05-30-2012 02:15 PM - edited 03-11-2019 04:13 PM
We recently bought a Buffalo LinkStation NAS device which has web capabilities, and I need to open port 9000 (both ways) in order for this to work. It's been a while since I did anything Cisco related, and despite my best efforts it's still not working. I need all traffic from the outside on port 9000 to be forwarded to this device. Can someone please help me with this rule?
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
enable password
passwd
hostname pixfirewall
domain-name www.*********.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list gainsville permit ip 172.*.*.0 255.255.255.0 10.*.*.0 255.255.255.0
access-list 130 permit ip any any
access-list 123 permit tcp any host 98.*.*.* eq 69
access-list 123 permit tcp any host 98.*.*.* eq h323
access-list 123 permit udp any host 98.*.*.* eq 5060
access-list 123 permit tcp any host 98.*.*.* range 10015 10064
access-list 123 permit udp any host 98.*.*.* eq 10060
access-list 123 permit tcp any host 98.*.*.* range 49151 49800
access-list 123 permit udp any host 98.*.*.* range 49151 49800
access-list 123 permit tcp any any eq pptp
access-list 123 permit gre any any
access-list 123 permit ip host 216.*.*.* any
access-list 123 permit tcp any any eq 10050
access-list 123 permit icmp any any
access-list 123 permit tcp 216.*.*.* 255.255.255.0 host 98.*.*.* eq www
access-list 123 permit tcp 216.*.*.* 255.255.255.0 host 98.*.*.* eq www
access-list 123 deny tcp any host 98.*.*.* eq www
access-list 123 permit ip any host 98.*.*.*
access-list 123 permit tcp 216.*.*.* 255.255.255.0 host 98.*.*.* eq 3389
access-list 123 permit tcp 216.*.*.* 255.255.255.0 host 98.*.*.* eq 3389
access-list 123 deny tcp any host 98.*.*.* eq 3389
access-list 123 permit tcp any any eq 9000
access-list nonat permit ip 172.*.*.* 255.255.255.0 10.*.*.* 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 98.*.*.* 255.255.255.248
ip address inside 172.*.*.* 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 172.*.*.* 255.255.255.255 inside
pdm location 172.*.*.* 255.255.255.255 inside
pdm location 172.*.*.* 255.255.255.255 inside
pdm location 172.*.*.* 255.255.255.255 inside
pdm location 172.0.0.0 255.0.0.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 10.0.0.0 255.255.255.0 outside
pdm location 216.*.*.* 255.255.255.255 outside
pdm location 216.*.*.* 255.255.255.0 outside
pdm location 216.*.*.* 255.255.255.0 outside
pdm location 98.*.*.* 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 98.141.142.93 netmask 255.255.255.224
nat (inside) 0 access-list nonat
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 98.*.*.90 9000 172.*.*.2 9000 netmask 255.255.255.255 0 0
static (inside,outside) 98.*.*.91 172.*.*.61 netmask 255.255.255.255 0 0
static (inside,outside) 98.*.*.92 172.*.*.125 netmask 255.255.255.255 0 0
access-group 123 in interface outside
access-group 130 in interface inside
route outside 0.0.0.0 0.0.0.0 98.*.*.89 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.*.*.1 255.255.255.255 inside
http 172.*.*.2 255.255.255.255 inside
http 172.*.*.61 255.255.255.255 inside
snmp-server host outside 216.*.*.217 poll
no snmp-server location
no snmp-server contact
snmp-server community r3m4x
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set gainsville esp-3des esp-sha-hmac
crypto map vpn 1 ipsec-isakmp
crypto map vpn 1 match address gainsville
crypto map vpn 1 set peer 74.92.148.25
crypto map vpn 1 set transform-set gainsville
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address 74.*.*.25 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet 172.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
05-31-2012 05:12 AM
Is 98.*.*.90 the PIX outside interface IP address, or is it a spare IP address in the same subnet?
If it's the outside IP address, then the static statement should be:
static (inside,outside) tcp interface 9000 172.*.*.2 9000 netmask 255.255.255.255
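The check suggested in the reply above can be automated when reviewing a saved PIX 6.3 configuration. The following is an added example, not part of the original thread: the `audit` function, the finding names and the 203.0.113.x / 192.168.10.x sample addresses are constructed for illustration. ACL matching is deliberately simplified to `permit <proto> any <dst>` entries with a numeric `eq` port; it ignores `deny` ordering, port ranges and named ports.

```python
import re

# Constructed sample in PIX 6.3 syntax (placeholder addresses, not from the thread).
SAMPLE = """\
ip address outside 203.0.113.90 255.255.255.248
access-list 123 permit tcp any any eq 9000
access-list 123 permit tcp any host 203.0.113.91 eq 3389
static (inside,outside) tcp 203.0.113.90 9000 192.168.10.2 9000 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.91 8080 192.168.10.61 8080 netmask 255.255.255.255 0 0
access-group 123 in interface outside
"""

# Port-redirect statics only: proto, mapped address (or "interface"), mapped port.
STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) (\S+) (\d+) \S+ \d+")
# Simplified ACL entry: source must be "any"; destination "any" or "host <ip>".
ACL_RE = re.compile(
    r"^access-list (\S+) permit (tcp|udp|ip) any (any|host \S+)(?: eq (\S+))?$")

def audit(config):
    """Return (finding, config line) pairs for each port-redirect static."""
    lines = [l.strip() for l in config.splitlines()]
    outside_ip = next((l.split()[3] for l in lines
                       if l.startswith("ip address outside ")), None)
    acl_id = next((l.split()[1] for l in lines
                   if re.match(r"access-group \S+ in interface outside", l)), None)
    permits = [m.groups()[1:] for l in lines
               if (m := ACL_RE.match(l)) and m.group(1) == acl_id]
    findings = []
    for line in lines:
        m = STATIC_RE.match(line)
        if not m:
            continue
        proto, mapped, port = m.groups()
        # The reply's point: a redirect on the firewall's own outside address
        # is written with the "interface" keyword, not the literal address.
        if mapped == outside_ip:
            findings.append(("use-interface-keyword", line))
        target = outside_ip if mapped == "interface" else mapped
        allowed = any(p in (proto, "ip")
                      and dst in ("any", f"host {target}")
                      and eq in (None, port)
                      for p, dst, eq in permits)
        if not allowed:
            findings.append(("no-acl-permit", line))
    return findings

if __name__ == "__main__":
    for kind, line in audit(SAMPLE):
        print(f"{kind}: {line}")
```
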
05-31-2012 12:53 PM
Thanks for replying. It turned out to be an issue with the NAS device and not my settings on the PIX. Your answer, however, is correct for the question that I asked... Kudos