Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
768
Views
0
Helpful
4
Replies

Port forwarding with PIX 501

Go to solution
blazing10
Level 1
Level 1

‎10-01-2005 07:46 AM - edited ‎02-21-2020 12:26 AM

I'm trying to get my PIX 501 to forward traffic on port 1412 with both TCP and UDP to use Direct Connect, and the problem I'm having is I can connect to a DC hub, but cannot make connections with users.

I've added the following to the factory default config with partial success:

access-list outside permit tcp any host 192.168.100.20 eq 1412

access-list outside permit udp any host 192.168.100.20 eq 1412

static (inside,outside) tcp interface 1412 192.168.100.20 1412 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 1412 192.168.100.20 1412 netmask 255.255.255.255 0 0

In the debugging log I setup for the access list rule I these type of errors:

Deny tcp src outside other.users.ip.addr/3099 dst inside my.public.ip.addr/1412 by access-group "access_outside_in"

Tcp request discarded other.users.ip.addr/2362 to outside my.public.ip.addr/45961

I'm pretty lost as to why it's not working when I think it should. I've tried multiple ways, opening port ranges, and no luck getting a sucsessful forwarding of the port.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jmia
Level 7
Level 7
In response to blazing10

‎10-01-2005 10:50 AM

Can you change you outside ACL to the following:

access-list outside permit tcp any host eq 1412

access-list outside permit udp any host eq 1412

access-group outside in interface outside

Again save with: write mem and also issue: clear xlate

Let me know if this works.

Jay

View solution in original post

0 Helpful
4 Replies 4

Go to solution
jmia
Level 7
Level 7

‎10-01-2005 08:21 AM

You have two ACL's on the outside interface, one for TCP and one for UDP but your static does not match the UDP ACL!!

Try changing to:

access-list outside permit tcp any host 192.168.100.20 eq 1412

access-list outside permit udp any host 192.168.100.20 eq 1412

access-group outside in interface outside

static (inside,outside) tcp interface 1412 192.168.100.20 1412 netmask 255.255.255.255 0 0

static (inside,outside) udp interface 1412 192.168.100.20 1412 netmask 255.255.255.255 0 0

Save with: write mem and issue: clear xlate

Hope this helps.

Jay

0 Helpful

Go to solution
blazing10
Level 1
Level 1
In response to jmia

‎10-01-2005 09:47 AM

Sorry that was a typo, here is the current running config, that is still not working:

Building configuration...

: Saved

:

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password

passwd

hostname pixfirewall

domain-name ciscopix.com

clock timezone CST -6

clock summer-time CDT recurring

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outside permit tcp any eq 1412 interface outside eq 1412 log 7

access-list outside permit udp any eq 1412 interface outside eq 1412 log 7

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 192.168.100.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.100.20 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface 1412 192.168.100.20 1412 netmask 255.255.255.255 0 0

static (inside,outside) udp interface 1412 192.168.100.20 1412 netmask 255.255.255.255 0 0

access-group outside in interface outside

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.100.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

[OK]

It's the default with just those lines added, and a clear xlate afterwords.

0 Helpful

Go to solution
jmia
Level 7
Level 7
In response to blazing10

‎10-01-2005 10:50 AM

Can you change you outside ACL to the following:

access-list outside permit tcp any host eq 1412

access-list outside permit udp any host eq 1412

access-group outside in interface outside

Again save with: write mem and also issue: clear xlate

Let me know if this works.

Jay

0 Helpful

Go to solution
blazing10
Level 1
Level 1
In response to jmia

‎10-01-2005 02:17 PM

That works!

Can you explain how or why that command works versus the standard one that should work?

Also, thanks for your help Jay.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card