Need help port Forwarding a pix 501

Ceejay999
Level 1

Hello, and thanks for taking the time to look over the thread. I need some help getting a PIX 501 to port forward to a DVR behind it.

The PIX is responsible for the VPN as well, so I am a bit nervous of getting anything wrong on this one. We have a wide area network set up all throughout the city, all connected through Ciscos and VPNs. I, unfortunately, lost my Cisco guy, and need to get a DVR visible remotely quickly for the police to have access to it via the web.

This is the setup.

Comcast business class Modem with static IP of A.B.C.D.

Connects to a Cisco PIX 501, which acts as the connect point for the VPN behind it. Acts as the gateway 192.168.20.1.

Behind this in the network is a Panasonic WJ-616 DVR with IP address 192.168.20.255 with port access on port 93. This is the thing I need to get access to from the outside.

I can handle the port forwarding from the Comcast to the PIX with little issue, and I know a few of the basic Cisco router commands for port forwarding, but the PIX seems to be a different beast.

With the Comcast modem forwarding A.B.C.D:93 to the PIX, what would I need to add to the config of the PIX to then forward that to the DVR behind it?

Any and all help is greatly appreciated, thank you!

-Chris

4 Replies

kcapoor
Cisco Employee

Hi Chris,

You can try these commands; if it is TCP use tcp, otherwise use udp in place of tcp below.

ip address outside
ip address inside 192.168.20.255  255.255.255.0
static (inside,outside) tcp interface 93 192.168.20.255 93 netmask 255.255.255.255 0 0
access-list WEB_SERVER_ACL permit tcp any interface outside eq 93
access-group WEB_SERVER_ACL in interface outside

Please mark this answered if this helps.

Thanks

karan

Well, this didn't work, heh. It brought the whole site down. Rather obvious why when I look at the running config. So I figured I'd best post that.

I have to admit I don't know what half of it does. :/

Here is the PIX's current running config (I changed two IPs: 10.10.10.10 is our static IP, and 20.20.20.20 is the VPN static IP at our main site):

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password  encrypted
passwd  encrypted
hostname Somewhere
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service vnc tcp
  port-object range 5900 5900
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside 192.168.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.20.0 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.255 outside
pdm location 192.168.0.0 255.255.255.0 outside
pdm location 10.10.10.10 255.255.255.255 outside
pdm location 192.168.20.20 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.10.10.10 192.168.20.20 netmask 255.255.255.255 0 0
conduit permit tcp host 10.10.10.10 any
timeout xlate 0:05:00
timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp enable outside
telnet 192.168.0.0 255.255.255.0 outside
telnet 192.168.20.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 192.168.20.50-192.168.20.150 inside
dhcpd dns 192.168.0.2 68.87.64.146
dhcpd wins 192.168.0.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username stuff is encrypted privilege 15
vpnclient server 20.20.20.20
vpnclient mode client-mode
vpnclient vpngroup stuff password ********
vpnclient username stuff password ********
vpnclient enable
terminal width 80
Cryptochecksum:ce001478f053635970e7b2ebce1fbe89
: end
somewhere#

Sorry about bringing the site down... I didn't know you had a dynamic IP on the outside interface. Also, I don't see any access list applied in your config, so let me rephrase the config you can try.

ip address outside dhcp setroute retry 4
ip address inside 192.168.20.1 255.255.255.0
access-list inbound permit tcp any any eq 93
access-list inbound permit udp any any eq 93
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 93 192.168.20.20 93 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 93 192.168.20.20 93 netmask 255.255.255.255 0 0
access-group inbound in interface outside

I have put in two access-list commands and two static commands, one for TCP and the other for UDP. If you are sure about the protocol (TCP/UDP) you can enter just that one.

If this also doesn't help, I would suggest putting this question in the Firewall section.

regards

karan
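An added example, not either poster's config: a tightened variant of the port forward suggested above, written for PIX 6.3 syntax. It assumes the DVR is re-addressed to a host address such as 192.168.20.30 (192.168.20.255 is the broadcast address of the inside 192.168.20.0/24 shown in the posted running config, so a static to it cannot be translated) and that the viewing station's public address is the placeholder P.Q.R.S.

```cisco
! Added example, not the posters' configuration.
! Assumptions: DVR re-addressed to 192.168.20.30 (placeholder), remote viewer's public
! address is P.Q.R.S (placeholder). Outside stays DHCP, so the translation is keyed to
! the interface address rather than a fixed public IP.
static (inside,outside) tcp interface 93 192.168.20.30 93 netmask 255.255.255.255 0 0
!
! Permit only the known viewer to the forwarded port instead of "any any".
! The destination is the outside interface itself, which is what the static translates.
access-list inbound permit tcp host P.Q.R.S interface outside eq 93
!
! Bind the list inbound on outside; everything not listed is dropped by the implicit deny.
access-group inbound in interface outside
!
! After a test connection from P.Q.R.S, confirm the translation exists and the ACL hit
! counter increments; a zero count with a failed connection points at the upstream modem.
show xlate
show access-list inbound
```

The posted running config still carries a conduit for 10.10.10.10; confirm that traffic behaves as expected once the access-group is bound, because on PIX 6.x a bound access-list takes precedence over conduit statements on that interface.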

Thanks again for your help. It did not work, but due to the time constraints of having to get this viewable, I just ran a new line through the wall directly from the modem.

Thanks again for trying though.