Re: [fw-wiz] Cisco PIX 501 Port Redirection Problem
From: Dave (firewall_at_dsrtech.com)
Date: 09/04/04
- Previous message: Stephen P. Berry: "Re: [fw-wiz] Re: Flawed Surveys [was: VPN endpoints]"
- In reply to: Robert McIntosh: "Re: [fw-wiz] Cisco PIX 501 Port Redirection Problem"
- Next in thread: Kerry Thompson: "Re: [fw-wiz] Cisco PIX 501 Port Redirection Problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Robert McIntosh <mcintoshrt@comcast.net> Date: Fri, 03 Sep 2004 23:39:49 -0400
Your config looks fine. You may want to nmap your local hosts and ensure
the server ports you are attempting to connect to through the PIX are
actually open.
Other than that, look on Cisco for any bug with the use of names in ACLs
and named ACLs.
On Fri, 2004-09-03 at 17:05, Robert McIntosh wrote:
> My apologies for my newbie-status. Changed passwords (whoops) and
> followed suggestions. Still no pass through on any of the redirected
> ports, "connection refused". I'm willing to cough up some change($40)
> to someone who can solve my dilemma. Simply trying to allow ports 80,
> 443, 995, 25, and 22 through to their respective private IPs. What am I
> doing wrong?
>
> Thanks everyone,
> Robert
> ---
> : Saved
> : Written by robert at 06:53:19.745 PDT Fri Sep 3 2004
> PIX Version 6.3(3)
> interface ethernet0 auto
> interface ethernet1 100full
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> hostname giggles
> clock timezone PST -8
> clock summer-time PDT recurring
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> name 10.0.0.7 europa
> name 10.0.0.3 ganymede
> access-list outside_in permit tcp any interface outside eq www
> access-list outside_in permit tcp any interface outside eq https
> access-list outside_in permit tcp any interface outside eq ssh
> access-list outside_in permit tcp any interface outside eq smtp
> access-list outside_in permit tcp any interface outside eq 995
> pager lines 24
> logging on
> logging console informational
> mtu outside 1500
> mtu inside 1500
> ip address outside dhcp setroute
> ip address inside 10.0.0.6 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> pdm location 10.0.0.0 255.255.255.255 inside
> pdm location ganymede 255.255.255.255 inside
> pdm location europa 255.255.255.255 inside
> pdm logging informational 100
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 1 10.0.0.0 255.255.255.0 0 0
> static (inside,outside) tcp interface https europa https netmask 255.255.255.255 0 0
> static (inside,outside) tcp interface ssh europa ssh netmask 255.255.255.255 0 0
> static (inside,outside) tcp interface smtp ganymede smtp netmask 255.255.255.255 0 0
> static (inside,outside) tcp interface 995 ganymede 995 netmask 255.255.255.255 0 0
> static (inside,outside) tcp interface www europa www netmask 255.255.255.255 0 0
> access-group outside_in in interface outside
> timeout xlate 0:05:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> aaa authentication enable console LOCAL
> aaa authentication ssh console LOCAL
> http server enable
> http 10.0.0.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> telnet timeout 5
> ssh 10.0.0.0 255.255.255.0 inside
> ssh timeout 45
> console timeout 0
> dhcpd address europa-10.0.0.134 inside
> dhcpd lease 3600
> dhcpd ping_timeout 750
> dhcpd auto_config outside
> dhcpd enable inside
> terminal width 80
> banner motd Welcome to giggles.
> Cryptochecksum:c468c328ce47b4f0df0f96a63683ca11
>
>
> Mark R. wrote:
>
> >Robert,
> >
> >Your problem looks to be in the access list that is
> >assigned to the outside interface (access-list
> >outside_access_in).
> >
> >The syntax of the acl allowing www access to europa is
> >incorrect, also, the remaining lines to allow access
> >for https, smtp, and ssh are missing.
> >
> >It should read as follows:
> >
> >access-list outside_access_in permit tcp any interface
> >outside eq www
> >
> >access-list outside_access_in permit tcp any interface
> >outside eq https
> >
> >access-list outside_access_in permit tcp any interface
> >outside eq ssh
> >
> >access-list outside_access_in permit tcp any interface
> >outside eq smtp
> >
> >access-list outside_access_in permit tcp any interface
> >outside eq 995
> >
> >On a side note, I would suggest that you remove
> >usernames and passwords from configs before you paste
> >them.
> >
> >hth,
> >
> >Mark
> >
> >
> >
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
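The two checks raised in this thread (do the `static` redirections line up with the ACL that is actually bound to the outside interface, and are the inside servers really listening on the redirected ports) can be scripted. The following POSIX shell script is an added example written for this archive page; it is not code from the thread or from Cisco. It embeds the relevant lines of Robert's config as constructed input (with the e-mail line wraps re-joined, on the assumption that each command was originally one line), resolves the `name` aliases to addresses, flags any redirection whose port is not permitted by the bound ACL, and optionally probes each inside server with `nc -z` from a host on the inside network, which is what Dave's nmap suggestion boils down to. The `BROKEN_CONFIG` variant is constructed to show the mismatch that occurs when the ACL entries carry a different name than the one in `access-group` (the thread's `outside_in` versus `outside_access_in`); it is not a claim about what was wrong in Robert's setup.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check PIX 6.x "static" port
# redirections against the inbound ACL and list the inside host:port pairs
# that must be listening for the redirection to work.

# Constructed input: the static/ACL lines quoted in the thread, one command
# per line (assumption: the e-mail wrapping split them, the PIX did not).
PIX_CONFIG='
name 10.0.0.7 europa
name 10.0.0.3 ganymede
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq ssh
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq 995
static (inside,outside) tcp interface https europa https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh europa ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp ganymede smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 995 ganymede 995 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www europa www netmask 255.255.255.255 0 0
access-group outside_in in interface outside
'

# Constructed failure case: ACL lines named differently from the access-group.
BROKEN_CONFIG=$(printf '%s\n' "$PIX_CONFIG" | sed 's/^access-list outside_in/access-list outside_access_in/')

# Map the PIX service keywords used in the thread to port numbers; numeric ports pass through.
port_num() {
    case "$1" in
        www|http) echo 80 ;;
        https)    echo 443 ;;
        ssh)      echo 22 ;;
        smtp)     echo 25 ;;
        *)        echo "$1" ;;
    esac
}

# Resolve a "name <ip> <alias>" entry; fall back to the literal if it is already an address.
resolve_name() {
    ip=$(printf '%s\n' "$2" | awk -v n="$1" '$1=="name" && $3==n {print $2; exit}')
    [ -n "$ip" ] && echo "$ip" || echo "$1"
}

# Emit "outside_port inside_ip inside_port" for every interface-PAT static.
static_targets() {
    printf '%s\n' "$1" |
    awk '$1=="static" && $2=="(inside,outside)" && $3=="tcp" && $4=="interface" {print $5, $6, $7}' |
    while read -r oport host iport; do
        echo "$(port_num "$oport") $(resolve_name "$host" "$1") $(port_num "$iport")"
    done
}

# Ports permitted by whichever ACL is bound inbound on the outside interface.
acl_ports() {
    acl=$(printf '%s\n' "$1" | awk '$1=="access-group" && $3=="in" && $4=="interface" && $5=="outside" {print $2; exit}')
    [ -n "$acl" ] || return 0
    printf '%s\n' "$1" |
    awk -v a="$acl" '$1=="access-list" && $2==a && $3=="permit" && $4=="tcp" && $8=="eq" {print $9}' |
    while read -r p; do port_num "$p"; done
}

# One line per redirection: "ok PORT -> IP:PORT" or "no-acl PORT -> IP:PORT";
# ACL ports with no matching static are reported as "no-static PORT".
check_redirects() {
    acl=$(acl_ports "$1")
    static_targets "$1" | while read -r oport ip iport; do
        if printf '%s\n' "$acl" | grep -qx "$oport"; then
            echo "ok $oport -> $ip:$iport"
        else
            echo "no-acl $oport -> $ip:$iport"
        fi
    done
    for p in $acl; do
        static_targets "$1" | awk -v p="$p" '$1==p {found=1} END {exit found?0:1}' || echo "no-static $p"
    done
}

# Run from a host on the inside LAN: confirm each inside server is listening.
# Assumes an nc that supports -z (scan) and -w (timeout); nmap works equally well.
probe_targets() {
    static_targets "$1" | while read -r oport ip iport; do
        if nc -z -w 2 "$ip" "$iport" 2>/dev/null; then
            echo "open $ip:$iport"
        else
            echo "closed $ip:$iport (outside port $oport cannot work until this listens)"
        fi
    done
}

check_redirects "$PIX_CONFIG"
```

Run `check_redirects "$PIX_CONFIG"` to see the five `ok` lines for the quoted config; `probe_targets "$PIX_CONFIG"` only makes sense from a machine inside 10.0.0.0/24, since it tests the real servers rather than the PIX. A `closed` result there points at the server (or a host firewall on it), not at the NAT or ACL, which is exactly the distinction Dave's advice draws.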