Re: [fw-wiz] Cisco PIX 501 Port Redirection Problem

From: Kerry Thompson (kerry_at_crypt.gen.nz)
Date: 09/04/04

    To: Robert McIntosh <mcintoshrt@comcast.net>
    Date: Sat, 04 Sep 2004 18:59:32 +1200
    
    

    'connection refused' indicates you're hitting a server with the port
    closed (no process listening on it). Check your server is listening,
    and that its IP address is the same as what you've got configured on the
    PIX. Maybe run a packet sniffer on the inside.

    It's also a good idea to run 'clear xlate' on the PIX whenever you make
    changes to NAT stuff, just to remove any state which is already there.

    I've eyeballed your PIX config and it looks OK at this stage.

    Kerry

    On Sat, 2004-09-04 at 09:05, Robert McIntosh wrote:
    > My apologies for my newbie-status. Changed passwords (whoops) and
    > followed suggestions. Still no pass through on any of the redirected
    > ports, "connection refused". I'm willing to cough up some change($40)
    > to someone who can solve my dilemma. Simply trying to allow ports 80,
    > 443, 995, 25, and 22 through to their respective private IPs. What am I
    > doing wrong?
    >
    > Thanks everyone,
    > Robert
    > ---
    > : Saved
    > : Written by robert at 06:53:19.745 PDT Fri Sep 3 2004
    > PIX Version 6.3(3)
    > interface ethernet0 auto
    > interface ethernet1 100full
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > hostname giggles
    > clock timezone PST -8
    > clock summer-time PDT recurring
    > fixup protocol dns maximum-length 512
    > fixup protocol ftp 21
    > fixup protocol h323 h225 1720
    > fixup protocol h323 ras 1718-1719
    > fixup protocol http 80
    > fixup protocol rsh 514
    > fixup protocol rtsp 554
    > fixup protocol sip 5060
    > fixup protocol sip udp 5060
    > fixup protocol skinny 2000
    > fixup protocol smtp 25
    > fixup protocol sqlnet 1521
    > fixup protocol tftp 69
    > names
    > name 10.0.0.7 europa
    > name 10.0.0.3 ganymede
    > access-list outside_in permit tcp any interface outside eq www
    > access-list outside_in permit tcp any interface outside eq https
    > access-list outside_in permit tcp any interface outside eq ssh
    > access-list outside_in permit tcp any interface outside eq smtp
    > access-list outside_in permit tcp any interface outside eq 995
    > pager lines 24
    > logging on
    > logging console informational
    > mtu outside 1500
    > mtu inside 1500
    > ip address outside dhcp setroute
    > ip address inside 10.0.0.6 255.255.255.0
    > ip audit info action alarm
    > ip audit attack action alarm
    > pdm location 10.0.0.0 255.255.255.255 inside
    > pdm location ganymede 255.255.255.255 inside
    > pdm location europa 255.255.255.255 inside
    > pdm logging informational 100
    > pdm history enable
    > arp timeout 14400
    > global (outside) 1 interface
    > nat (inside) 1 10.0.0.0 255.255.255.0 0 0
    > static (inside,outside) tcp interface https europa https netmask
    > 255.255.255.255 0 0
    > static (inside,outside) tcp interface ssh europa ssh netmask
    > 255.255.255.255 0 0
    > static (inside,outside) tcp interface smtp ganymede smtp netmask
    > 255.255.255.255 0 0
    > static (inside,outside) tcp interface 995 ganymede 995 netmask
    > 255.255.255.255 0 0
    > static (inside,outside) tcp interface www europa www netmask
    > 255.255.255.255 0 0
    > access-group outside_in in interface outside
    > timeout xlate 0:05:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    > 1:00:00
    > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    > timeout uauth 0:05:00 absolute
    > aaa-server TACACS+ protocol tacacs+
    > aaa-server RADIUS protocol radius
    > aaa-server LOCAL protocol local
    > aaa authentication enable console LOCAL
    > aaa authentication ssh console LOCAL
    > http server enable
    > http 10.0.0.0 255.255.255.0 inside
    > no snmp-server location
    > no snmp-server contact
    > snmp-server community public
    > no snmp-server enable traps
    > floodguard enable
    > telnet timeout 5
    > ssh 10.0.0.0 255.255.255.0 inside
    > ssh timeout 45
    > console timeout 0
    > dhcpd address europa-10.0.0.134 inside
    > dhcpd lease 3600
    > dhcpd ping_timeout 750
    > dhcpd auto_config outside
    > dhcpd enable inside
    > terminal width 80
    > banner motd Welcome to giggles.
    > Cryptochecksum:c468c328ce47b4f0df0f96a63683ca11
    >
    >
    > Mark R. wrote:
    >
    > >Robert,
    > >
    > >Your problem looks to be in the access list that is
    > >assigned to the outside interface (access-list
    > >outside_access_in).
    > >
    > >The syntax of the acl allowing www access to europa is
    > >incorrect, also, the remaining lines to allow access
    > >for https, smtp, and ssh are missing.
    > >
    > >It should read as follows:
    > >
    > >access-list outside_access_in permit tcp any interface
    > >outside eq www
    > >
    > >access-list outside_access_in permit tcp any interface
    > >outside eq https
    > >
    > >access-list outside_access_in permit tcp any interface
    > >outside eq ssh
    > >
    > >access-list outside_access_in permit tcp any interface
    > >outside eq smtp
    > >
    > >access-list outside_access_in permit tcp any interface
    > >outside eq 995
    > >
    > >On a side note, I would suggest that you remove
    > >usernames and passwords from configs before you paste
    > >them.
    > >
    > >hth,
    > >
    > >Mark
    > >
    > >
    > >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

    -- 
    Kerry Thompson, CCNA CISSP
    IT Security Consultant
    Auckland, New Zealand
    http://www.crypt.gen.nz
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
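    The check Kerry suggests (is each redirected inside host actually listening on the port the PIX static points at?) as an added example, not code from the thread. It parses the `name` and `static (inside,outside) tcp interface ...` lines out of a pasted config (the '> ' quoting and the `netmask` line wraps are handled) and makes a TCP connect to each target; it assumes it is run from a host on the inside 10.0.0.0/24 network, and the embedded config excerpt is constructed from the quoted post.

    ```python
    import errno
    import re
    import socket

    # Port keywords PIX 6.3 accepts in place of numbers (the ones this config uses).
    PIX_PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "smtp": 25, "pop3": 110}

    # Constructed from the quoted config; '> ' prefixes and the netmask line wraps
    # are kept on purpose so the parser has to cope with a pasted mail body.
    SAMPLE_CONFIG = """\
    > name 10.0.0.7 europa
    > name 10.0.0.3 ganymede
    > static (inside,outside) tcp interface https europa https netmask
    > 255.255.255.255 0 0
    > static (inside,outside) tcp interface smtp ganymede smtp netmask
    > 255.255.255.255 0 0
    > static (inside,outside) tcp interface 995 ganymede 995 netmask
    > 255.255.255.255 0 0
    > static (inside,outside) tcp interface www europa www netmask
    > 255.255.255.255 0 0
    """

    def unquote_and_unwrap(text):
        """Strip '> ' quoting and rejoin lines the mailer wrapped after 'netmask'."""
        out = []
        for raw in text.splitlines():
            line = re.sub(r"^(\s*>)+\s?", "", raw).strip()
            if out and out[-1].endswith("netmask"):
                out[-1] += " " + line
            elif line:
                out.append(line)
        return out

    def port_number(token):
        """PIX port keyword or numeric string -> int."""
        return int(token) if token.isdigit() else PIX_PORT_NAMES[token]

    def parse_redirections(text):
        """Return (outside_port, inside_ip, inside_port) for each 'static ... interface' entry."""
        names, result = {}, []
        for line in unquote_and_unwrap(text):
            m = re.match(r"name (\S+) (\S+)$", line)
            if m:
                names[m.group(2)] = m.group(1)          # hostname -> IP from 'name' lines
            m = re.match(r"static \(inside,outside\) tcp interface (\S+) (\S+) (\S+) netmask", line)
            if m:
                result.append((port_number(m.group(1)),
                               names.get(m.group(2), m.group(2)), port_number(m.group(3))))
        return result

    def probe(ip, port, timeout=2.0):
        """TCP connect from the inside: 'open', 'refused' (nothing listening) or 'unreachable'."""
        try:
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
                s.settimeout(timeout)
                rc = s.connect_ex((ip, port))
        except OSError:
            return "unreachable"
        return "open" if rc == 0 else "refused" if rc == errno.ECONNREFUSED else "unreachable"

    def audit(text, probe_fn=probe):
        """Each redirection with its probe result; anything not 'open' explains the symptom."""
        return [(o, ip, i, probe_fn(ip, i)) for o, ip, i in parse_redirections(text)]

    if __name__ == "__main__":
        for o, ip, i, state in audit(SAMPLE_CONFIG):
            print(f"outside:{o} -> {ip}:{i}  {state}")
    ```

    A 'refused' result here means the PIX is translating correctly and the inside host simply has nothing bound on that port; 'unreachable' points at addressing or routing on the inside rather than the firewall.
    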
    

