Re: [fw-wiz] Cisco PIX 501 Port Redirection Problem

From: Robert McIntosh (mcintoshrt_at_comcast.net)
Date: 09/05/04

  • Next message: Skander Ben Mansour: "[fw-wiz] Linux Firewall Distributions - Summary"
    To: firewall-wizards@honor.icsalabs.com
    Date: Sat, 04 Sep 2004 19:48:03 -0700
    
    

    Thanks for everyone's help. The WAN port was set to "off". A biggy
    dummy here. Thanks again.

    Kerry Thompson wrote:

    >'connection refused' indicates you're hitting a server with the port
    >closed ( no process listening on it ). Check your server is listening,
    >and that its IP address is the same as what you've got configured on the
    >PIX. Maybe run a packet sniffer on the inside.
    >
    >It's also a good idea to run 'clear xlate' on the PIX whenever you make
    >changes to NAT stuff, just to remove any state which is already there.
    >
    >I've eyeballed your PIX config and it looks OK at this stage.
    >
    >Kerry
    >
    >On Sat, 2004-09-04 at 09:05, Robert McIntosh wrote:
    >
    >
    >>My apologies for my newbie-status. Changed passwords (whoops) and
    >>followed suggestions. Still no pass through on any of the redirected
    >>ports, "connection refused". I'm willing to cough up some change($40)
    >>to someone who can solve my dilemma. Simply trying to allow ports 80,
    >>443, 995, 25, and 22 through to their respect private IPs. What am I
    >>doing wrong?
    >>
    >>Thanks everyone,
    >>Robert
    >>---
    >>: Saved
    >>: Written by robert at 06:53:19.745 PDT Fri Sep 3 2004
    >>PIX Version 6.3(3)
    >>interface ethernet0 auto
    >>interface ethernet1 100full
    >>nameif ethernet0 outside security0
    >>nameif ethernet1 inside security100
    >>hostname giggles
    >>clock timezone PST -8
    >>clock summer-time PDT recurring
    >>fixup protocol dns maximum-length 512
    >>fixup protocol ftp 21
    >>fixup protocol h323 h225 1720
    >>fixup protocol h323 ras 1718-1719
    >>fixup protocol http 80
    >>fixup protocol rsh 514
    >>fixup protocol rtsp 554
    >>fixup protocol sip 5060
    >>fixup protocol sip udp 5060
    >>fixup protocol skinny 2000
    >>fixup protocol smtp 25
    >>fixup protocol sqlnet 1521
    >>fixup protocol tftp 69
    >>names
    >>name 10.0.0.7 europa
    >>name 10.0.0.3 ganymede
    >>access-list outside_in permit tcp any interface outside eq www
    >>access-list outside_in permit tcp any interface outside eq https
    >>access-list outside_in permit tcp any interface outside eq ssh
    >>access-list outside_in permit tcp any interface outside eq smtp
    >>access-list outside_in permit tcp any interface outside eq 995
    >>pager lines 24
    >>logging on
    >>logging console informational
    >>mtu outside 1500
    >>mtu inside 1500
    >>ip address outside dhcp setroute
    >>ip address inside 10.0.0.6 255.255.255.0
    >>ip audit info action alarm
    >>ip audit attack action alarm
    >>pdm location 10.0.0.0 255.255.255.255 inside
    >>pdm location ganymede 255.255.255.255 inside
    >>pdm location europa 255.255.255.255 inside
    >>pdm logging informational 100
    >>pdm history enable
    >>arp timeout 14400
    >>global (outside) 1 interface
    >>nat (inside) 1 10.0.0.0 255.255.255.0 0 0
    >>static (inside,outside) tcp interface https europa https netmask 255.255.255.255 0 0
    >>static (inside,outside) tcp interface ssh europa ssh netmask 255.255.255.255 0 0
    >>static (inside,outside) tcp interface smtp ganymede smtp netmask 255.255.255.255 0 0
    >>static (inside,outside) tcp interface 995 ganymede 995 netmask 255.255.255.255 0 0
    >>static (inside,outside) tcp interface www europa www netmask 255.255.255.255 0 0
    >>access-group outside_in in interface outside
    >>timeout xlate 0:05:00
    >>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    >>timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    >>timeout uauth 0:05:00 absolute
    >>aaa-server TACACS+ protocol tacacs+
    >>aaa-server RADIUS protocol radius
    >>aaa-server LOCAL protocol local
    >>aaa authentication enable console LOCAL
    >>aaa authentication ssh console LOCAL
    >>http server enable
    >>http 10.0.0.0 255.255.255.0 inside
    >>no snmp-server location
    >>no snmp-server contact
    >>snmp-server community public
    >>no snmp-server enable traps
    >>floodguard enable
    >>telnet timeout 5
    >>ssh 10.0.0.0 255.255.255.0 inside
    >>ssh timeout 45
    >>console timeout 0
    >>dhcpd address europa-10.0.0.134 inside
    >>dhcpd lease 3600
    >>dhcpd ping_timeout 750
    >>dhcpd auto_config outside
    >>dhcpd enable inside
    >>terminal width 80
    >>banner motd Welcome to giggles.
    >>Cryptochecksum:c468c328ce47b4f0df0f96a63683ca11
    >>
    >>
    >>Mark R. wrote:
    >>
    >>
    >>
    >>>Robert,
    >>>
    >>>Your problem looks to be in the access list that is
    >>>assigned to the outside interface (access-list
    >>>outside_access_in).
    >>>
    >>>The syntax of the acl allowing www access to europa is
    >>>incorrect, also, the remaining lines to allow access
    >>>for https, smtp, and ssh are missing.
    >>>
    >>>It should read as follows:
    >>>
    >>>access-list outside_access_in permit tcp any interface
    >>>outside eq www
    >>>
    >>>access-list outside_access_in permit tcp any interface
    >>>outside eq https
    >>>
    >>>access-list outside_access_in permit tcp any interface
    >>>outside eq ssh
    >>>
    >>>access-list outside_access_in permit tcp any interface
    >>>outside eq smtp
    >>>
    >>>access-list outside_access_in permit tcp any interface
    >>>outside eq 995
    >>>
    >>>On a side note, I would suggest that you remove
    >>>usernames and passwords from configs before you paste
    >>>them.
    >>>
    >>>hth,
    >>>
    >>>Mark
    >>>
    >>>
    >>>
    >>>
    >>>
    >>_______________________________________________
    >>firewall-wizards mailing list
    >>firewall-wizards@honor.icsalabs.com
    >>http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >>
    >>
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
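The thread turns on the PIX 6.x pairing Kerry and Mark describe: a `static (inside,outside) tcp interface <port> <host> <port>` translation only passes traffic when an `access-list` permits that port on the outside interface and that list is bound with `access-group`. The script below is an added example (not code from the thread or from Cisco) that parses the relevant lines of a PIX 6.x config and reports statics with no matching permit, permits with no matching static, a missing `access-group`, and a default SNMP community string. The embedded sample is constructed from the config Robert posted, with the smtp permit line deliberately left out so the checker has something to flag; it assumes each command sits on one line (the mailer wrapped the long `static` lines) and only understands the `interface`-keyword forms of `static` and `access-list` used in this thread.

```python
"""Check a PIX 6.x port-forwarding config for static/access-list mismatches.

Added example for the firewall-wizards thread above; not the thread's or
Cisco's code. Handles only the `interface`-keyword forms shown in the thread.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the relevant lines of the posted config, with the
# `eq smtp` access-list entry omitted on purpose.
SAMPLE_CONFIG = """\
name 10.0.0.7 europa
name 10.0.0.3 ganymede
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq ssh
access-list outside_in permit tcp any interface outside eq 995
snmp-server community public
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
static (inside,outside) tcp interface https europa https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh europa ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp ganymede smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 995 ganymede 995 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www europa www netmask 255.255.255.255 0 0
access-group outside_in in interface outside
"""

# PIX accepts well-known service names in place of port numbers.
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25, "pop3": 110}

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp interface (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any interface (\w+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")


def port_number(token: str) -> int:
    """Normalise a PIX port token ('www', '995') to an integer."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def lint_port_forwarding(config: str) -> Dict[str, list]:
    """Return the parsed forwards plus a list of human-readable findings."""
    names: Dict[str, str] = {}                      # hostname -> IP from `name` lines
    forwards: List[Dict[str, object]] = []          # parsed `static ... interface` lines
    permits: Dict[str, Set[Tuple[str, int]]] = {}   # acl name -> {(iface, port)}
    bound: Dict[str, str] = {}                      # iface -> acl bound inbound
    findings: List[str] = []

    for raw in config.splitlines():
        line = raw.strip()
        if (m := NAME_RE.match(line)):
            names[m.group(2)] = m.group(1)
        elif (m := STATIC_RE.match(line)):
            _inside, outside, gport, host, rport = m.groups()
            forwards.append({"outside": outside, "global_port": port_number(gport),
                             "host": names.get(host, host), "real_port": port_number(rport)})
        elif (m := ACL_RE.match(line)):
            acl, iface, port = m.groups()
            permits.setdefault(acl, set()).add((iface, port_number(port)))
        elif (m := GROUP_RE.match(line)):
            bound[m.group(2)] = m.group(1)
        elif line.startswith("snmp-server community ") and line.split()[-1] in ("public", "private"):
            findings.append(f"default SNMP community string '{line.split()[-1]}' configured")

    # A static with no permit (or no bound ACL) is silently dropped on the outside.
    for fwd in forwards:
        iface, gport = fwd["outside"], fwd["global_port"]
        acl = bound.get(iface)
        if acl is None:
            findings.append(f"no access-group bound to {iface}: tcp/{gport} static is unreachable")
        elif (iface, gport) not in permits.get(acl, set()):
            findings.append(f"static maps tcp/{gport} on {iface} to {fwd['host']}:{fwd['real_port']} "
                            f"but {acl} has no permit for it")

    # A permit with no static opens nothing but is a dead rule worth cleaning up.
    for iface, acl in bound.items():
        for piface, port in sorted(permits.get(acl, set())):
            if piface == iface and not any(f["outside"] == iface and f["global_port"] == port
                                           for f in forwards):
                findings.append(f"{acl} permits tcp/{port} on {iface} with no matching static")

    return {"forwards": forwards, "findings": findings}


if __name__ == "__main__":
    for finding in lint_port_forwarding(SAMPLE_CONFIG)["findings"]:
        print("-", finding)
```

Run it against a saved `write terminal` dump after joining any wrapped lines; an empty findings list means every redirected port has both halves of the rule pair in place, which is exactly the state Kerry's `clear xlate` advice assumes before you start debugging on the inside host.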

