Cisco PIX 501 and port forwarding

tdg

Ok you Cisco gurus, I have a PIX 501 and am trying to open up a few ports for the outside to get inside, and am having no luck so far with it working. I need to open up ports 400 and 1400 and send that traffic to 192.168.100.2 with the matching port numbers. The outside interface public IP address is 68.103.139.xxx, and is assigned by DHCP. I've tried the static route and so far no luck. Right now I've reset the PIX back to the factory default config, trying to start over on the config. Any help would be great.
 
Set the static command with the interface and protocol and don't forget to create an ACL permitting traffic to enter the external interface.

I'll try to post the commands later if I get the chance. Until then try this.
 
Thanks Bob. I tried using that example and it seems the problem I'm having is something about overlapping addresses or something; I guess since I'm trying to add a route for an interface that's already set up? Also, I'm unsure of what to do for the fixup protocol command. In that example they use ftp, but the program being used will be DirectConnect, which is UDP, and I have no idea what to use there either. Any ideas?
 
tdg said:
Also, I'm unsure of what to do for the fixup protocol command. In that example they use ftp, but the program being used will be DirectConnect, which is UDP, and I have no idea what to use there either. Any ideas?
---------
Limited pix knowledge follows:
---------
FTP just translates into tcp port 21, www -> 80, domain is udp 53, and on, and on.

If you know the port number you *should* be able to just put that in.
----------
static (inside,outside) udp 68.103.139.xxx 400 192.168.100.2 400 netmask 255.255.255.255 0 0
static (inside,outside) udp 68.103.139.xxx 1400 192.168.100.2 1400 netmask 255.255.255.255 0 0
-----------

*sits and waits for someone with more knowledge to make corrections*
 
By no means is the following a complete list of commands, but it should get you started.
Code:
nameif ethernet0 outside 0
nameif ethernet1 inside 100
interface ethernet0 auto
interface ethernet1 auto
ip address outside 68.103.139.xxx 255.255.255.xxx   (you'll get this from your ISP; directions for enabling DHCP client support on the PIX: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172790.html#wp1053858)
ip address inside 192.168.100.1 255.255.255.0

nat (inside) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) tcp  interface 400  192.168.100.2 400 netmask 255.255.255.255 0 0
static (inside,outside) tcp  interface 1400  192.168.100.2 1400 netmask 255.255.255.255 0 0

! On PIX 6.x the outside ACL is checked against the mapped (global) address,
! so permit traffic to the outside interface, not to the inside host.
access-list acl_outside permit tcp any interface outside eq 400
access-list acl_outside permit tcp any interface outside eq 1400
**Keep permitting protocols that you want to allow to come into your network--FTP, SMTP, WWW, etc**
access-group acl_outside in interface outside
 
What annoys me is I had all that written last night for him, but accidentally clicked outside the text box, hit back, and was sent back to the login screen...as I fumbled for my laptop mouse, the "YOU HAVE LOGGED IN!" screen forwarded me happily back to an empty screen.

I left swearing...

...but I am glad that his question is getting properly answered. :)
 
This is from a PM exchange I had earlier. I'm only posting this because it may be useful for others...

Originally Posted by tdg
But I do have a question I know you can answer: what exactly is PAT in layman's terms? I can't find a good explanation anywhere, including my PIX book or online.


In order to understand PAT, you need to know the basics of NAT. For starters, there are 65535 ports available for TCP services, and the same for UDP services. With NAT, an address on the inside of the PIX is translated, or aliased, to an address associated with the network on the outside of the PIX. This is a one-for-one mapping. All traffic destined for the outside aliased address is transferred to the associated address on the inside network of the PIX.

For example, host Bob on the inside network has the IP address 192.168.1.55 255.255.255.255. The PIX creates a static translation to Bob on the outside of the PIX with the address 22.5.76.55 (the PIX's outside interface is on the same network because the company was given a class C to use as they wish). So, someone on the internet can talk with Bob, even though Bob is on the inside network. This can happen because all traffic sent to 22.5.76.55 is sent along to 192.168.1.55.

The command to do this is:
static (inside,outside) 22.5.76.55 192.168.1.55 netmask 255.255.255.255


With PAT this isn't the case, and only services, or ports, are forwarded to internal hosts, which is where the term PAT comes from: Port Address Translation.

For example, you only have one IP address for the outside network, which you assign to the outside interface. Now all traffic of a particular type can be sent to this interface and forwarded on to an internal host. Say Bob is 192.168.1.55 on the inside network and the outside interface is 22.5.76.1. If Bob is a CS server, in order for the clients on the internet to play on Bob's CS server they need to be able to hit the server with the right port (something like 27000). So what you do is "forward" port 27000 from the outside interface to Bob's CS server. You do that with the modified static command:

static (inside,outside) tcp interface 27000 Bob 27000 netmask 255.255.255.255

In this command, "tcp" is the protocol, the first "27000" is the port being received on the interface, and the second "27000" is the port the service is being forwarded to on Bob.

I should also note that with port forwarding, you can also do port redirection. For example, say you have multiple FTP servers you would like users to be able to use. Since you can only forward one service to a destination, you must redirect ports (or you could run the FTP server on another port). For example, say the FTP servers are all listening on TCP/21. Then you would need redirection after the first forwarding statement. Here are the commands for that:
static (inside,outside) tcp interface 21 bob 21 netmask 255.255.255.255 <--this is standard forwarding
static (inside,outside) tcp interface 25021 bob1 21 netmask 255.255.255.255 <--this is redirection (from 25021 to 21)
static (inside,outside) tcp interface 26021 bob2 21 netmask 255.255.255.255 <--this is redirection (from 26021 to 21)
static (inside,outside) tcp interface 27021 bob3 21 netmask 255.255.255.255 <--this is redirection (from 27021 to 21)
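The two posts above (the starter config and the PAT/redirection explanation) boil down to one rule: each (protocol, outside port) pair can map to exactly one inside socket, and the matching outside ACL has to name the mapped address. The following is an added example, not code from the thread or from Cisco. It generates PIX 6.x-style static/access-list pairs from a list of forwards and refuses duplicate outside ports, which is the case that forces redirection. It assumes PIX 6.3 syntax in which both the static and the access-list can use the `interface` keyword for a DHCP-assigned outside address; the host names (bob, bob1, ...) and the sample forward list are constructed for illustration.

```python
"""Generate PIX 6.x static/ACL pairs for a list of port forwards.

Added example, not from the thread. Assumes PIX 6.3 syntax where the
outside address is learned via DHCP, so the mapped address is written
as the ``interface`` keyword in both the static and the access-list.
"""
from collections import namedtuple

# proto: "tcp" or "udp"; outside_port: port hit on the PIX outside interface;
# inside_host: inside address or a PIX 'name'; inside_port: port the service
# actually listens on. Redirection is simply outside_port != inside_port.
Forward = namedtuple("Forward", "proto outside_port inside_host inside_port")


def validate(forwards):
    """Reject anything the PIX would not accept or that would collide.

    A PIX maps one outside port of a given protocol to exactly one inside
    socket. A second server listening on the same inside port therefore
    needs a different outside port (redirection), otherwise the second
    static overlaps the first.
    """
    seen = {}
    for f in forwards:
        if f.proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {f.proto!r}")
        for port in (f.outside_port, f.inside_port):
            if not 1 <= port <= 65535:
                raise ValueError(f"port {port} out of range in {f}")
        key = (f.proto, f.outside_port)
        if key in seen:
            prev = seen[key]
            raise ValueError(
                f"{f.proto}/{f.outside_port} is already forwarded to "
                f"{prev.inside_host}:{prev.inside_port}; redirect "
                f"{f.inside_host} to a different outside port")
        seen[key] = f
    return forwards


def render(forwards, acl_name="acl_outside"):
    """Return the PIX command lines for the given forwards."""
    validate(forwards)
    lines = []
    for f in forwards:
        lines.append(
            f"static (inside,outside) {f.proto} interface {f.outside_port} "
            f"{f.inside_host} {f.inside_port} netmask 255.255.255.255 0 0")
    for f in forwards:
        # PIX 6.x evaluates the outside ACL against the mapped (global)
        # address, so the destination is the outside interface and the
        # *outside* port, not the inside host or inside port.
        lines.append(
            f"access-list {acl_name} permit {f.proto} any interface outside "
            f"eq {f.outside_port}")
    lines.append(f"access-group {acl_name} in interface outside")
    return lines


def example_forwards():
    """Constructed sample: the thread's FTP redirection set plus the
    original poster's UDP 400/1400 request to 192.168.100.2."""
    return [
        Forward("tcp", 21, "bob", 21),        # plain forwarding
        Forward("tcp", 25021, "bob1", 21),    # redirection 25021 -> 21
        Forward("tcp", 26021, "bob2", 21),    # redirection 26021 -> 21
        Forward("tcp", 27021, "bob3", 21),    # redirection 27021 -> 21
        Forward("udp", 400, "192.168.100.2", 400),
        Forward("udp", 1400, "192.168.100.2", 1400),
    ]


if __name__ == "__main__":
    print("\n".join(render(example_forwards())))
    # The collision case: two servers both claiming tcp/21 on the outside.
    try:
        render([Forward("tcp", 21, "bob", 21), Forward("tcp", 21, "bob1", 21)])
    except ValueError as err:
        print(f"rejected: {err}")
```

Paste the output one line at a time (as noted later in the thread, the PDM multi-line paste is unreliable for statics), then verify with `show static` and `show access-list`; a forward that has the static but no matching ACL hit counter incrementing is the usual sign the ACL names the wrong address.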
 
The big question is, how in the world do you copy this line:

static (inside,outside) tcp interface 27021 bob3 21 netmask 255.255.255.255

into the config file? Is there a command to do so? Do you have to copy the entire config file again? What about if you are overwriting a previous forward? E.g., a server moves from the IP xxx.xxx.xxx.1 to xxx.xxx.xxx.2. Can you overwrite the old entry?

Sorry for all of the questions and thank you for the help!
~Aux
 
Highlight the text and right click/copy. If using hyperterminal, right click in the terminal window and select Paste to Host. If using a command prompt, a right click should paste in the copied text.
 
AuxNuke said:
The big question is, how in the world do you copy this line:

static (inside,outside) tcp interface 27021 bob3 21 netmask 255.255.255.255

into the config file? Is there a command to do so? Do you have to copy the entire config file again? What about if you are overwriting a previous forward? E.g., a server moves from the IP xxx.xxx.xxx.1 to xxx.xxx.xxx.2. Can you overwrite the old entry?

Sorry for all of the questions and thank you for the help!
~Aux

What I've been doing with my PIX is using the PDM to enter commands; there's an option somewhere up in the file menu to manually enter commands. One thing I did notice is there's an option to paste multiple commands and send them to the PIX at once... don't use it, at least with the port forwarding/static commands. For some reason it would always take the first command and then reject the second one, so do it one line at a time.

And as the original poster of this thread, I've since gotten the hang of forwarding and have changed machines/IPs, and simply entered the command again with the new IP and it just changed the original entry, as long as it was the same port being forwarded. At least the PDM did this; I'd assume if configuring it via telnet it'd do the same thing.
 
BobSutan said:
This is from a PM exchange I had earlier. I'm only posting this because it may be useful for others...



I should also note that with port forwarding, you can also do port redirection. For example, say you have multiple FTP servers you would like users to be able to use. Since you can only forward one service to a destination, you must redirect ports (or you could run the FTP server on another port). For example, say the FTP servers are all listening on TCP/21. Then you would need redirection after the first forwarding statement. Here are the commands for that:
static (inside,outside) tcp interface 21 bob 21 netmask 255.255.255.255 <--this is standard forwarding
static (inside,outside) tcp interface 25021 bob1 21 netmask 255.255.255.255 <--this is redirection (from 25021 to 21)
static (inside,outside) tcp interface 26021 bob2 21 netmask 255.255.255.255 <--this is redirection (from 26021 to 21)
static (inside,outside) tcp interface 27021 bob3 21 netmask 255.255.255.255 <--this is redirection (from 27021 to 21)
Small question about this: how does the FTP client know which FTP server to hit if you only have one public (WAN) IP address? Will the client have to configure something to accomplish this?
 
You'll need to manually specify the port for the corresponding server. For example, say the PIX is set up to forward port 21 to FTP server Alpha and to redirect port 20021 to FTP server Beta. Both FTP servers are listening on TCP port 21 as normal. For the external client to connect to Alpha, it just needs to connect to the PIX's outside IP address as usual (on TCP port 21). However, in order for the external client to reach Beta, it will need to connect to the PIX's outside interface on TCP port 20021. For example, IIRC, SmartFTP has a small window in the upper right corner of the app that lets you specify the port number you want to connect on. As always, check your client's documentation for how to change the destination port number.
 