
Opening specific ports inside to fixed outside IP

Status
Not open for further replies.

themikehyde

IS-IT--Management
Feb 20, 2003
61
US
Hello everyone,
I am running a Pix 515E with 6.2 OS. We use Quantum SnapServers for our file storage. We have two snap servers to allow replication using Snap Appliance Server-to-Server synchronization software. It works great in-house. I have relocated the second Disk server offsite. The offsite location is a Business class cable modem, providing a static IP Address. I have set up a Linksys Cable router, and set up the disk server as a DMZ with public access to the necessary ports as noted by Snap.

Snap Appliance states that the Server-to-Server software uses TCP ports 9090, 9092 & 9093 and UDP 4466. I believe I have modified my config correctly, but the offsite snap server says it is unable to establish communication with the internal server. I did a clear xlate after modifications.

Can anyone help??

Thanks,
Mike



xxx.xxx.xxx.      Our public IP addresses
yyy.yyy.yyy.yyy   The public IP address for the remote site
192.168.1.15      The private IP address of the internal server.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 dmz1 security10
enable passwordxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxxxx
hostname PIX515E
domain-name maxuse.com
clock timezone EST -5
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_in permit icmp any any
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host xxx.xxx.xxx.230 eq www
access-list acl_out permit tcp any host xxx.xxx.xxx.210 eq www
access-list acl_out permit tcp any host xxx.xxx.xxx.199 eq www
access-list acl_out permit tcp any host xxx.xxx.xxx.200 eq www
access-list acl_out permit tcp any host xxx.xxx.xxx.202 eq www
access-list acl_out permit tcp any host xxx.xxx.xxx.200 eq ftp
access-list acl_out permit tcp any host xxx.xxx.xxx.203 eq ftp
access-list acl_out permit tcp any host xxx.xxx.xxx.201 eq ftp

*****************The following is what I added. *****************
access-list acl_out permit tcp host yyy.yyy.yyy.yyy host xxx.xxx.xxx.240 eq 8080
access-list acl_out permit tcp host yyy.yyy.yyy.yyy host xxx.xxx.xxx.240 eq 9090
access-list acl_out permit tcp host yyy.yyy.yyy.yyy host xxx.xxx.xxx.240 eq 9092
access-list acl_out permit tcp host yyy.yyy.yyy.yyy host xxx.xxx.xxx.240 eq 9093
access-list acl_out permit udp host yyy.yyy.yyy.yyy host xxx.xxx.xxx.240 eq 4466
access-list acl_dmz1 permit icmp any any
access-list acl_dmz1 permit tcp host xxx.xxx.xxx.230 any eq www
access-list acl_dmz1 permit tcp host xxx.xxx.xxx.210 any eq www
access-list acl_dmz1 permit tcp host xxx.xxx.xxx.199 any eq www
access-list acl_dmz1 permit tcp host xxx.xxx.xxx.200 any eq www
access-list acl_dmz1 permit tcp host xxx.xxx.xxx.202 any eq www
access-list acl_dmz1 permit tcp host xxx.xxx.xxx.200 any eq ftp
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list EDSVPN permit tcp any any eq 12106
pager lines 24
logging on
logging timestamp
logging trap debugging
logging host inside 192.168.1.20
logging host inside 0.0.0.4
logging host inside 0.0.0.3
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 100full
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu dmz1 1500
ip address outside xxx.xxx.xxx.250 255.255.255.252
ip address inside 192.168.1.1 255.255.248.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address dmz1 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.10.1-192.168.10.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address dmz1 0.0.0.0
pdm location 192.169.1.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.1.50 255.255.255.255 inside
pdm location 192.168.1.51 255.255.255.255 inside
pdm location 192.169.1.4 255.255.255.255 dmz1
pdm location 192.169.1.5 255.255.255.255 dmz1
pdm location xxx.xxx.xxx.210 255.255.255.255 dmz1
pdm location xxx.xxx.xxx.230 255.255.255.255 dmz1
pdm location 192.168.100.4 255.255.255.255 dmz1
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz1) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) xxx.xxx.xxx.199 192.168.100.2 255.255.255.255
alias (inside) xxx.xxx.xxx.200 192.168.100.4 255.255.255.255
alias (inside) xxx.xxx.xxx.202 192.168.100.3 255.255.255.255
alias (inside) xxx.xxx.xxx.230 192.168.100.50 255.255.255.255
alias (inside) xxx.xxx.xxx.201 192.168.100.100 255.255.255.255
alias (inside) xxx.xxx.xxx.203 192.168.100.6 255.255.255.255
alias (inside) xxx.xxx.xxx.210 192.168.100.5 255.255.255.255
static (dmz1,outside) xxx.xxx.xxx.199 192.168.100.2 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.200 192.168.100.4 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.202 192.168.100.3 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.230 192.168.100.50 netmask 255.255.255.255 0 0

static (dmz1,outside) xxx.xxx.xxx.201 192.168.100.100 netmask 255.255.255.255 0 0

static (inside,dmz1) 192.168.2.41 192.168.2.41 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.203 192.168.100.6 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.210 192.168.100.5 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.240 192.168.1.15 netmask 255.255.255.255 0 0

access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.193 1
timeout xlate 3:00:00
timeout conn 9:00:00 half-closed 0:10:00 udp 0:10:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.51 255.255.255.255 inside
http 192.168.1.50 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map mydynmap 10 set transform-set myset
crypto map newmap 10 ipsec-isakmp dynamic mydynmap
crypto map newmap client configuration address initiate
crypto map newmap client configuration address respond
crypto map newmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 192.168.1.20
vpngroup vpn3000 wins-server 192.168.1.20
vpngroup vpn3000 default-domain hyperion
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet timeout 5
dhcpd address 192.168.2.1-192.168.2.254 inside
dhcpd dns 198.6.1.1 198.6.1.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:8a504d05d029b3ef1dc1929a4a2b4825
: end
HI.

> logging host inside 0.0.0.4
Not related to your question, but it seems like a typo here.

Anyway - I would go and check the syslog messages to get more info. A quick way to filter is to use Xnix "grep" or MS "find" utility.

You can also add buffer logging at level 4 to see just denied traffic.

In addition to the pix configuration, you should also check the configuration of the Linksys cable router, and the SnapServers.
Do the SnapServer look for the other one by IP or hostname?


Yizhar Hurwitz
 
Thanks Yizhar,
I guess I am wondering if I have set up the static and access list ok? I believe the Linksys router is set up fine.

Thanks,
Mike
 
HI.

> I guess I am wondering if I have setup the static and access list ok?
I did not find problems with them, but I can't see the whole picture.

If you add "logging buffered 4" to your configuration, it can also help you pinpoint the problems because it will show you only denied traffic blocked by the pix.
A rule of thumb - if level 4 does not show info related to your attempts - look for problems with other devices configuration.

Yizhar


Yizhar Hurwitz
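A small checker, added here as an example and not code from the thread, from Cisco or from Snap Appliance, that parses the two statements Mike asks about (the static and the acl_out entries for the Server-to-Server ports) and answers whether an inbound flow on the outside interface is permitted and which inside address it is translated to. The addresses are RFC 5737 documentation addresses standing in for the masked xxx/yyy values, and the PIX 6.x rule that an outside ACL matches on the global (pre-translation) address is assumed; only host/host/eq entries are modelled.

```python
import re

# Constructed excerpt modelled on the posted PIX 6.2 config. 203.0.113.240 stands in
# for xxx.xxx.xxx.240 and 198.51.100.9 for yyy.yyy.yyy.yyy (assumed, not the real IPs).
PIX_CONFIG = """
access-list acl_out permit tcp host 198.51.100.9 host 203.0.113.240 eq 9090
access-list acl_out permit tcp host 198.51.100.9 host 203.0.113.240 eq 9092
access-list acl_out permit tcp host 198.51.100.9 host 203.0.113.240 eq 9093
access-list acl_out permit udp host 198.51.100.9 host 203.0.113.240 eq 4466
static (inside,outside) 203.0.113.240 192.168.1.15 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
"""

# Only the three statement shapes this thread turns on are parsed.
ACE = re.compile(r"access-list (\S+) permit (tcp|udp) host (\S+) host (\S+) eq (\d+)")
STATIC = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask")
GROUP = re.compile(r"access-group (\S+) in interface (\w+)")

# Ports Snap Appliance lists for Server-to-Server synchronization (from the post).
S2S_FLOWS = [("tcp", 9090), ("tcp", 9092), ("tcp", 9093), ("udp", 4466)]


def parse_config(text):
    """Return (aces, statics, groups) from a PIX 6.x config excerpt."""
    aces, statics, groups = [], {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE.match(line):
            name, proto, src, dst, port = m.groups()
            aces.append((name, proto, src, dst, int(port)))
        elif m := STATIC.match(line):
            inner_if, outer_if, global_ip, local_ip = m.groups()
            statics[(outer_if, global_ip)] = (inner_if, local_ip)
        elif m := GROUP.match(line):
            groups[m.group(2)] = m.group(1)  # interface -> ACL bound inbound
    return aces, statics, groups


def check_inbound(cfg, src, dst_global, proto, port, iface="outside"):
    """(permitted, inside_address) for a flow arriving on iface toward a global IP."""
    aces, statics, groups = cfg
    acl = groups.get(iface)  # no access-group on the interface: implicit deny
    permitted = any(n == acl and p == proto and s == src and d == dst_global and pt == port
                    for n, p, s, d, pt in aces)
    inner = statics.get((iface, dst_global))
    return permitted, (inner[1] if inner else None)


def check_s2s(cfg, remote, local_global):
    """Map each Server-to-Server port to its (permitted, inside_address) verdict."""
    return {f: check_inbound(cfg, remote, local_global, *f) for f in S2S_FLOWS}
```

A flow that is translated but not permitted (for instance the telnet probe Keith suggests) is exactly the case that shows up as a level-4 deny in the buffered log.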
 
Hey Mike,
did you get this resolved yet? I have the Linksys at home and was wondering if you had correctly defined the ports on the linksys to forward packets for those snap ports to the inside address of your snap server at the linksys location.
I looked at your pix config too and don't see any obvious problems with it.
K
 
K,
I am still working on this. The snap server behind the Linksys appears to be trying to connect for the s2s, but says it cannot find the host (Snap behind the PIX). I do not see anything in the PIX log, so I am guessing it's still on the Linksys side. Are you trying to do the same thing?
 
Hey Mike,
I have my Linksys configured to accept certain ports for an application and redirect those ports to a file server I have at home. Try telnetting to one of the translated addresses of the snap server on the pix for giggles and check your pix log. Since you are not allowing telnet to that address you should see an info message in the pix log. That would verify that the snap behind the pix is at least accessible. Now which snap originates the connection, the one behind the Linksys or the one behind the pix?
Keith
 
Keith,
The snap server behind the Linksys is requesting the connection to the snapserver behind the PIX.
Thanks,
Mike
 
Hello everyone,
This finally appears to be working fine. If anyone needs info on doing the same, let me know.
Thanks,
Mike
 