
Please Help Verify Settings on PIX 501 for Port Forwarding


emuldoon66

Programmer
Nov 1, 2004
Hello all,

I need to remotely access this customer's newly installed telephone PBX via the web. The management program communicates over ports 5000, 5002, & 5003 using TCP. This PIX 501 was already in place when we installed the system, but the customer no longer has IT support for it, so I inherited the task of changing the config to suit the need. I have pasted the running config as a reference for anyone willing to help. My additions are pretty obvious, I think: access-list entries with ports 5000, 5002 & 5003, as well as static entries for the same. I blanked out sensitive info throughout the text. The WAN IP is xxx.xxx.xxx.xxx and the LAN IP is yyy.yyy.yyy.[host]

Thanks a ton in advance.

Written by ########## at 08:33:45.639 UTC Tue Apr 15 2008
PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***************** encrypted
passwd ******************* encrypted
hostname allendale-pix
domain-name @@@@@@@@@@@@@@.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_open permit ip any any
access-list acl_in permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list acl_in permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-list acl_in permit tcp any host xxx.xxx.xxx.xxx eq pop3
access-list acl_in permit tcp any host xxx.xxx.xxx.xxx eq www
access-list acl_in permit tcp any host xxx.xxx.xxx.xxx eq pcanywhere-data
access-list acl_in permit udp any host xxx.xxx.xxx.xxx eq pcanywhere-status
access-list acl_in permit tcp any host xxx.xxx.xxx.xxx eq 5633
access-list acl_in permit udp any host xxx.xxx.xxx.xxx eq 5634
access-list acl_in permit tcp any host xxx.xxx.xxx.xxx eq 5200
access-list acl_in permit tcp any host xxx.xxx.xxx.xxx eq 5000
access-list acl_in permit tcp any host xxx.xxx.xxx.xxx eq 5003
access-list acl_out permit ip host yyy.yyy.yyy.2 any
access-list acl_out permit ip host yyy.yyy.yyy.3 any
access-list acl_out deny ip any any
access-list inside_outside deny ip any 66.150.244.0 255.255.255.0
access-list inside_outside deny ip any host 216.109.116.190
access-list inside_outside deny ip any host 216.251.105.120
access-list inside_outside deny ip any host 192.135.191.3
access-list inside_outside deny ip any 207.68.0.0 255.255.0.0
access-list inside_outside deny ip any host 192.135.191.1
access-list inside_outside deny ip any host 216.251.100.2
access-list inside_outside deny ip any host 216.251.100.1
access-list inside_outside deny tcp any any eq 1503
access-list inside_outside deny tcp any any eq 1863
access-list inside_outside deny tcp any any eq 6891
access-list inside_outside deny tcp any any eq 6892
access-list inside_outside deny tcp any any eq 6893
access-list inside_outside deny tcp any any eq 6894
access-list inside_outside deny tcp any any eq 6895
access-list inside_outside deny tcp any any eq 6896
access-list inside_outside deny tcp any any eq 6897
access-list inside_outside deny tcp any any eq 6898
access-list inside_outside deny tcp any any eq 6899
access-list inside_outside deny tcp any any eq 5001
access-list inside_outside deny tcp any any eq 5002
access-list inside_outside deny tcp any any eq 5004
access-list inside_outside deny tcp any any eq 5005
access-list inside_outside deny tcp any any eq 5006
access-list inside_outside deny tcp any any eq 5007
access-list inside_outside deny tcp any any eq 5008
access-list inside_outside deny tcp any any eq 5009
access-list inside_outside deny tcp any any eq 5010
access-list inside_outside deny tcp any any eq 5050
access-list inside_outside deny tcp any any eq 5100
access-list inside_outside deny tcp any any eq aol
access-list inside_outside deny tcp any any eq 5191
access-list inside_outside deny tcp any any eq 5192
access-list inside_outside deny tcp any any eq 5193
access-list inside_outside deny udp any any eq 5001
access-list inside_outside deny udp any any eq 5002
access-list inside_outside deny udp any any eq 5004
access-list inside_outside deny udp any any eq 5005
access-list inside_outside deny udp any any eq 5006
access-list inside_outside deny udp any any eq 5007
access-list inside_outside deny udp any any eq 5008
access-list inside_outside deny udp any any eq 5009
access-list inside_outside deny udp any any eq 5010
access-list inside_outside deny udp any any eq 5050
access-list inside_outside deny udp any any eq 5100
access-list inside_outside deny udp any any eq 5190
access-list inside_outside deny udp any any eq 5191
access-list inside_outside deny udp any any eq 5192
access-list inside_outside deny udp any any eq 5193
access-list inside_outside deny udp any any eq 1503
access-list inside_outside deny udp any any eq 1863
access-list inside_outside permit ip any any
access-list inside_outside permit tcp any any eq smtp
access-list inside_outside permit tcp any host yyy.yyy.yyy.20 eq 5000
access-list inside_outside permit tcp any host yyy.yyy.yyy.20 eq 5003
access-list inside_outside permit tcp any host yyy.yyy.yyy.20 eq 5200
access-list acl-out permit tcp host yyy.yyy.yyy.20 any
access-list acl-out permit tcp host yyy.yyy.yyy.21 any
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside yyy.yyy.yyy.254 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location yyy.yyy.yyy.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 216.109.206.114 255.255.255.255 outside
pdm location yyy.yyy.yyy.2 255.255.255.255 inside
pdm location yyy.yyy.yyy.3 255.255.255.255 inside
pdm location yyy.yyy.yyy.116 255.255.255.255 inside
pdm location 192.168.17.0 255.255.255.0 outside
pdm location 24.247.255.159 255.255.255.255 outside
pdm location 192.135.191.1 255.255.255.255 outside
pdm location 192.135.191.3 255.255.255.255 outside
pdm location 216.109.116.190 255.255.255.255 outside
pdm location 216.251.100.1 255.255.255.255 outside
pdm location 216.251.100.2 255.255.255.255 outside
pdm location 216.251.105.120 255.255.255.255 outside
pdm location 207.68.0.0 255.255.0.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface smtp yyy.yyy.yyy.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pcanywhere-data yyy.yyy.yyy.3 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 yyy.yyy.yyy.3 5632 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5633 yyy.yyy.yyy.116 5633 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5634 yyy.yyy.yyy.116 5634 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 yyy.yyy.yyy.3 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5000 yyy.yyy.yyy.20 5000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5003 yyy.yyy.yyy.20 5003 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5200 yyy.yyy.yyy.20 5200 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface telnet yyy.yyy.yyy.21 telnet netmask 255.255.255.255 0 0
access-group acl_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 216.109.206.114 255.255.255.255 outside
http 24.247.255.159 255.255.255.255 outside
http yyy.yyy.yyy.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map toCoopersville 20 ipsec-isakmp
crypto map toCoopersville 20 set peer 206.150.113.198
crypto map toCoopersville 20 set transform-set strong
Incomplete
crypto map toCoopersville interface outside
isakmp enable outside
isakmp key ******** address 206.150.113.198 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 76.236.171.35 255.255.255.255 outside
ssh yyy.yyy.yyy.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 20
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname ###########
vpdn group pppoex ppp authentication pap
vpdn username ############## password ********
username ######## password *****************encrypted privilege 15
username ######## password ***************** encrypted privilege 15
terminal width 80
Cryptochecksum:**************************************

allendale-pix(config)#
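On PIX 6.3 a TCP port is only reachable from outside when two things line up: a `static (inside,outside) tcp interface <port> ...` translation and a matching permit in the one ACL that `access-group ... in interface outside` binds to the outside interface. The checker below is an added example, not code from the thread: it parses a config in the format posted above and reports, per wanted port, whether both pieces exist, and it lists ACLs that are defined but bound to no interface (those filter nothing, however many deny lines they hold). The embedded excerpt is constructed to mirror the posted config, with the same placeholder addresses.

```python
import re

# Cisco service names used in the posted config, mapped to their port numbers.
NAMED_PORTS = {"smtp": 25, "www": 80, "pop3": 110, "telnet": 23,
               "pcanywhere-data": 5631, "pcanywhere-status": 5632}

# Constructed excerpt modelled on the thread's config; addresses are placeholders.
SAMPLE_CONFIG = """\
access-list acl_in permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list acl_in permit tcp any host xxx.xxx.xxx.xxx eq 5000
access-list acl_in permit tcp any host xxx.xxx.xxx.xxx eq 5003
access-list inside_outside deny tcp any any eq 5002
access-list inside_outside permit tcp any host yyy.yyy.yyy.20 eq 5000
static (inside,outside) tcp interface smtp yyy.yyy.yyy.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5000 yyy.yyy.yyy.20 5000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5003 yyy.yyy.yyy.20 5003 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
"""

def _port(token):
    return int(token) if token.isdigit() else NAMED_PORTS.get(token)

def outside_acl(config):
    """Name of the ACL bound inbound on the outside interface, or None."""
    m = re.search(r"^access-group (\S+) in interface outside", config, re.M)
    return m.group(1) if m else None

def permitted_tcp_ports(config, acl):
    """TCP destination ports the named ACL permits from 'any'."""
    pat = re.compile(r"^access-list %s permit tcp any host \S+ eq (\S+)" % re.escape(acl), re.M)
    return {_port(t) for t in pat.findall(config)}

def tcp_statics(config):
    """Outside port -> (inside host, inside port) for 'static ... tcp interface' entries."""
    pat = re.compile(r"^static \(inside,outside\) tcp interface (\S+) (\S+) (\S+) netmask", re.M)
    return {_port(o): (host, _port(i)) for o, host, i in pat.findall(config)}

def unapplied_acls(config):
    """ACLs that are defined but bound to no interface: they filter nothing."""
    defined = set(re.findall(r"^access-list (\S+) ", config, re.M))
    return defined - set(re.findall(r"^access-group (\S+) ", config, re.M))

def check_forwarding(config, ports):
    """Per port: is it permitted by the outside ACL, and which static forwards it?"""
    acl = outside_acl(config)
    permitted = permitted_tcp_ports(config, acl) if acl else set()
    statics = tcp_statics(config)
    return {p: {"acl_permit": p in permitted, "static": statics.get(p)} for p in ports}
```

Run against the excerpt, `check_forwarding(SAMPLE_CONFIG, [5000, 5002, 5003])` shows 5000 and 5003 complete and 5002 with neither a permit nor a static, and `unapplied_acls` reports `inside_outside` as dead configuration.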
 
All set!! No need to reply. Thanks for looking, though.
 
Did you have to save the config and reboot the PIX? I used to always forget to reboot lol
 