Single public IP and Port Forward 1

[nloecke]

Hey all I have worked with the PIXes for quite a while, but never quite like this.
I have a PIX 506 and have a single public IP address assigned by PPPOE. The DSL Modem is in Bridge mode and the PIX is connecting to the internet like it's supposed to. This setup is similar to the situation in thread35-1218772 but we have about 20 stations and one server that needs all the ports.
Everyone can get to the internet but it appears none of the ports are coming through. Here's the majority of the config.

[tt]PIX Version 6.3(4)[/tt]
<snip>
[tt]fixup protocol dns maximum-length 65535[/tt]
<snip>
[tt]access-list inbound permit tcp any host 192.168.111.250 eq 3389
access-list inbound permit tcp any host 192.168.111.250 eq smtp
access-list inbound permit tcp any host 192.168.111.250 eq domain
access-list inbound permit tcp any host 192.168.111.250 eq www
access-list inbound permit tcp any host 192.168.111.250 eq 135
access-list inbound permit tcp any host 192.168.111.250 eq 445
access-list inbound permit tcp any host 192.168.111.250 eq 3268
access-list inbound permit tcp any host 192.168.111.250 eq 4125
access-list inbound permit tcp any host 192.168.111.250 range 4900 4903
access-list inbound permit tcp any host 192.168.111.250 eq 88
access-list inbound permit tcp any host 192.168.111.250 eq ldap
access-list inbound permit udp any host 192.168.111.250 eq domain
access-list inbound permit udp any host 192.168.111.250 eq 88
access-list inbound permit udp any host 192.168.111.250 eq 389
access-list inbound permit udp any host 192.168.111.250 eq ntp[/tt]
<snip>
[tt]ip address outside pppoe setroute
ip address inside 192.168.111.1 255.255.255.0[/tt]
<snip>
[tt]global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inbound in interface outside[/tt]
<snip>
[tt]vpdn group INTERNET request dialout pppoe
vpdn group INTERNET localname blah
vpdn group INTERNET ppp authentication mschap
vpdn username blah password *********[/tt]
<snip>

I first set the ports up like I usually do when I have a range of public IP addresses using this:

[tt]static (inside,outside) PUBLIC-IP PRIVATE-IP netmask 255.255.255.255
conduit permit tcp host PUBLIC-IP eq 3389 any[/tt]

The problem there is that since I was forcing the only public IP to map to the private IP of the server, I could only get on the internet from the server. The stations were down!! So I took that out.

Any help would be greatly appreciated.
Thanks

<<Witty Signature>>

 

[brianinms]

It should be

static (inside,outside) tcp interface XXXX 192.168.111.250 XXX netmask 255.255.255.255


Where XXXX is the port number.


The Acl should be

access-list inbound permit tcp any interface outside eq 3389
access-list inbound permit tcp any interface outside eq smtp
access-list inbound permit tcp any interface outside eq domain
access-list inbound permit tcp any interface outside eq www
access-list inbound permit tcp any interface outside eq 135
access-list inbound permit tcp any interface outside eq 445
access-list inbound permit tcp any interface outside eq 3268
access-list inbound permit tcp any interface outside eq 4125
access-list inbound permit tcp any interface outside range 4900 4903
access-list inbound permit tcp any interface outside eq 88
access-list inbound permit tcp any interface outside eq ldap
access-list inbound permit udp any interface outside eq domain
access-list inbound permit udp any interface outside eq 88
access-list inbound permit udp any interface outside eq 389
access-list inbound permit udp any interface outside eq ntp

 

[nloecke]

Thanks for your reply Brian.
What about the rest of the stations? Does the PIX allow the other stations out since it defines a one-to-one NAT between the specified private and only public IP address?

That is why I removed the static (inside,outside) line in the first place, but I wasn't using an ACL at the time.


<<Witty Signature>>

 

[brianinms]

If you only have 1 external ip address, then you can only forward a certain port from that ip to the port of an inside ip address. You cant forward port 3389 from the outside to multiple inside hosts.

 

[nloecke]

I only want the ports to go to the server at 192.168.111.250.
I was referring to the static mapping command. When I had it set that way earlier, the server was the only machine that could get to the internet.

<<Witty Signature>>

 

[brianinms]

Aight, thats because your static was wrong. If you look at my example I configured its the proper way.

 

[nloecke]

Brian - Thanks again for giving me a hand.
If I define the ports with the static command, what good does the ACL do?
Example 3389, RDP. If I enter this, as you suggest:
static (inside,outside) tcp interface 3389 192.168.111.250 3389 netmask 255.255.255.255
and do it for every port I need open, what good does the ACL do?
It almost appears that in your ACL config, we are opening the ports to come inbound, but don't specify where they should go.
I will try it with no ACL and all of the ports specified for the server whti the static command.

Also, can I use static (inside,outside) tcp interface 3389 host 192.168.111.250 3389 instead?


Thanks

<<Witty Signature>>

 

[nloecke]

Well I got the thing working for the most part.
I used Brian's config recommendation and successfully opened the ports to the server.
I realized that when used this way, the static command truly forwards the port to the specified internal IP address, and the ACL is what allows them in from the outside.
So here is my current config. You will see extra ports open, because we are now having problems getting external Outlook Express clients to connect via POP3 and send email out through the server.

[tt]
no fixup protocol smtp 25
<snip>
access-list inbound permit tcp any interface outside eq 3389
access-list inbound permit tcp any interface outside eq smtp
access-list inbound permit tcp any interface outside eq domain
access-list inbound permit tcp any interface outside eq www
access-list inbound permit tcp any interface outside eq 135
access-list inbound permit tcp any interface outside eq 445
access-list inbound permit tcp any interface outside eq 3268
access-list inbound permit tcp any interface outside eq 4125
access-list inbound permit tcp any interface outside range 4900 4903
access-list inbound permit tcp any interface outside eq 88
access-list inbound permit tcp any interface outside eq ldap
access-list inbound permit udp any interface outside eq domain
access-list inbound permit udp any interface outside eq 88
access-list inbound permit udp any interface outside eq 389
access-list inbound permit udp any interface outside eq ntp
access-list inbound permit tcp any interface outside eq pop3
access-list inbound permit tcp any interface outside eq ident
access-list inbound permit udp any interface outside eq 113
access-list inbound permit tcp any interface outside eq https
access-list inbound permit tcp any interface outside eq imap4
access-list inbound permit tcp any interface outside eq 993
<snip>
static (inside,outside) tcp interface 3389 192.168.111.250 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.111.250 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface domain 192.168.111.250 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp interface

http://www 192.168.111.250

http://www netmask

255.255.255.255 0 0
static (inside,outside) tcp interface 135 192.168.111.250 135 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 445 192.168.111.250 445 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3268 192.168.111.250 3268 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 192.168.111.250 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4900 192.168.111.250 4900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4901 192.168.111.250 4901 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4902 192.168.111.250 4902 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4903 192.168.111.250 4903 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 88 192.168.111.250 88 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ldap 192.168.111.250 ldap netmask 255.255.255.255 0 0
static (inside,outside) udp interface 88 192.168.111.250 88 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 389 192.168.111.250 389 netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 192.168.111.250 domain netmask 255.255.255.255 0 0
static (inside,outside) udp interface ntp 192.168.111.250 ntp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.111.250 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ident 192.168.111.250 ident netmask 255.255.255.255 0 0
static (inside,outside) tcp interface imap4 192.168.111.250 imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.111.250 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 993 192.168.111.250 993 netmask 255.255.255.255 0 0
access-group inbound in interface outside[/tt]

Like I said, the port forwarding works, but we are unable to allow external POP3 users to send email to internet domains. I.E Relay through the server.
Any help on this would be greatly appreciated.
Thanks again!

<<Witty Signature>>

 

[nloecke]

OK we figured out the SMTP problem, finally have a chance to finish the thread. SMTP authentication will not allow special characters in the password. At least it doesn't allow the asterisk...
That was the problem there.

Thanks again

<<Witty Signature>>