2
PIX 501 "Port forwarding" - Hilfe
So Jungs, endlich kam ich mal wieder dazu alles aus der ecke zu holn :P
ollen dienstreisen.. aber nun gut..
hab nochma alle in ruhe angehen lassen und mitlerweile hab ich auch internetzugang und
alles läuft ganz gut...bis auf die "port forwardings" bzw Regeln dafür klappen bei mir nicht.
Ich will das bestimme ports, wie Webserver,ftp, etc.. auf eine bestimme Adresse hindürfen..
vielleicht habt ihr ja n tip für mich..(am besten was man im pdm machen kann :D)
Pix: 192.168.0.1
Gerät wos hin soll: 192.168.0.2
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
no names
object-group service Emuleudp udp
description Emule udp
port-object range 4665 4665
port-object range 4672 4672
object-group service Emule tcp-udp
description TCP UDP
port-object range 4661 4662
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 any
access-list inside_access_in deny udp any any eq netbios-dgm
access-list inside_access_in deny udp any any eq netbios-ns
access-list inside_access_in deny udp any any eq 135
access-list inside_access_in deny udp any any eq 445
access-list inside_access_in deny tcp any any eq 445
access-list inside_access_in permit ip any any
access-list inside_access_in remark Emule TCP
access-list inside_access_in permit tcp any eq 4661 any eq 4661
access-list inside_access_in remark Emule TCP
access-list inside_access_in permit tcp any eq 4662 any eq 4662
access-list inside_access_in remark Emule UDP
access-list inside_access_in permit udp any eq 4665 any eq 4665
access-list inside_access_in remark Emule UDP
access-list inside_access_in permit udp any eq 4672 any eq 4672
access-list inside_access_in remark Webserver
access-list inside_access_in permit tcp any eq www any eq www
access-list inside_access_in remark FTP
access-list inside_access_in permit tcp any eq ftp any eq ftp
access-list outside_access_in remark Webserver
access-list outside_access_in permit tcp any eq www any eq www
access-list outside_access_in remark Emule TCP
access-list outside_access_in permit tcp any eq 4662 any eq 4662
pager lines 24
logging on
logging timestamp
logging console warnings
logging monitor warnings
logging buffered debugging
logging trap warnings
logging queue 0
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.0.2 192.168.0.1 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set
isakmp enable outside
isakmp identity address
telnet 192.168.0.1 255.255.255.255 inside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname #####
vpdn group pppoe_group ppp authentication pap
vpdn username ##### password
dhcpd address 192.168.0.3-192.168.0.25 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username admin *** encrypted privilege 15
terminal width 80
Cryptochecksum:dbc8ff98add018cf6afe3b5edb6701d2
pixfirewall#
ollen dienstreisen.. aber nun gut..
hab nochma alle in ruhe angehen lassen und mitlerweile hab ich auch internetzugang und
alles läuft ganz gut...bis auf die "port forwardings" bzw Regeln dafür klappen bei mir nicht.
Ich will das bestimme ports, wie Webserver,ftp, etc.. auf eine bestimme Adresse hindürfen..
vielleicht habt ihr ja n tip für mich..(am besten was man im pdm machen kann :D)
Pix: 192.168.0.1
Gerät wos hin soll: 192.168.0.2
- Saved
- Written by admin at 17:15:43.379 CEST Wed Jan 18 2006
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
no names
object-group service Emuleudp udp
description Emule udp
port-object range 4665 4665
port-object range 4672 4672
object-group service Emule tcp-udp
description TCP UDP
port-object range 4661 4662
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 any
access-list inside_access_in deny udp any any eq netbios-dgm
access-list inside_access_in deny udp any any eq netbios-ns
access-list inside_access_in deny udp any any eq 135
access-list inside_access_in deny udp any any eq 445
access-list inside_access_in deny tcp any any eq 445
access-list inside_access_in permit ip any any
access-list inside_access_in remark Emule TCP
access-list inside_access_in permit tcp any eq 4661 any eq 4661
access-list inside_access_in remark Emule TCP
access-list inside_access_in permit tcp any eq 4662 any eq 4662
access-list inside_access_in remark Emule UDP
access-list inside_access_in permit udp any eq 4665 any eq 4665
access-list inside_access_in remark Emule UDP
access-list inside_access_in permit udp any eq 4672 any eq 4672
access-list inside_access_in remark Webserver
access-list inside_access_in permit tcp any eq www any eq www
access-list inside_access_in remark FTP
access-list inside_access_in permit tcp any eq ftp any eq ftp
access-list outside_access_in remark Webserver
access-list outside_access_in permit tcp any eq www any eq www
access-list outside_access_in remark Emule TCP
access-list outside_access_in permit tcp any eq 4662 any eq 4662
pager lines 24
logging on
logging timestamp
logging console warnings
logging monitor warnings
logging buffered debugging
logging trap warnings
logging queue 0
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.0.2 192.168.0.1 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set
isakmp enable outside
isakmp identity address
telnet 192.168.0.1 255.255.255.255 inside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname #####
vpdn group pppoe_group ppp authentication pap
vpdn username ##### password
dhcpd address 192.168.0.3-192.168.0.25 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username admin *** encrypted privilege 15
terminal width 80
Cryptochecksum:dbc8ff98add018cf6afe3b5edb6701d2
pixfirewall#
Share on Facebook
Share on Twitter
Share on Reddit
Share on LinkedinPlease also mark the comments that contributed to the solution of the article
Content-Key: 24149
Url: https://administrator.de/contentid/24149
Printed on: April 19, 2024 at 01:04 o'clock
2 Comments
Latest comment
Hi,
lesen ???????!!!!!!!!!!!!!!!!!!!!
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuratio ...
Gruß
Appel
lesen ???????!!!!!!!!!!!!!!!!!!!!
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuratio ...
Gruß
Appel
hab das nun mal gelesen und soweit ich das verstanden hab auch
angewendet...
aber das klappt nicht mit dem Ftp/webserver
hab mitlerweile locker 12 std mit dem teil verbracht und ohne erfolge macht
das ganze irgendwann keinen spaß mehr *grml*
vielleicht schaun sich ma die profis meine config an..
IX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname pixfirewall
domain-name ciscopix.com
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
no names
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in deny udp any any eq netbios-dgm
access-list inside_access_in deny udp any any eq netbios-ns
access-list inside_access_in deny udp any any eq 135
access-list inside_access_in deny udp any any eq 445
access-list inside_access_in deny tcp any any eq 445
access-list inside_access_in permit ip any any
access-list outside_accesss_in permit tcp any host 192.168.10.2 eq ftp-data
access-list outside_inbound_nat0_acl permit ip interface outside host 192.168.10.2
access-list outside_access_in permit tcp any host 192.168.10.2 eq ftp
access-list outside_access_in permit tcp any host 192.168.10.2 eq www
access-list outside_access_in permit tcp any host 192.168.10.2 eq ftp-data
pager lines 24
logging on
logging timestamp
logging console warnings
logging monitor warnings
logging buffered debugging
logging trap warnings
logging queue 0
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.10.2 255.255.255.255 inside
pdm location 192.168.10.2 255.255.255.255 outside
pdm location 192.168.10.9 255.255.255.255 inside
pdm location 192.168.10.7 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list outside_inbound_nat0_acl outside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp-data 192.168.10.2 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.10.2 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.10.2 www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp enable outside
isakmp identity address
telnet 192.168.10.1 255.255.255.255 inside
telnet 192.168.10.2 255.255.255.255 inside
telnet timeout 5
ssh 80.228.110.19 255.255.255.255 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.10.7 255.255.255.255 inside
ssh 192.168.10.2 255.255.255.255 inside
ssh timeout 15
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname #######
vpdn group pppoe_group ppp authentication pap
vpdn username ##########@t-online.de password ####
dhcpd address 192.168.10.7-192.168.10.25 inside
dhcpd lease 72000
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username admin password #####encrypted privilege 15
terminal width 80
Cryptochecksum:1285437dfc370b1d598459e27165a678
: end
[OK]
angewendet...
aber das klappt nicht mit dem Ftp/webserver
hab mitlerweile locker 12 std mit dem teil verbracht und ohne erfolge macht
das ganze irgendwann keinen spaß mehr *grml*
vielleicht schaun sich ma die profis meine config an..
IX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname pixfirewall
domain-name ciscopix.com
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
no names
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in deny udp any any eq netbios-dgm
access-list inside_access_in deny udp any any eq netbios-ns
access-list inside_access_in deny udp any any eq 135
access-list inside_access_in deny udp any any eq 445
access-list inside_access_in deny tcp any any eq 445
access-list inside_access_in permit ip any any
access-list outside_accesss_in permit tcp any host 192.168.10.2 eq ftp-data
access-list outside_inbound_nat0_acl permit ip interface outside host 192.168.10.2
access-list outside_access_in permit tcp any host 192.168.10.2 eq ftp
access-list outside_access_in permit tcp any host 192.168.10.2 eq www
access-list outside_access_in permit tcp any host 192.168.10.2 eq ftp-data
pager lines 24
logging on
logging timestamp
logging console warnings
logging monitor warnings
logging buffered debugging
logging trap warnings
logging queue 0
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.10.2 255.255.255.255 inside
pdm location 192.168.10.2 255.255.255.255 outside
pdm location 192.168.10.9 255.255.255.255 inside
pdm location 192.168.10.7 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list outside_inbound_nat0_acl outside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp-data 192.168.10.2 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.10.2 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.10.2 www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp enable outside
isakmp identity address
telnet 192.168.10.1 255.255.255.255 inside
telnet 192.168.10.2 255.255.255.255 inside
telnet timeout 5
ssh 80.228.110.19 255.255.255.255 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.10.7 255.255.255.255 inside
ssh 192.168.10.2 255.255.255.255 inside
ssh timeout 15
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname #######
vpdn group pppoe_group ppp authentication pap
vpdn username ##########@t-online.de password ####
dhcpd address 192.168.10.7-192.168.10.25 inside
dhcpd lease 72000
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username admin password #####encrypted privilege 15
terminal width 80
Cryptochecksum:1285437dfc370b1d598459e27165a678
: end
[OK]
