PIX VPN & Port forwarding

Hello!

I have installed the most recent PIX 6.x version and have a few questions. Is it possible to have several IP addresses on the outside interface? I want different rules for connections to/from the different IP addresses. For example, www should point to the internal IP of the server. A VPN solution should also work.

The outside IP towards the ISP must be aaa.bbb.ccc.82, and the VPN must work.

I now also need the outside address aaa.bbb.ccc.90 to accept connections for the ISPS web server. Is it possible to get the outside interface to answer on both aaa.bbb.ccc.82 and aaa.bbb.ccc.90? If so, I think I can work out a config.

KR

Mattias

Hi Mattias,

If I understand you correctly, aaa.bbb.ccc.82 is the physical IP address of the PIX and aaa.bbb.ccc.90 is to be an outside IP for a server behind the PIX.

In that case you only need to create a static entry on the PIX to satisfy these requests, like this (assuming the outside and inside interfaces are named 'outside' and 'inside' and the inside server IP is xx.yy.zz.90):

static (inside,outside) aaa.bbb.ccc.90 xx.yy.zz.90 netmask 255.255.255.255

Please let me know if the situation is different.

Kind regards

Roland

Tags: Cisco Security

Similar Questions

  • ASA with VPN hairpinning and port forwarding

    Hello

    I have been working on an issue for a while and have managed to track down the cause, but I don't know how to solve it.

    I have an ASA 5505 running 8.4(7) with a tunnel for incoming AnyConnect remote VPN users. I also want to configure incoming port forwarding for a web server.

    The issue seems to be the hairpin rule, which stops the incoming port forwarding:

    nat (outside,outside) source dynamic NETWORK_OBJ_172.16.1.0_28 interface description hairpin NAT for VPN users on the outside interface

    When I disable it, the port forwarding works perfectly (according to packet-tracer, that is).

    I have attached the config to this post. I would appreciate any ideas on how to get both the VPN hairpinning and the incoming port forwarding working.

    The config has been trimmed to remove unneeded configuration.

    Thank you

    Hello

    What are the configuration commands you used to set up the static PAT (port forward)?

    The problem is most likely the order of the NAT configurations, e.g. the hairpin NAT being configured above the static PAT in the NAT configuration.

    The static PAT configuration you could use to make it work would be:

    object network SERVER
     host <server-ip>
    object service WWW
     service tcp source eq www
    nat (server,outside) 1 source static SERVER interface service WWW WWW

    The above assumes the interface the host sits behind is named "server" and the service you want to static-PAT is TCP/80.

    Note that we add the number '1' to the 'nat' command. This adds it at the top. The same should be done for any other static PAT you configure that you want to work for these VPN clients.

    Hope this helps

    -Jouni

  • vpn port forward?

    Hey everybody,

    Here's the situation: I have a Sidewinder firewall right behind a Cisco 2811 router. The router has the public IP address on its external interface, so it does NAT overload (PAT). I want to allow users to connect to my network using an IPsec VPN to the firewall. Due to design issues, I can't put the firewall directly on the Internet. Now, here is my question: do I have to port-forward the IPsec VPN on the router to the firewall? And now the big rookie question: if I need to port-forward, how do I do that?

    Thanks for the help,

    Andrew

    Andrew,

    I don't know if the firewall supports port forwarding or how to do it there, but you will need to forward

    UDP port 500

    IP protocol ESP

    UDP port 4500

    So, if it's a Cisco device, you create rules to forward the ports above to the internal firewall.

    To do the port forwarding on the router you do:

    ip nat inside source static udp x.x.x.x 500 interface <outside-interface> 500
    ip nat inside source static udp x.x.x.x 4500 interface <outside-interface> 4500
    ip nat inside source static esp x.x.x.x interface <outside-interface>

    Federico.

  • Site-to-site VPN with NAT and port forwarding on an 871

    Hello

    Could someone please look at the attached 871 router config and tell me where I'm going wrong!

    The VPNs all work, BUT anyone trying to connect through the VPN to a port that is port-forwarded fails.

    In the attached config port 3389 (RDP) is forwarded to an internal server. If you connect to the external Internet interface the connection is made and it works well, but if someone tries to connect to the internal IP address of that same server through the VPN, it does not work.

    We've added the commands to stop NAT from working across the VPN, but these do not seem to work.

    What am I missing?

    Thank you in advance; I will rate all useful responses.

    It is a common problem. Yes, you added commands to prevent NAT over the tunnel, but your static NAT for port 3389 takes precedence over the generic NAT command, and none of the commands you have stop it from being NATed over the tunnel.

    I wrote an example configuration for this some time ago; see here for more details:

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094634.shtml

    Hopefully it explains everything. Note that it is for a generic static host command, not a static port command like you have, but the concept is exactly the same. Just add a route-map statement to the end of your static port command; that route-map will reference an ACL that denies the addresses used when going over the tunnel.

  • TCP port forwarding on PIX 501

    Can you tell me how to port forward or open TCP 21 and 1024-2774 for the end user of a remote backup system, via the PIX Device Manager or the command line? Here is a copy of my config. Thanks, and my apologies if this is a somewhat rough configuration...

    : Saved
    :
    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password <removed>
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list allow-out permit tcp any any eq www
    access-list allow-out permit tcp any any eq https
    access-list allow-out permit udp any any eq isakmp
    access-list allow-out permit udp any any eq domain
    access-list allow-out permit tcp any any eq telnet
    access-list allow-out permit tcp any any eq ftp
    access-list allow-out permit icmp any any
    access-list allow-out permit esp any any
    access-list allow-out permit tcp any any eq ssh
    access-list allow-out permit tcp any any eq citrix-ica
    access-list allow-out permit tcp any any eq pop3
    access-list allow-out permit tcp any any eq smtp
    access-list allow-out permit tcp any any eq aol
    access-list allow-in permit esp any any
    access-list allow-in permit udp any any eq isakmp
    access-list allow-in permit icmp any any
    access-list allow-in permit tcp any any eq ssh
    pager lines 24
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside x.x.x.226 255.255.255.240
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.1.3 255.255.255.255 inside
    pdm location 192.168.1.5 255.255.255.255 inside
    pdm location 192.168.1.6 255.255.255.255 inside
    pdm location 192.168.1.7 255.255.255.255 inside
    pdm location 192.168.1.8 255.255.255.255 inside
    pdm location 192.168.1.9 255.255.255.255 inside
    pdm location x.x.x.88 255.255.255.255 outside
    pdm location 192.168.1.10 255.255.255.255 inside
    pdm location 192.168.1.11 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) x.x.x.227 192.168.1.9 netmask 255.255.255.255 0 0
    static (inside,outside) x.x.x.228 192.168.1.8 netmask 255.255.255.255 0 0
    static (inside,outside) x.x.x.229 192.168.1.3 netmask 255.255.255.255 0 0
    static (inside,outside) x.x.x.230 192.168.1.5 netmask 255.255.255.255 0 0
    static (inside,outside) x.x.x.231 192.168.1.7 netmask 255.255.255.255 0 0
    static (inside,outside) x.x.x.232 192.168.1.6 netmask 255.255.255.255 0 0
    access-group allow-in in interface outside
    access-group allow-out in interface inside
    route outside 0.0.0.0 0.0.0.0 216.215.244.225 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd dns 64.89.70.2 64.89.74.2
    dhcpd lease 2000000
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:XXXXX
    : end
    [OK]

    Hello

    Port forwarding is different from allowing ports through the firewall. I guess you meant allowing TCP/21 and TCP 1024-2774 through, right?

    You need the following lines:

    access-list allow-in permit tcp any any eq ftp
    access-list allow-in permit tcp any any range 1024 2774

    You can be more specific and replace "any" with the actual IP addresses.

    Thank you

    Nadeem

  • Port forwarding with PIX 501

    I am trying to get my PIX 501 to forward traffic on port 1412, TCP and UDP, for Direct Connect. The problem I have is that I can connect to a DC hub, but cannot establish connections with users.

    I added the following to the factory default configuration, with partial success:

    access-list outside permit tcp any host 192.168.100.20 eq 1412
    access-list outside permit udp any host 192.168.100.20 eq 1412
    static (inside,outside) tcp interface 1412 192.168.100.20 1412 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 1412 192.168.100.20 1412 netmask 255.255.255.255 0 0

    In the debug log for the access list I see errors of this type:

    Deny tcp src outside:other.users.ip.addr/3099 dst inside:my.public.ip.addr/1412 by access-group "access_outside_in".

    TCP request discarded from outside:my.public.ip.addr/45961 to other.users.ip.addr/2362

    I'm quite lost as to why it does not work when I think it should. I tried several approaches, including opening port ranges, and had no luck getting a successful port forward.

    You can change your outside ACL to the following:

    access-list outside permit tcp any host my.public.ip.addr eq 1412
    access-list outside permit udp any host my.public.ip.addr eq 1412
    access-group outside in interface outside

    Save again with "write mem" and also issue "clear xlate".

    Let me know if it works.

    Jay
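Both answers above come down to how a PIX 6.x evaluates a packet arriving on the outside interface: Nadeem's point that a static translation and an access-list entry are two different things and both are needed, and Jay's point that the access-list must name the public address, not the inside host. The following is an added example, not code from the thread or from Cisco: a small Python model of that evaluation. It assumes the PIX 6.x (and ASA pre-8.3) behaviour, in which the outside access-group is matched against the packet as it arrives, i.e. against the mapped public destination, and a matching static is then required to translate it. The addresses (203.0.113.10 standing in for my.public.ip.addr, 198.51.100.7 for the other DC user) are constructed.

```python
"""PIX 6.x inbound check: an outside ACL hit AND a static translation are both
needed, and the ACL sees the mapped (public) address, not the inside one.

Added example, not code from the thread. Addresses are constructed
(203.0.113.10 stands in for my.public.ip.addr). The order modelled is the
PIX 6.x / ASA pre-8.3 behaviour: the outside access-group is evaluated on
the packet as it arrives, then the static is looked up."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Static:
    """static (inside,outside) [tcp|udp] MAPPED [MPORT] REAL [RPORT] netmask ..."""
    mapped: str
    real: str
    proto: Optional[str] = None   # None = one-to-one static covering every port
    mport: Optional[int] = None
    rport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst != self.mapped:
            return False
        return self.proto is None or (pkt.proto == self.proto and pkt.dport == self.mport)


@dataclass(frozen=True)
class Ace:
    """access-list NAME permit|deny PROTO SRC DST [eq PORT]  (networks in CIDR)"""
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def inbound(pkt: Packet, acl: Sequence[Ace], statics: Sequence[Static]) -> str:
    """Decide the fate of a packet arriving on the outside interface."""
    for ace in acl:
        if ace.matches(pkt):
            if ace.action == "deny":
                return "deny: explicit deny ACE"
            break
    else:
        # This is the 'Deny tcp src outside:... by access-group' log line.
        return "deny: no ACE matched (implicit deny at end of access-list)"
    for s in statics:
        if s.matches(pkt):
            return f"permit -> {s.real}/{s.rport or pkt.dport}"
    # ACL passed, but nothing translates the public address to an inside host.
    return "deny: no static translation for destination"


PUBLIC = "203.0.113.10"      # constructed stand-in for my.public.ip.addr
SERVER = "192.168.100.20"    # the Direct Connect host from the thread
STATIC_1412 = [
    Static(PUBLIC, SERVER, "tcp", 1412, 1412),
    Static(PUBLIC, SERVER, "udp", 1412, 1412),
]


def acl_for(host: str) -> list:
    """access-list outside permit tcp|udp any host HOST eq 1412"""
    return [Ace("permit", "tcp", "0.0.0.0/0", host + "/32", 1412),
            Ace("permit", "udp", "0.0.0.0/0", host + "/32", 1412)]


def dc_peer_connect(acl_host: str, statics=STATIC_1412, proto: str = "tcp") -> str:
    """Another DC user (constructed 198.51.100.7) opening a connection to port 1412."""
    pkt = Packet(proto, "198.51.100.7", 3099, PUBLIC, 1412)
    return inbound(pkt, acl_for(acl_host), statics)


if __name__ == "__main__":
    print("ACL on private address:", dc_peer_connect(SERVER))
    print("ACL on public address: ", dc_peer_connect(PUBLIC))
    print("ACL right, no static:  ", dc_peer_connect(PUBLIC, statics=[]))
```

The first case reproduces the "by access-group" deny from the original post: the ACE names 192.168.100.20, but the packet that the outside access-group sees is still addressed to the public IP. The caveat for anyone carrying this over to a newer platform: from ASA 8.3 onward the access-list is evaluated against the real (inside) address, so the same ACL that is wrong on a PIX 6.x is the right one there.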

  • VPN and port forwarding problem

    Hello

    I configured an IPsec VPN between 2 sites on Cisco 881-K9 routers.

    Server 'A', which has the address 192.168.0.X, must be reachable on ports 80, 8080 and 90 from the public network.

    I configured the port forwarding with the commands:

    ip nat inside source static tcp 192.168.0.X 90 interface FastEthernet4 90
    ip nat inside source static tcp 192.168.0.X 80 interface FastEthernet4 80
    ip nat inside source static tcp 192.168.0.X 8080 interface FastEthernet4 8080

    The server is reachable from the outside at the site where it is located.

    But there is a problem at the second site:

    • I can ping the server on its local address 192.168.0.X
    • But when I try to open a web page on port 80, 8080 or 90, the server appears unreachable

    It seems the problem is due to the port translation, because when I delete the port forwarding configuration there is no problem from the second site.

    Thanks for your help

    Hello

    You need conditional NAT.
    When you want port forwarding to work only for part of the traffic, e.g. for access to the server from the Internet
    but not for traffic arriving via the VPN, you can add a route-map at the end.

    So:
    ip nat inside source static tcp 192.168.0.X xx PUBLIC_IP xx route-map VPN

    The route-map tells the router when the NAT should take place.
    It will always take place, except when the traffic is coming from the VPN.

    Now... the problem is that you can only add a route-map when you have a port forwarding rule to an IP address (and not to an interface).

    Anyway, give it a try and let us know.

    Federico.
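The 871 answer earlier on this page and Federico's answer just above describe the same mechanism: on IOS a static port-forward entry is matched before the dynamic, list-based NAT entry, so the NAT-exemption ACL never gets a say, and the reply from the server towards the VPN peer is translated to the public address before the crypto map sees it. The following is an added example, not code from either thread or from Cisco: a Python model of that inside-to-outside path for the server's reply, with and without a route-map on the static entry. The addresses (server 192.168.0.10 for the thread's 192.168.0.X, public 203.0.113.2, remote VPN site 10.10.0.0/24, Internet client 198.51.100.7), the ACL names and the port 3389 are constructed; the modelled order of operations (static before dynamic, NAT before the crypto map, route-map ACL deciding whether a static entry applies) is the assumption the example rests on.

```python
"""Why a static port-forward breaks traffic to the same server over an IPsec
tunnel, and what a route-map on the static entry changes.

Added example, not code from the thread or from Cisco. Addresses, ACL names
and port numbers are constructed. Modelled IOS order of operations for
inside-to-outside packets: static NAT entries are checked before the dynamic
(list-based) entry, NAT happens before the crypto map is consulted, and a
static entry with a route-map only translates when the route-map's ACL
permits the packet."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple

LAN, REMOTE, PUBLIC_IP = "192.168.0.0/24", "10.10.0.0/24", "203.0.113.2"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str      # CIDR
    dst: str      # CIDR


def acl_lookup(acl: Sequence[Ace], pkt: Packet) -> str:
    for ace in acl:
        if ip_address(pkt.src) in ip_network(ace.src) and ip_address(pkt.dst) in ip_network(ace.dst):
            return ace.action
    return "deny"   # implicit deny at the end of every IOS ACL


@dataclass(frozen=True)
class StaticPat:
    """ip nat inside source static tcp LOCAL LPORT GLOBAL GPORT [route-map NAME]"""
    local: str
    lport: int
    glob: str
    gport: int
    route_map_acl: Optional[Sequence[Ace]] = None   # ACL behind the route-map; None = unconditional


@dataclass(frozen=True)
class DynamicOverload:
    """ip nat inside source list NAME interface ... overload"""
    acl: Sequence[Ace]
    glob: str


def nat_inside_to_outside(pkt: Packet, statics: Sequence[StaticPat], dyn: DynamicOverload) -> Tuple[Packet, str]:
    for s in statics:
        if (pkt.src, pkt.sport) == (s.local, s.lport):
            if s.route_map_acl is None or acl_lookup(s.route_map_acl, pkt) == "permit":
                return Packet(s.glob, s.gport, pkt.dst, pkt.dport), "static"
            # route-map denied the translation: fall through to the dynamic entry
    if acl_lookup(dyn.acl, pkt) == "permit":
        return Packet(dyn.glob, pkt.sport, pkt.dst, pkt.dport), "dynamic"   # PAT port kept for simplicity
    return pkt, "none"


def egress(pkt: Packet, crypto_acl: Sequence[Ace]) -> str:
    """After NAT the crypto map decides: matches the crypto ACL -> IPsec, otherwise clear text."""
    return "ipsec" if acl_lookup(crypto_acl, pkt) == "permit" else "clear"


# Constructed policy: the usual "deny LAN->REMOTE, permit LAN->any" NAT-exemption ACL,
# used both for the dynamic entry and as the ACL behind the route-map.
NONAT = (Ace("deny", LAN, REMOTE), Ace("permit", LAN, "0.0.0.0/0"))
CRYPTO_ACL = (Ace("permit", LAN, REMOTE),)


def reply_path(client_ip: str, use_route_map: bool) -> Tuple[str, str, str]:
    """Fate of the server's SYN/ACK towards a client: (source as sent, ipsec|clear, NAT entry used)."""
    static = StaticPat("192.168.0.10", 3389, PUBLIC_IP, 3389, NONAT if use_route_map else None)
    reply = Packet("192.168.0.10", 3389, client_ip, 50000)
    out, how = nat_inside_to_outside(reply, [static], DynamicOverload(NONAT, PUBLIC_IP))
    return f"{out.src}:{out.sport}", egress(out, CRYPTO_ACL), how


if __name__ == "__main__":
    for client, rm in (("10.10.0.5", False), ("10.10.0.5", True), ("198.51.100.7", True)):
        print(f"client {client:14} route-map={rm!s:5} ->", reply_path(client, rm))
```

Without the route-map the VPN client's connection is built inside, but the reply leaves as 203.0.113.2:3389 in the clear; the remote site never sees a packet from 192.168.0.10 and the session hangs, exactly the symptom in both threads. With the route-map the static entry is skipped for traffic to the remote site, the dynamic entry's ACL denies it as well, and the untranslated reply matches the crypto ACL. Traffic to the Internet is unaffected either way.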

  • Need help implementing a VPN to bypass port forwarding to access my web server

    Pretty much as the title suggests, but it's probably not clear enough. Let me explain:
    I want to host a website on my computer. Nothing major, just something small and private.

    Before I set up a domain name, I want to make sure the site works, which it does not.
    I am currently using WAMPServer to host it all.

    I set it up so that when I connect to localhost I have access to all my files in the directory, regardless of whether I'm "online" or "offline" in WAMPServer (i.e. whether or not others have access to my web page).

    When I put WAMPServer 'online', it allows connections to my WAMPServer homepage both through localhost and through the static IP address I set up, but only on the LAN, meaning that only computers connected to my home network have access to the page.

    My router cannot be configured for port forwarding, so I can't open a port to redirect to my computer rather than the ambiguous router itself. As an alternative, I downloaded Hamachi to allow a computer to connect to the VPN (Hamachi) and, by extension, to my IP to access the files in the directory.

    In theory it should work, but it didn't. Computers on my local network could still connect to the IP address, but the computer on the VPN but not on the local network could not.

    Is there something I'm missing here, or are there any suggestions to make this work?

    Note:
    My static IP works as it is; however, it is different from the IP address used in Hamachi. If I change the IP address my computer uses to access the site to the IP address that Hamachi uses, would that work? As another suggestion, can I change my static IP setting to automatic and change the one used in WAMPServer (from localhost, allowing the connection through) to the one in Hamachi? Or should I make all three IP addresses the same?

    Thanks for all the help and solutions,
    Elgo

    Domain/server/business questions are best addressed at TechNet. Answers is more consumer-oriented.

    http://social.technet.Microsoft.com/forums/en-us/categories/

  • Unable to do port forwarding, to connect to the VPN, or to install Windows updates

    First of all, I tried to launch a Minecraft server and tried to port forward. I had problems with this, so I tried Hamachi, which wouldn't connect to the VPN. Then I tried Tunngle; at least it was more useful, so I tried to use Device Manager to search for Tunngle. When trying to install it manually, it said that it could not, or "invalid" something (or something of the sort), then it said Windows may need to be updated to fix this problem, so I tried to update Windows and it will not update, it is stuck at 0%. I tried downloading the patch to update Windows and that has not helped. :( What do I do?

    Original title: Windows Update will not work, stuck at 0%

    Hello

    Thanks for posting your query in the Microsoft Community.

    Based on your problem description, troubleshooting establishing a VPN connection, I recommend that you post your question in the TechNet forums. TechNet is watched by other computing professionals who would be more likely to help you.

    TechNet Forum

    http://social.technet.Microsoft.com/forums/Windows/en-us/home?category=w8itpro

    Hope this information is useful.

  • NETGEAR ProSafe VPN Firewall SRXN3205 and port forwarding?

    Hi, this is a long shot, but I'm pulling my hair out at this point and may be a bit over my head, as I am new to networking.

    Short story: I have two servers. One is the NAS box (i.e. if I connect via the Internet to the site via the public IP from home, I get the site that says 'my shares', I enter login and password and get access to them).
    That is, everything is peachy.
    The problem is when I try to connect to my FileMaker Server: I can't, and instead it takes me to the NAS box login. So I think OK, I need to port forward (5003 for FileMaker) to go to a different PC on the local LAN (192. etc).

    Security > Firewall > Add Service, entering:
    Service: fmserver
    Action: Always allow
    Send to LAN Server: single address 192. etc, the one FileMaker is installed on (and different from the NAS)
    Port number definition: 5003 <-- is this right? How else would you indicate that you want all connections on this port to go to this specific LAN machine from the Internet instead of the default, which seems to be
    The rest is default; I click Apply.

    Here's what I don't understand. In the inbound services table (Security > Firewall) I have two local IPs in the list, one for the NAS, the other for FileMaker. But only the top one works and can be connected to. I can move either into the top position and it will work, but they will not work at the same time, just the one that sits at the top of the page :(

    And yes, I read the manual again and again and don't know how I'm screwing up the port forwarding at this point, even if, being brand new, it is probably something stupid :) (our work IT guy is gone, so I'm trying to get through this somehow)

    Any help would be appreciated.

    Hello sinieq,

    There is a hierarchy in the inbound services table, which is normal. I see 4 services added using "ANY" (ANY uses any port number); you will need to remove/disable these, because of the hierarchy rule on the table all other services will be ignored when ANY is used. What is the port number used by the NAS server? I don't see a port defined to access the NAS. Try disabling the services using "ANY" and try again by adding the translation for the NAS port number.

    Let us know what happens.

    Thank you

  • Setting up IPsec port forwarding to a Windows Server 2012 with an LRT224

    Hi all, I hope someone can help me validate my troubleshooting. I'm deploying a Windows Server 2012 that will serve as a VPN server for clients. In place is an LRT224 with 4 VLANs set up. I have enabled port forwarding for IPsec (UDP/500), L2TP (UDP/1701) and L2TP (UDP/4500) to go to the server.

    In my initial test, I put the LRT224 on the same network as my test client and had the test client (Windows 10) try to connect to the WAN interface of the LRT224. I get this message:

    Thinking it could be the server configuration, I then put the client system on the same VLAN as the server on the LRT224. When I tried to connect to it directly, using the server's IP address as the destination, it succeeded. That leads me to believe that it is the LRT224.

    I confirmed that VPN passthrough is enabled.

    The firmware version is: v1.0.5.03 (February 22, 2016 10:12:17)

    Currently the firewall is disabled (I will enable it once I have it working).

    If anyone has ideas or notices a fault in my testing, I would really appreciate the feedback.

    If additional information would be useful, please let me know what you want and I can work on getting it.

    Thanks to all in advance.

    FreeFallFour wrote:

    I then put the client system on the same VLAN as the server on the LRT224. When I tried to connect to it directly, using the server's IP address as the destination, it succeeded. That leads me to believe that it is the LRT224.

    That normally does not work as far as I know, because the VPN is an outside-in process. You should test the VPN connection from outside the server's IP subnet.

    Do you have the server configured as the DNS server in the router's DHCP, with DNS proxy disabled?

    Are you doing Internet connection load balancing?

  • WAG160Nv2 v2.00.21 port forwarding

    Hello, my problem is that I was not able to set up port forwarding.

    WAG160Nv2 firmware V2.00.21 (I think it is Annex A)

    Configuration:

    • Single port forwarding: all OFF
    • Port range forwarding: 40000 to 54000, both protocols, to the PC's IP
    • The PC connects with the static IP 192.168.1.100, below where the router's DHCP server range starts
    • Port range triggering: all OFF
    • QoS (Quality of Service): all OFF
    • DMZ: OFF
    • Access restrictions: disabled
    • SPI firewall / filters / block WAN requests: all OFF
    • VPN passthrough: OFF
    • AP isolation: OFF
    • NAT: ON
    • RIP: disabled
    • UPnP: OFF (I tried it in combination with ALG)
    • IGMP proxy: OFF
    • SIP ALG: OFF (I tried it in combination with UPnP)
    • I already pressed reset for a long time after the firmware update and lost all the settings (how many seconds do I have to press it? I must have tried 30+). Factory defaults did the same thing?

    How I checked:

    • Transmission (torrent program): "use UPnP or NAT-PMP on router" is DISABLED, port = 40101, the port test shows closed
    • nmap -p 40000-54000 -T4 -A -v 192.168.1.1, which gives "... All 14001 scanned ports on 192.168.1.1 are closed ..."
    • EDIT: also checked http://www.canyouseeme.org/ AND http://www.portchecktool.com/
    • EDIT: ran netstat -lnp | grep 40101 on my PC:
      tcp 0 0 0.0.0.0:40101 0.0.0.0:* LISTEN 26429/transmission
      tcp6 0 0 :::40101 :::* LISTEN 26429/transmission

    Thank you very much in advance

    What is your Internet IP address, tsester? I think there is a double NAT on your network. If you get a private IP address, I suggest you contact your ISP and have your current subscription changed to full bridge mode. Then configure the router again based on the new settings and see if that solves the problem.

  • Port forwarding for file sharing over the Internet

    I am trying to determine which port numbers I need to forward on my router (in "virtual server") to be able to share my NAS files over the Internet with my friends. I want to use file sharing and have set up DDNS on the NAS with a client account for my dynamic IP address, but cannot work out the correct port numbers to be able to configure port forwarding. Can anyone help?

    Hello

    Opening sharing ports that are used on a local area network to the Internet is a big safety hazard.

    There are secure applications built for this purpose; they use their own ports and are generally safe (such as VPN or SSH).

    A free, quick, simple way is sharing through a secure FTP server. http://FileZilla-project.org/

    An elegant way is a gateway application like this: http://download.cnet.com/WebDrive/3000-2160_4-10017919.html

    In general: http://www.practicallynetworked.com/howto/fileshare/fileshare_intro.htm

    Jack - MVP Windows Networking. WWW.EZLAN.NET

  • SRP527w site-to-site port forwarding issue

    Hello

    I have a problem setting up port forwarding over the VPN between two Cisco SRP527w units.

    Scenario: we have a site-to-site VPN tunnel between Site A and Site B; a printer behind Site B must be reachable using the WAN IP address of Site A.

    As in the picture above:

    - From Site A, I am able to ping the printer and access it locally and via 120.146.x.x, with port forwarding set up on Site A to the printer.

    - From Site B, I am able to ping the Site A gateway but not able to access the printer through 120.146.x.x. The printer can be accessed via 129.203.x.x if port forwarding is configured on Site B to the printer.

    Does the Cisco SRP 527w support port forwarding over the site-to-site VPN from Site A to the Site B printer?

    Are there any suggestions or another solution for this scenario?

    Some help would be very much appreciated.

    Kind regards

    Thai

    Hi Thai,

    I'm not entirely sure; I think that with an IOS-based router, for example the 800 series, you could do it with the proper setup.

    I would say that remote access to a printer or a server like this is perhaps not the most secure solution, however. A better approach would be to use a router that supports both site-to-site and remote-access VPN. With this, you would be able to use a VPN client to access the site with the static IP address, then tunnel to the other site where the device is. You might consider the RV series devices as well as IOS routers for that.

    Kind regards

    Andy

  • Static port forwarding on PIX 501

    Hello!

    I have really made an effort to make this work, but without success.

    What I'm trying to do is port forwarding on TCP 4899. I searched forums, read articles and the manual, but it doesn't really work.

    Topology: ISP - DSL modem - PIX - LAN

    Here is my config, the 'best' working version from my point of view.

    : Saved
    :
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxx
    passwd xxx
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    access-list 101 permit tcp any host xx.xx.xx.245 eq 4899
    pager lines 24
    logging console informational
    mtu outside 1500
    mtu inside 1500
    ip address outside xx.xx.xx.244 255.255.255.240
    ip address inside 192.168.29.91 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 xx.xx.xx.245
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp xx.xx.xx.245 4899 192.168.29.4 4899 netmask 255.255.255.255 0 0
    access-group 101 in interface outside
    route outside 0.0.0.0 0.0.0.0 xx.xx.xx.241 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.29.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.29.92-192.168.29.123 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:xxxx
    : end

    Here is a log of what happens when I try to establish a connection.

    609001: Built local-host inside:192.168.29.4

    305011: Built static TCP translation from inside:192.168.29.4/4899 to outside:xx.xx.xx.245/4899

    302013: Built inbound TCP connection 582 for outside:yy.yy.yy.51/3289 (yy.yy.yy.51/3289) to inside:192.168.29.4/4899 (xx.xx.xx.245/4899)

    302014: Teardown TCP connection 582 for outside:yy.yy.yy.51/3289 to inside:192.168.29.4/4899 duration 0:02:01 bytes 0 SYN Timeout

    305012: Teardown static TCP translation from inside:192.168.29.4/4899 to outside:xx.xx.xx.245/4899 duration 0:02:15

    And IMO it looks as it should? But no data flows.

    Thank you! Peter

    Are you sure the service is running on 192.168.29.4? "bytes 0 SYN Timeout" reveals that no response was sent from inside.

    After you added the static statement, did you do a clear xlate or restart the PIX to reset the translation slot table? (clear xlate is preferred, but naturally a reboot will also wipe the table.)
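The reply above reads the firewall's own log correctly: a 302013 "Built inbound" line means the ACL and the static translation both did their job, and a 302014 teardown with "bytes 0 SYN Timeout" means the SYN was delivered inside and nothing ever came back. The following is an added example, not code from the thread: a small Python triage script that pairs 302013 and 302014 lines by connection ID and turns the teardown reason into a verdict. The log lines in it are constructed to mirror the thread's (203.0.113.45 stands in for xx.xx.xx.245, 198.51.100.51 for yy.yy.yy.51), and the regular expressions follow the PIX 6.x message formats shown above, with an optional %PIX-6- prefix accepted.

```python
"""Triage of PIX/ASA 302013/302014 TCP connection logs: pair each Built with
its Teardown and say what the teardown reason implies for a port-forward test.

Added example, not from the thread. The log lines below are constructed to
mirror the thread's; message formats are the PIX 6.x ones shown there."""

import re
from typing import Dict

BUILT = re.compile(
    r"(?:%PIX-\d-)?302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \((?P<msrc>[\d.]+)/(?P<msport>\d+)\) to "
    r"(?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<mdst>[\d.]+)/(?P<mdport>\d+)\)")
TEARDOWN = re.compile(
    r"(?:%PIX-\d-)?302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$")


def verdict(reason: str, nbytes: int) -> str:
    """Map a teardown reason to what it says about the inside host."""
    if reason.startswith("SYN Timeout") and nbytes == 0:
        # The firewall built the connection and forwarded the SYN inside; nothing came back:
        # service not listening, host firewall, or the host's default gateway is not the PIX.
        return "NO_REPLY_FROM_INSIDE"
    if reason.startswith("TCP Reset-I"):
        return "INSIDE_HOST_REFUSED"     # host answered with RST: reachable, port closed
    if reason.startswith("TCP Reset-O"):
        return "OUTSIDE_HOST_RESET"
    if nbytes > 0:
        return "DATA_FLOWED"
    return "OTHER:" + reason


def triage(log: str) -> Dict[int, dict]:
    """Return one record per connection ID, merging the Built and Teardown facts."""
    conns: Dict[int, dict] = {}
    for line in log.splitlines():
        m = BUILT.search(line)
        if m:
            conns[int(m["id"])] = {
                "dir": m["dir"],
                "src": f'{m["src"]}/{m["sport"]}',
                "real_dst": f'{m["dst"]}/{m["dport"]}',
                "mapped_dst": f'{m["mdst"]}/{m["mdport"]}',
                # real != mapped proves the static translation was applied
                "translated": m["dst"] != m["mdst"],
            }
            continue
        m = TEARDOWN.search(line)
        if m:
            c = conns.setdefault(int(m["id"]), {})
            c.update(bytes=int(m["bytes"]), duration=m["dur"], reason=m["reason"],
                     verdict=verdict(m["reason"], int(m["bytes"])))
    return conns


# Constructed sample, modelled on the thread: one hung attempt, one refused, one that worked.
SAMPLE_LOG = """\
305011: Built static TCP translation from inside:192.168.29.4/4899 to outside:203.0.113.45/4899
302013: Built inbound TCP connection 582 for outside:198.51.100.51/3289 (198.51.100.51/3289) to inside:192.168.29.4/4899 (203.0.113.45/4899)
302014: Teardown TCP connection 582 for outside:198.51.100.51/3289 to inside:192.168.29.4/4899 duration 0:02:01 bytes 0 SYN Timeout
302013: Built inbound TCP connection 583 for outside:198.51.100.51/3301 (198.51.100.51/3301) to inside:192.168.29.4/4899 (203.0.113.45/4899)
302014: Teardown TCP connection 583 for outside:198.51.100.51/3301 to inside:192.168.29.4/4899 duration 0:00:00 bytes 0 TCP Reset-I
302013: Built inbound TCP connection 584 for outside:198.51.100.51/3305 (198.51.100.51/3305) to inside:192.168.29.4/4899 (203.0.113.45/4899)
302014: Teardown TCP connection 584 for outside:198.51.100.51/3305 to inside:192.168.29.4/4899 duration 0:00:12 bytes 4821 TCP FINs
"""

if __name__ == "__main__":
    for cid, c in triage(SAMPLE_LOG).items():
        print(cid, c.get("mapped_dst"), "->", c.get("real_dst"), "|", c.get("reason"), "|", c["verdict"])
```

The useful distinction for a port-forward test is between NO_REPLY_FROM_INSIDE and INSIDE_HOST_REFUSED: a reset from the inside host shows that routing through the firewall works and only the service is missing, whereas a SYN timeout with zero bytes leaves host firewall and a wrong default gateway on the host as candidates too, so the next check belongs on 192.168.29.4, not on the PIX.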
