# PIX 515E Forwarding



## ipfreely24 (Apr 22, 2014)

I am trying to access my camera DVR from outside my network. I have set static and access-list rules and cannot connect. Can I get some assistance? PIX version 6.3(5)

Below is the current config from before I made changes. I would like to access an internal IP on ports 8200, 8016, 10019 and 8116. 

I would like you to know that I am new at this location and this system has been untouched for roughly 9 years. I have a side question for setting an IP as static from this PIX also.


```
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security90
nameif ethernet3 dmz2 security80
nameif ethernet4 dmz3 security70
nameif ethernet5 dmz4 security60
enable password encrypted
passwd encrypted
hostname xxxx-PIX
domain-name xxxx.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.5.41.209 NTP2.USNO.NAVY.MIL
name 192.168.3.254 AIRONET
name xxx.xxx.xxx.xxx SITE1
name xxx.xxx.xxx.xxx SITE2
access-list mgmt-vpn-client permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list mgmt-vpn-client permit ip host AIRONET 172.16.1.0 255.255.255.0
access-list inside_in permit tcp 192.168.1.0 255.255.255.0 host AIRONET eq ssh
access-list inside_in permit tcp 192.168.1.0 255.255.255.0 host AIRONET eq 8080
access-list inside_in deny ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_in permit ip any any
access-list dmz2_in deny ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz2_in permit ip any any
access-list no-nat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list no-nat permit ip host AIRONET 172.16.1.0 255.255.255.0
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
pager lines 24
icmp deny any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu dmz3 1500
mtu dmz4 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip address dmz1 192.168.2.1 255.255.255.0
ip address dmz2 192.168.3.1 255.255.255.0
ip address dmz3 192.168.4.1 255.255.255.0
ip address dmz4 192.168.5.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz1
ip verify reverse-path interface dmz2
ip verify reverse-path interface dmz3
ip verify reverse-path interface dmz4
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip local pool VPN-CLIENTS 172.16.1.1-172.16.1.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz1
no failover ip address dmz2
no failover ip address dmz3
no failover ip address dmz4
no pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz1) 1 interface
global (dmz2) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (dmz2) 0 access-list no-nat
nat (dmz2) 1 192.168.3.0 255.255.255.0 0 0
access-group outside_in in interface outside
access-group inside_in in interface inside
access-group dmz2_in in interface dmz2
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:05:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:05:00
timeout sip-disconnect 0:05:00 sip-invite 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.1.5 53cuR3dNetW0rk5 timeout 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
ntp server NTP2.USNO.NAVY.MIL source outside prefer
snmp-server location
snmp-server contact
snmp-server community
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
service resetinbound
service resetoutside
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map VPN-CLIENT-MAP 10 set pfs group2
crypto dynamic-map VPN-CLIENT-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 100 ipsec-isakmp dynamic VPN-CLIENT-MAP
crypto map OUTSIDE-MAP client authentication LOCAL
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup MGMT address-pool VPN-CLIENTS
vpngroup MGMT dns-server 192.168.1.5
vpngroup MGMT wins-server 192.168.1.5
vpngroup MGMT default-domain xxxxx.com
vpngroup MGMT split-tunnel mgmt-vpn-client
vpngroup MGMT pfs
vpngroup MGMT idle-time 86400
vpngroup MGMT password ********
telnet timeout 2
ssh SITE1 255.255.255.255 outside
ssh SITE2 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 20
management-access inside
console timeout 2
dhcpd address 192.168.1.10-192.168.1.99 inside
dhcpd address 192.168.3.101-192.168.3.199 dmz2
dhcpd dns 24.25.5.60 24.25.5.61
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
dhcpd enable dmz2
username admin encrypted privilege 15
username site encrypted privilege 15
terminal width 80
banner exec * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
banner exec *  *
banner exec * [WARNING] XXXX-PIX *
: end
XXXX-PIX#
```
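Added example, not part of the original post: on PIX 6.3 an inbound port forward needs both a `static` port redirection and a matching `permit` in the ACL bound to the outside interface (`outside_in` here), and this Python check reports which of the four requested ports have each. The DVR address `192.168.1.200` and the `SAMPLE` lines are constructed for illustration; the posted config contains neither.

```python
import re

WANTED_PORTS = (8200, 8016, 10019, 8116)  # ports named in the post
DVR_IP = "192.168.1.200"  # hypothetical DVR address; the post does not give one

# Constructed candidate lines in PIX 6.3 syntax, not the poster's config.
# On purpose: 8116 has a static but no ACL entry, 10019 has neither,
# and 8016 is permitted from "any" instead of a named site.
SAMPLE = """\
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit tcp host SITE1 interface outside eq 8200
access-list outside_in permit tcp any interface outside eq 8016
static (inside,outside) tcp interface 8200 192.168.1.200 8200 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8016 192.168.1.200 8016 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8116 192.168.1.200 8116 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
"""

STATIC_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) (\d+) (\S+) \d+\b")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp (any|host \S+|\S+ \S+) "
                    r"(?:interface outside|host (\S+)) eq (\d+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")


def audit(config, ports=WANTED_PORTS, dvr=DVR_IP):
    """Per port: is there a static PAT to the DVR, and does the ACL bound
    inbound on the outside interface permit TCP to that translated address?"""
    statics, permits, bound = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            if m.group(3) == dvr:
                statics[int(m.group(2))] = m.group(1)  # global port -> global addr
        elif m := ACL_RE.match(line):
            dest = m.group(3) or "interface"
            permits[(m.group(1), dest, int(m.group(4)))] = m.group(2)
        elif m := GROUP_RE.match(line):
            bound = m.group(1)
    report = {}
    for port in ports:
        src = permits.get((bound, statics.get(port), port))
        report[port] = {"static": port in statics, "acl": src is not None,
                        "from_any": src == "any"}
    return report


if __name__ == "__main__":
    for port, result in audit(SAMPLE).items():
        print(port, result)
```

The `from_any` flag marks forwards reachable from every source address rather than from a named host such as the `SITE1` entry the config already defines.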


----------

