Pix --->Port address translation???

Does anyone know what command to use to actually translate the external port to an internal IP??

Pix 501

Thanks in advance!!
 
I may have answered my own question......
access-list outside_access_in permit tcp any host "internal_IP" eq pcanywhere-data ??? Is this correct?
 
That is correct, then you have to define the port.

Like this, for example, but replace it with the port # that you want to forward..

static (inside,outside) tcp interface 255.255.255.255.


This command defines the use of the IP that is given by dhcp to the outside interface..


BuckWeet

substitute "interface" if you have a specific global IP...
 
thx!

Where Do I stick the external IP if it is static??
 
Sorry to be a pain in the @ss but this is what my config looks like .....
access-list outside_access_in permit tcp any host 192.168.1.5 eq pop3
access-list outside_access_in permit tcp any host 192.168.1.2 eq 3389
etc.
......
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.2 pop3 netmask 255.255.255.255 0 0
What's wrong with this?????????
 
Well it looks fine, did you make sure you applied the access-list to the interface??

access-group outside_access_in in interface outside

Also, enable console debugging, then try to access those services; it will tell you some info on why it's not working..

BuckWeet


 
Thanks ...I don't think I had that line in my config ...I will add it and let you know what happens.
 
This is my complete config...I cannot even access the internet... This config looks completely OK to me from comparing it to others on my network...maybe I have been looking at it too long...Any help is greatly appreciated!!!

Result of PIX command: "sh conf"

: Saved
: Written by enable_15 at 12:30:41.933 UTC Mon Apr 28 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname MYpix
domain-name MYdomainame.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host "MY Static IP" eq 5632
access-list outside_access_in permit tcp any host "MY Static IP" eq 3389
access-list outside_access_in permit tcp any host "MY Static IP" eq www
access-list outside_access_in permit tcp any host "MY Static IP" eq pcanywhere-data
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit icmp any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any echo-reply outside
icmp permit any router-solicitation outside
icmp permit any router-solicitation inside
mtu outside 1500
mtu inside 1500
ip address outside "MY Static IP" 255.255.255.128
ip address inside 192.168.123.11 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.123.70 255.255.255.255 inside
pdm location 192.168.123.4 255.255.255.255 inside
pdm logging debugging 512
pdm history enable
arp timeout 14400
global (outside) 10 interface
static (inside,outside) "MY Static IP" 192.168.1.5 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 "MY Gateway" 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.123.70 255.255.255.255 inside
http 192.168.123.77 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd dns 216.16.226.9
terminal width 80
Cryptochecksum:5affdf78efb82556ff26f07a5a635cec

 
no static (inside,outside) "MY Static IP" 192.168.1.5 netmask 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

When you do the static, you'll need to do it by the port since you only have one IP like BuckWeet suggested.
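As an added example (not from the thread or from Cisco), here is a small Python checker for the three things this thread turned on in a PIX 6.x-style config: a global with no matching nat (no outbound PAT, so no internet), an access-list that is never applied with access-group, and a static whose inside target is not on any inside network. The sample config is constructed from the lines posted above, with 203.0.113.10 standing in for "MY Static IP".

```python
import ipaddress

def lint_pix(config: str) -> list[str]:
    """Findings for a PIX 6.x-style config: unmatched global, unapplied ACL, unreachable static."""
    global_ids, nat_ids, acl_names, applied, inside_nets, statics = set(), set(), set(), set(), [], []
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "global":                      # global (outside) 10 interface
            global_ids.add(t[2])
        elif t[0] == "nat":                       # nat (inside) 10 0.0.0.0 0.0.0.0 0 0
            nat_ids.add(t[2])
        elif t[0] == "access-list":
            acl_names.add(t[1])
        elif t[0] == "access-group":              # access-group NAME in interface IF
            applied.add(t[1])
        elif t[:2] == ["ip", "address"] and t[2] != "outside":
            inside_nets.append(ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False))
        elif t[0] == "route" and t[1] != "outside":   # static routes behind the inside
            inside_nets.append(ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False))
        elif t[0] == "static" and "netmask" in t:
            n = t.index("netmask")
            # port PAT form: static (in,out) tcp <global> <gport> <local> <lport> netmask ...
            # one-to-one form: static (in,out) <global> <local> netmask ...
            local = t[n - 2] if t[2] in ("tcp", "udp") else t[n - 1]
            statics.append((line, ipaddress.ip_address(local)))
    findings = []
    for gid in sorted(global_ids - nat_ids):   # nat id must equal the global id to take effect
        findings.append(f"global id {gid} has no matching nat: inside hosts get no outbound PAT")
    for name in sorted(acl_names - applied):
        findings.append(f"access-list {name} is never applied with access-group")
    for line, local in statics:
        if not any(local in net for net in inside_nets):
            findings.append(f"static target {local} is not on any inside network: {line}")
    return findings

# Constructed sample modelled on the thread's config; 203.0.113.10 stands in for "MY Static IP".
BROKEN = """\
access-list outside_access_in permit tcp any host 203.0.113.10 eq 3389
ip address outside 203.0.113.10 255.255.255.128
ip address inside 192.168.123.11 255.255.255.0
global (outside) 10 interface
static (inside,outside) 203.0.113.10 192.168.1.5 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""
# Corrected: per-port static PAT on the interface address, matching nat id, ACL applied.
FIXED = BROKEN.replace("static (inside,outside) 203.0.113.10 192.168.1.5",
                       "static (inside,outside) tcp interface 3389 192.168.123.2 3389") \
    + "nat (inside) 10 0.0.0.0 0.0.0.0 0 0\naccess-group outside_access_in in interface outside\n"
```

Run `lint_pix(BROKEN)` to see the three findings and `lint_pix(FIXED)` to confirm an empty list.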
 
Thanks so much...You both made my first PIX config a breeze! ...This is also the first time I've used a forum for anything.... now that I know the value I wish I could go back and ask for help for all the jobs I've sweated out and learned on the fly!!

I've successfully set up the PIX..next time is a breeze!
Not that it is a big feat but you gotta start somewhere right?
 
Cool

no prob, I learned the PIX the same way, trial and error. I am still learning it as well.

BuckWeet
 
Yeah now that I got it up with a basic config...I can work on actually locking it down..I know there is a web interface where you can point and click, but that is too microsoft for me..I like to know how stuff works!

Once again thanks.
 