PIX opening (or forwarding) ports for remote ip

metalcoat (Technical User, US), Aug 20, 2007
I have a Cisco PIX firewall that is currently running 5 external IPs, and everything is working perfectly. Here is the problem:

We just installed a new device which needs TCP port 990 and the range 28000-28500 opened up to connect to their server. They list which IPs to allow, of which there are 3, all needing the same configuration. The external_pix_ip below is the outside IP of the router, which connects to a switch and then to the DNS server, with workstation_ip residing in there. For now I will say that the workstation_ip is static.

A company has quoted us a $600 price tag to do this, which to me sounds ridiculous. Below I have listed the lines I plan to add, I want to make sure this would work. Thank you to anyone who would respond.

Code:
access-list outside-inbound permit tcp host outside_ip1 host external_pix_ip eq 990
access-list outside-inbound permit tcp host outside_ip2 host external_pix_ip eq 990
access-list outside-inbound permit tcp host outside_ip3 host external_pix_ip eq 990

access-list outside-inbound permit tcp host outside_ip1 host external_pix_ip range 28000 28500
access-list outside-inbound permit tcp host outside_ip2 host external_pix_ip range 28000 28500
access-list outside-inbound permit tcp host outside_ip3 host external_pix_ip range 28000 28500


static (inside,outside) tcp external_pix_ip 990 workstation_ip 990 netmask 255.255.255.255 0 0
static (inside,outside) tcp external_pix_ip 28000-28500 workstation_ip 28000-28500 netmask 255.255.255.255 0 0
 
static (inside,outside) tcp external_pix_ip 990 workstation_ip 990 netmask 255.255.255.255 0 0

static (inside,outside) tcp external_pix_ip 28000-28500 workstation_ip 28000-28500 netmask 255.255.255.255 0 0


Statics only support a port to port mapping, not a range of ports. If you have 5 static IP addresses you should use one of them and just merely

static (inside,outside) y.y.y.y workstation_ip netmask 255.255.255.255

access-list outside-inbound permit tcp host outside_ip1 host y.y.y.y eq 990
access-list outside-inbound permit tcp host outside_ip2 host y.y.y.y eq 990
access-list outside-inbound permit tcp host outside_ip3 host y.y.y.y eq 990

access-list outside-inbound permit tcp host outside_ip1 host y.y.y.y range 28000 28500
access-list outside-inbound permit tcp host outside_ip2 host y.y.y.y range 28000 28500
access-list outside-inbound permit tcp host outside_ip3 host y.y.y.y range 28000 28500
 
I probably should have mentioned all five are used.
Terminal Server
Application Server
Webserver
Cisco Pix - this is the one I planned on using
Test

The three outside IPs (other company) are the only ones I want to use that port. Could I still do that without dedicating an external IP?
 
I am unaware of any way to use static PAT to translate a range of IP addresses. Couldn't you change the IP addresses for your other servers? I would use 1 IP address and then forward ports 80, 3389, and whatever ports you need for the app server to the corresponding inside addresses.
 
I guess I should have clarified better, I want to do this with minimal change. Re-addressing the IPs at this time is not an option.

The range of IPs shouldn't be a big deal, since I could basically copy the commands and change the IP for each command, right?
 
I didn't necessarily mean it like that. I meant the external IPs (from a different company) that I can copy; adding 500 commands by hand is not only ridiculous but impractical.
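As an added example (not from any poster in this thread), a small Python generator for the per-port approach the thread converges on: since a PIX 6.x `static` maps one port at a time, it emits one static PAT line per port in 28000-28500 plus port 990, and the matching `access-list` entries that permit only the three listed source hosts. All addresses, the `build_config` and helper names, and the `access-group` binding line are assumptions, not anything from the thread.

```python
"""Generate PIX 6.x static PAT and source-restricted ACL lines.

A `static` takes a single port, so forwarding a 501-port range to one
inside host means 501 separate statics. Generating them also keeps the
ACL scoped to the three permitted source hosts rather than `any`.
All addresses below are constructed placeholders (RFC 5737 ranges).
"""
from ipaddress import ip_address

ACL_NAME = "outside-inbound"


def static_pat_lines(global_ip, local_ip, ports, proto="tcp"):
    """One `static` per port: global_ip:port -> local_ip:port."""
    ip_address(global_ip)          # raises ValueError on a typo
    ip_address(local_ip)
    lines = []
    for p in ports:
        if not 1 <= p <= 65535:
            raise ValueError(f"port {p} out of range")
        lines.append(f"static (inside,outside) {proto} {global_ip} {p} "
                     f"{local_ip} {p} netmask 255.255.255.255 0 0")
    return lines


def acl_lines(acl, sources, dest_ip, port_specs, proto="tcp"):
    """Permit only the listed source hosts to reach dest_ip.
    port_specs: an int becomes `eq N`, a (low, high) tuple `range low high`."""
    lines = []
    for src in sources:
        ip_address(src)
        for spec in port_specs:
            op = f"range {spec[0]} {spec[1]}" if isinstance(spec, tuple) \
                else f"eq {spec}"
            lines.append(f"access-list {acl} permit {proto} "
                         f"host {src} host {dest_ip} {op}")
    return lines


def build_config(global_ip, local_ip, sources):
    ports = [990] + list(range(28000, 28501))            # 502 statics
    cfg = static_pat_lines(global_ip, local_ip, ports)
    cfg += acl_lines(ACL_NAME, sources, global_ip, [990, (28000, 28500)])
    # An ACL filters nothing until bound; re-issuing the binding is harmless.
    cfg.append(f"access-group {ACL_NAME} in interface outside")
    return cfg


if __name__ == "__main__":
    print("\n".join(build_config("203.0.113.10", "192.168.1.20",
                                 ["198.51.100.1", "198.51.100.2",
                                  "198.51.100.3"])))
```

Paste the output into configure mode and confirm with `show static` and `show access-list` that the statics and hit counters appear as expected.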
 