Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Pix Port Forward

Status
Not open for further replies.
Ztrek7

Ztrek7

IS-IT--Management
Mar 12, 2004
100
US
I have searched the forum for pix port forward, and can't find anything useful. My question, I have a 501 configured for DHCP for outside address. It is cable, so it rarley changes. I just need to forward port 22 and another port range to a specific IP inside. I thought the commands were:

access-list 200 permit tcp any host xxx.xxx.xxx.xxx range 15425 15427
access-list 200 permit udp any host xxx.xxx.xxx.xxx range 2074 2093
access-list 200 permit tcp any host xxx.xxx.xxx.xxx eq 22
access-list 200 permit udp any host xxx.xxx.xxx.xxx eq 22
static (inside,outside) xxx.xxx.xxx.xxx 192.168.1.211 netmask 255.255.255.255 0 0
access-group 200 in interface outside


But these commands break my current setup. Of course, xxx.xxx.xxx.xxx is my external IP.
 
Sort by date Sort by votes
To do a port redirection with one Public IP you need two things:
1. Access-list
2. Static statment

Use the static statment to redirect the port from the pub IP to the priv IP:
Code: 
static (inside,outside) tcp interface 22 192.168.1.211 22 netmask 255.255.255.255 0 0

Use a Access-list to allow the traffic to that port:
Code: 
access-list 100 permit tcp any any eq 22
access-group 100 in interface outside

You cannot do port ranges with this, so you will either need to configure your application to work on specific ports or manually enter static’s for each port


MITS_Sig.gif
 
Upvote 0 Downvote
Thanks for your help!

I have like 25 ports to forward, with this being "High End Cisco" equipment, I find it hard to believe(depending on what day you talk to me) that there is not a way to do a port range forward.

Anyone have ideas?

I will put the above to work, but, I hate doing something the long or hard way when there is probably a command to do it with a single line.

But, I appreciate your help br0ck, thank you.

-Jeremy
 
Upvote 0 Downvote
In my opinion port redirection is a cost effective work around for not having sufficient static ip’s(or any at all). Don’t get me wrong I have to do it all the time and there is a cost $avings. But having the static ip to map out to will allow you to utilize the access-list port range option.

So you have any way of controlling port usage on the service/ app you are publishing?


MITS_Sig.gif
 
Upvote 0 Downvote
We have just switched to a cable modem, and, they offer 1 IP that is not static. We get 6 timmes the download and same upload, but, at the cost of 1 IP, we used to have 5.

If by controlling port usage on the service/app you mean only allow so much traffic, no, not on that particular app. It is hardly ever used, but used enough for me to get complaints.

I don't believe their is a mechanism in the pix to achieve this, but, may be wrong.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

XLNTech1
  • Locked
  • Question
iptables port forwarding
Replies
0
Views
698
XLNTech1
XLNTech1
xwray
  • Locked
  • Question
PIX 501 DHCP Server function
Replies
0
Views
217
xwray
xwray
Impersonator
  • Locked
  • Question
UDP Hacking port 53
Replies
1
Views
377
RodneyMcSnow
RodneyMcSnow
brownmab53
  • Locked
  • Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
266
brownmab53
brownmab53
RMurr34
  • Locked
  • Question
ASA Config - Open port 3389 for all IPs
Replies
1
Views
332
iggsterman
iggsterman

Part and Inventory Search

Sponsor

Back
Top