PIX 501 Incoming rule creation



Hi-

I'm trying to create some inbound access rules on an old Pix 505 (Cisco PIX 
Firewall Version 6.3(3) Cisco PIX Device Manager Version 3.0(1), yes, all 
ancient).

I don't work on PIXes very often, but when I add an inbound rule permitting 
traffic, the PIX prompts me that:

"No static Network Address Translation (NAT) rule is configured for the 
destination host or network on interface outside.  Would you like to add a 
static NAT rule for the host or network now?"

What exactly do I have to add?  I'm basically trying to map connections to 
port 4444, 4445, and 4446 to three internal servers (server 1 4444, 2 4445, 
etc) using the same outside (public) IP address.

They have 4 public IPs, two are 1:1 NAT mapped to two other servers and 
client traffic is mapped to a third and the PIX external IP isn't used for 
anything.

Thanks for any help.
0
Reply mobocracy (3) 1/22/2008 8:54:28 PM

In article <13pcm05pnul4h0f@corp.supernews.com>,
Howard Beale  <mobocracy@gmail.com> wrote:
>I'm trying to create some inbound access rules on an old Pix 505

There was no PIX 505. On the other hand, your Subject says 501 which
does exist and is still sold.

>(Cisco PIX 
>Firewall Version 6.3(3) Cisco PIX Device Manager Version 3.0(1), yes, all 
>ancient).

Not so ancient; the latest OS for that is one of the 6.3(5) versions.
If the system owners are the registered owners of the PIX, they
are entitled to a free upgrade to the latest 6.3(5) for the security
fixes.


>I don't work on PIXes very often, but when I add an inbound rule permitting 
>traffic, the PIX prompts me that:

>"No static Network Address Translation (NAT) rule is configured for the 
>destination host or network on interface outside.  Would you like to add a 
>static NAT rule for the host or network now?"

>What exactly do I have to add?  I'm basically trying to map connections to 
>port 4444, 4445, and 4446 to three internal servers (server 1 4444, 2 4445, 
>etc) using the same outside (public) IP address.

>They have 4 public IPs, two are 1:1 NAT mapped to two other servers and 
>client traffic is mapped to a third and the PIX external IP isn't used for 
>anything.

static (inside,outside) tcp host PUBLICIP 4444 host SERVER1IP 4444
static (inside,outside) tcp host PUBLICIP 4445 host SERVER2IP 4445
static (inside,outside) tcp host PUBLICIP 4446 host SERVER3IP 4446

and your access-list would look like

access-list out2in permit tcp any host PUBLICIP range 4444 4446


Note: the syntax would be slightly different if you were using
the PIX outside IP as the destination IP for this traffic.
0
Reply roberson 1/22/2008 9:01:50 PM


Walter Roberson wrote:
> There was no PIX 505. On the other hand, your Subject says 501 which
> does exist and is still sold.

Whoops, sorry.  I'm sure there's another 505 something on my mind.

> Not so ancient; the latest OS for that is one of the 6.3(5) versions.

Thanks, I'll check into that.

> static (inside,outside) tcp host PUBLICIP 4444 host SERVER1IP 4444
> static (inside,outside) tcp host PUBLICIP 4445 host SERVER2IP 4445
> static (inside,outside) tcp host PUBLICIP 4446 host SERVER3IP 4446
> 
> and your access-list would look like
> 
> access-list out2in permit tcp any host PUBLICIP range 4444 4446
> 
> 
> Note: the syntax would be slightly different if you were using
> the PIX outside IP as the destination IP for this traffic.

Can you tell me what that syntax would look like?

Thanks!
0
Reply Howard 1/22/2008 9:12:53 PM

In article <13pcn2ltncjjc80@corp.supernews.com>,
Howard Beale  <mobocracy@gmail.com> wrote:
>Walter Roberson wrote:

>> static (inside,outside) tcp host PUBLICIP 4444 host SERVER1IP 4444
>> static (inside,outside) tcp host PUBLICIP 4445 host SERVER2IP 4445
>> static (inside,outside) tcp host PUBLICIP 4446 host SERVER3IP 4446

>> access-list out2in permit tcp any host PUBLICIP range 4444 4446

>> Note: the syntax would be slightly different if you were using
>> the PIX outside IP as the destination IP for this traffic.

>Can you tell me what that syntax would look like?

static (inside,outside) tcp interface 4444 host SERVER1IP 4444
static (inside,outside) tcp interface 4445 host SERVER2IP 4445
static (inside,outside) tcp interface 4446 host SERVER3IP 4446

access-list out2in permit tcp any interface outside range 4444 4446


That is, in ACLs, to designate the PIX outside IP itself,
use the literal 'interface outside' instead of the IP; in static, use
the literal 'interface' instead of the IP.
0
Reply roberson 1/22/2008 10:24:57 PM
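An added example, not from the thread: a small Python generator that emits the static PAT and access-list lines Walter gives in both replies above from one table of forwards, for both the spare-public-IP case and the PIX-outside-interface case, collapsing contiguous ports into one range entry and rejecting a public port that is mapped twice. It assumes PIX 6.3 syntax, allows a different inside port per forward and appends the access-group binding, none of which the thread shows; PUBLICIP and SERVERnIP are the thread's own placeholders.

```python
# Added example (not from the thread): build PIX 6.3 static PAT and ACL
# lines from one table of TCP forwards on a single outside address.
from typing import List, Optional, Tuple

# (public_port, inside_server, inside_port); placeholders as in the thread
Forward = Tuple[int, str, int]
FORWARDS: List[Forward] = [(4444, "SERVER1IP", 4444),
                           (4445, "SERVER2IP", 4445),
                           (4446, "SERVER3IP", 4446)]


def _check(forwards: List[Forward]) -> List[Forward]:
    """A public port can only be forwarded to one inside host, and every
    port must be within 1..65535; returns the forwards sorted by public port."""
    seen = set()
    for pub, _, inside in forwards:
        if not (1 <= pub <= 65535 and 1 <= inside <= 65535):
            raise ValueError(f"port out of range: {pub}->{inside}")
        if pub in seen:
            raise ValueError(f"public port {pub} is mapped twice")
        seen.add(pub)
    return sorted(forwards)


def static_lines(forwards: List[Forward], public_ip: Optional[str]) -> List[str]:
    """public_ip=None means the PIX's own outside address, which the
    static command spells as the literal 'interface' (second reply above)."""
    out = "interface" if public_ip is None else f"host {public_ip}"
    return [f"static (inside,outside) tcp {out} {pub} host {srv} {inside}"
            for pub, srv, inside in _check(forwards)]


def _ranges(ports: List[int]) -> List[Tuple[int, int]]:
    """Collapse sorted ports into contiguous (lo, hi) runs: 4444..4446 -> one run."""
    runs: List[Tuple[int, int]] = []
    for p in ports:
        if runs and runs[-1][1] + 1 == p:
            runs[-1] = (runs[-1][0], p)
        else:
            runs.append((p, p))
    return runs


def acl_lines(forwards: List[Forward], public_ip: Optional[str],
              name: str = "out2in") -> List[str]:
    """In an ACL the PIX outside address is written 'interface outside';
    a contiguous block of ports becomes a single 'range lo hi' entry."""
    dest = "interface outside" if public_ip is None else f"host {public_ip}"
    lines = []
    for lo, hi in _ranges([f[0] for f in _check(forwards)]):
        spec = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
        lines.append(f"access-list {name} permit tcp any {dest} {spec}")
    # Not shown in the thread: the ACL only takes effect once it is bound.
    lines.append(f"access-group {name} in interface outside")
    return lines
```

Calling `static_lines(FORWARDS, "PUBLICIP") + acl_lines(FORWARDS, "PUBLICIP")` reproduces the first reply's lines; passing `None` instead of the address reproduces the second reply's.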

Walter Roberson wrote:

> Can you tell me what that syntax would look like?
> 
> static (inside,outside) tcp interface 4444 host SERVER1IP 4444
> static (inside,outside) tcp interface 4445 host SERVER2IP 4445
> static (inside,outside) tcp interface 4446 host SERVER3IP 4446
> 
> access-list out2in permit tcp any interface outside range 4444 4446
> 
> 
> That is, in ACLs, to designate the PIX outside IP itself,
> use the literal 'interface outside' instead of the IP; in static, use
> the literal 'interface' instead of the IP.

Thanks much!  That solves my problem nicely.

I work with many vendor firewalls and FreeBSD ipfw stuff, but somehow the 
Pix never quite sinks in.
0
Reply Howard 1/23/2008 12:43:34 AM

4 Replies
246 Views
