RE: [fw-wiz] Cisco PIX query

From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 02/23/04

  • Next message: Baumann, Sean C.: "RE: [fw-wiz] Sources for Extranet Designs?"
    To: "ADSL-Nerd" <adslnerd@pacific.net.sg>, <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 23 Feb 2004 08:48:33 -0500
    
    

    > -----Original Message-----
    > Is it possible to perform NAT/PAT as seen below: (If there's
    > such commands)
    >
    > static (inside,outside) 203.82.170.93 TCP 443 102.165.2.9 TCP 443 netmask 255.255.255.255 0 0
    > static (inside,outside) 203.82.170.91 TCP 25 102.165.2.9 TCP 25 netmask 255.255.255.255 0 0
    >
    > Any other ways to do this in PIX?

    You're on the right track. PAT port redirection is the only way I know of to get what you're asking for from a PIX. The syntax for the rules above would look like this:

    static (inside,outside) tcp 203.82.170.93 https 102.165.2.9 https netmask 255.255.255.255 0 0
    static (inside,outside) tcp 203.82.170.91 smtp 102.165.2.9 smtp netmask 255.255.255.255 0 0

    Because you are doing this from the outside in, you will need complementary access-list commands to allow the traffic. You will also want to be sure that the outside addresses aren't also used in a global pool, another static that doesn't use specific ports, or the address of the outside interface. (You can use the outside interface address; just replace '203.82.170.93' with 'interface' in the static rule(s).)

    PaulM

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
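The configuration the reply above describes, written out as a complete PIX 6.x fragment. This is an added example, not part of the original message: the two port-specific statics, the access-list that has to accompany them, and a dynamic NAT pool that does not reuse the static addresses. The interface names (inside, outside), the access-list name outside_in, the global pool address 203.82.170.90 and the interface addresses are assumptions; the public and inside addresses are the ones from the thread.

```cisco
! Assumed interface addressing (not from the original post).
ip address outside 203.82.170.90 255.255.255.0
ip address inside 102.165.2.1 255.255.255.0

! Static PAT: only TCP/443 on .93 and only TCP/25 on .91 are
! translated to the inside host. Any other port on those public
! addresses has no translation and is dropped.
static (inside,outside) tcp 203.82.170.93 https 102.165.2.9 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.82.170.91 smtp 102.165.2.9 smtp netmask 255.255.255.255 0 0

! Outbound dynamic PAT for the rest of the inside network uses the
! outside interface address, not .93 or .91, so the pool does not
! overlap the statics above.
nat (inside) 1 102.165.2.0 255.255.255.0 0 0
global (outside) 1 interface

! Inbound traffic is denied by default on the lower-security
! interface, so the statics alone do nothing. Permit exactly the
! translated ports and bind the list inbound on outside.
access-list outside_in permit tcp any host 203.82.170.93 eq https
access-list outside_in permit tcp any host 203.82.170.91 eq smtp
access-group outside_in in interface outside

! Variant: the same redirection on the outside interface address
! itself (PIX 6.2 and later). Here the ACL entry would use
! 'host 203.82.170.90' instead.
! static (inside,outside) tcp interface https 102.165.2.9 https netmask 255.255.255.255 0 0
```

After adding or changing static entries, run clear xlate so existing translation slots are rebuilt under the new rules, then confirm with show static and show xlate that only the expected TCP 443 and TCP 25 entries exist for 203.82.170.93 and 203.82.170.91.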

