Re: [fw-wiz] Cisco PIX 501 Help

Any 6.x version of code will not allow a connection attempt from a
lower-security interface (outside in this case) directly to a
higher-security interface (inside).

7.0 you can configure a firewall in such a way.
However, the 501 cannot/will not run the 7.0 codebase (memory capacity

What you would be forced to do is static into a SSH "proxy" on the
inside and then connect back to the firewall or enable some other form
of "OS console" and then instantiate your SSH session to the firewall.

Not many options for remote management of OS6.x boxes but you can do it.


-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of
Sent: Monday, August 06, 2007 3:56 PM
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] Cisco PIX 501 Help


Have just been given a couple of 501's to setup at work. Basic
configuration has been performed, and that is working fine. The question
I have is whether there is anyway to setup 100+ statics, one to one,
port mappings using object groups ? My IP setup is as follows :-

outside -> inside -> host -> ->

I have a application that uses 30 ports, plus X11, plus remove support
via PCanywhere. I have created the ACLs using object groups, but I
don't really fancy setting up individual TCP/UDP static entries.

If I use something like :-

static (inside,outside) interface netmask 0 0

Then the outside interface SSH server will not work as all traffic gets
mapped through too the inside interface :( Obviously we need to support
via the outside interface, so is there anyway around it ?

Could I put the SSH on the inside interface and then do something like

static (inside,outside) interface 2222 22 netmask 0 0

so that we just have to connect too port 2222 instead and that will map
it through so we can administer the PIX ?

I see on our IOS that we can use access-list on the static mapping, is
this a potential use ?

Hope my explanation makes sense ?


--[ UxBoD ]--
// PGP Key: "curl -s | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@xxxxxxxxxxxxxxxx

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

firewall-wizards mailing list

This message is intended only for the person(s) to which it is addressed
and may contain privileged, confidential and/or insider information.
If you have received this communication in error, please notify us
immediately by replying to the message and deleting it from your computer.
Any disclosure, copying, distribution, or the taking of any action concerning
the contents of this message and any attachment(s) by anyone other
than the named recipient(s) is strictly prohibited.

firewall-wizards mailing list