«

Hi, all! Using a PIX 515e (IOS 12.3)...

Basically, I need to be able to translate (STATIC command) any traffic
from a given subnet (167.68.6.0) on a given port (5000) to a single
inside IP (10.1.1.1) and port (5000). My hangup at this point is the
subnet masks, I think. On one side I have to use a mask of .0, but I
need a mask of .255 on the inside specifically. Will the below STATIC
work for me?

static (inside, outside) tcp 10.1.1.1 5000 167.68.6.0 5000 netmask
255.255.255.255

Essentially, any port 5000 traffic on the outside subnet (all 255
possible machines) has to be sent to a single device on the inside
subnet.

Is this do-able? Thanks!
Jack

JackBlack wrote:
> Hi, all! Using a PIX 515e (IOS 12.3)...
>

Sorry, the PIX does not run on IOS 12.3, please paste a show version
from the firewall.

You're correct, my bad. It's running 6.3(4). Sorry, was looking at
something else when I wrote the original post.

So, what do you think about my question?

Thanks,
Jack


On Jun 1, 10:30 am, Chad Mahoney <c...@nospam.mah0ney.com> wrote:
> JackBlack wrote:
> > Hi, all! Using a PIX 515e (IOS 12.3)...
>
> Sorry, the PIX does not run on IOS 12.3, please paste a show version
> from the firewall.

In article <. com>,
JackBlack <> wrote:
>Hi, all! Using a PIX 515e (IOS 12.3)...

>Basically, I need to be able to translate (STATIC command) any traffic
>from a given subnet (167.68.6.0) on a given port (5000) to a single
>inside IP (10.1.1.1) and port (5000).

You can't do that in the way it is phrased.

>Essentially, any port 5000 traffic on the outside subnet (all 255
>possible machines) has to be sent to a single device on the inside
>subnet.

access-list six5000 permit tcp host 10.1.1.1 eq 5000 167.68.6.0 255.255.255.0
static (inside,outside) tcp interface 5000 10.1.1.1 5000 access-list six5000

This presumes that the public IP that those 167.68.6.0 hosts are
talking to, that represents 10.1.1.1 to the outside world, is your
outside interface IP. If not, replace the word 'interface' with the
public IP.

I'm not completely sure this will work. I'd have to think back and try
to remember exactly how statics with access-lists work, which is not
well documented. I did get clarification from the TAC at one point,
but I no longer have access to that case.