501 help w/ PAT, or outside NAT?

Discussion in 'Cisco' started by Ender, Aug 3, 2007.

  1. Ender

    Ender Guest

    I've got a pix 501 and I'm trying to figure out how to make inbound
    connections, depending on the service, route to certain inside machines.

    I'm having a hard time wrapping my head around how to do this with CLI
    (PDM was just unclear for me), but I think what used to be called PAT
    on my older simpler firewalls is what cisco calls outside NAT. I think
    it involves access-lists and can't get these to work yet.

    So I'm just trying to make this happen with SSH. I don't want the SSH
    connection to the console, but I want to come from the outside (using
    any machine, I'll figure out how to narrow that down later, one step at
    a time for me) and have my SSH connection be routed to a specific
    machine on my network.

    Any help in guiding me on this would be great.
    Ender, Aug 3, 2007
    #1

  2. In article <2007080220205716807-enderwigginandrew@gmailcom>,
    Ender <> wrote:
    >I've got a pix 501

    >So I'm just trying to make this happen with SSH. I don't want the SSH
    >connection to the console, but I want to come from the outside (using
    >any machine, I'll figure out how to narrow that down later, one step at
    >a time for me) and have my SSH connection be routed to a specific
    >machine on my network.

    http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694


    Static PAT Examples

    To redirect Telnet traffic from the PIX Firewall outside interface to
    the inside host at 10.1.1.15, enter:

    static (inside,outside) tcp interface telnet 10.1.1.15 telnet netmask 255.255.255.255


    So do the same sort of thing except with '22' instead of 'telnet'
    on both places on the line.

    You will also need an access-list:

    access-list out2in permit tcp any interface eq 22

    and you will need to apply the access-list to the outside interface:

    access-group out2in in interface outside
    Walter Roberson, Aug 3, 2007
    #2

  3. Ender

    CK Guest

    Hi,
    I suppose you are looking for redirecting services on external
    interface of PIX.
    You can do this with Static NAT command and Access-list

    Static command for SSH
    PIX(config)# static (inside,outside) tcp <Public IP> SSH <Internal Server IP> SSH netmask 255.255.255.255

    NAT for incoming traffic
    PIX(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    PIX(config)# global (outside) 1 <Public IP>

    Create Access-list
    access-list OUT-2-IN permit tcp any interface eq 22

    Apply the Access-list to Interface
    access-group OUT-2-IN in interface outside

    Rate if it helps
    CK, Aug 3, 2007
    #3
  4. In article <>,
    CK <> wrote:

    >I suppose you are looking for redirecting services on external
    >interface of PIX.

    >NAT for incoming traffic
    >PIX(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    >PIX(config)# global (outside) 1 <Public IP>


    You do not need a nat/global pair for incoming traffic.

    >Static command for SSH
    >PIX(config)# static (inside,outside) tcp <Public IP> SSH <Internal Server IP> SSH netmask 255.255.255.255

    The OP's device is a PIX 501; PIX 501 do not support PIX 7.x.

    In PIX 6.1, PIX 6.2 and 6.3, you cannot use the PIX external IP itself
    in either the static command or the global command: instead you would
    use the keyword 'interface'.

    static (inside,outside) tcp interface SSH <Internal Server IP> SSH netmask 255.255.255.255
    global (outside) 1 interface


    >Create Acces-list
    >access-list OUT-2-IN permit tcp any interface eq 22

    This was valid for PIX 6.1, but in PIX 6.2 and PIX 6.3, ACLs
    must give an interface name after the keyword 'interface':

    access-list OUT-2-IN permit tcp any interface outside eq 22

    (I think I might have omitted the 'outside' in my own reply.)
    Walter Roberson, Aug 3, 2007
    #4
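    A small config lint, added here as an illustration (it is not from the thread, from Cisco, or from either poster), that checks a PIX 6.x static PAT fragment for the three pitfalls Walter points out: a literal outside IP instead of the 'interface' keyword in static/global, an ACL 'interface' with no interface name, and an ACL that is defined but never applied. The two sample configs, including the 198.51.100.7 management host used to narrow the source, are constructed.

```python
import re
# Constructed sample configs (illustrative, not taken from the thread): the first
# shows the mistakes corrected above, the second the PIX 6.2/6.3 form.
WRONG_CFG = """\
static (inside,outside) tcp 203.0.113.5 ssh 10.1.1.15 ssh netmask 255.255.255.255
global (outside) 1 203.0.113.5
access-list OUT-2-IN permit tcp any interface eq 22
access-group OUT-2-IN in interface outside
"""
FIXED_CFG = """\
static (inside,outside) tcp interface 22 10.1.1.15 22 netmask 255.255.255.255
access-list OUT-2-IN permit tcp host 198.51.100.7 interface outside eq 22
access-group OUT-2-IN in interface outside
"""
STATIC_RE = re.compile(r"^static \(\w+,\w+\) (?:tcp|udp) (\S+) \S+ \S+ \S+ netmask")
GLOBAL_RE = re.compile(r"^global \(\w+\) \d+ (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (?:permit|deny) \S+ (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface \w+$")
PORT_OPS = {"eq", "gt", "lt", "neq", "range"}

def lint_pix6_redirect(cfg):
    """Return findings for the PIX 6.x static-PAT pitfalls discussed in the thread."""
    findings, defined, applied = [], set(), set()
    for line in cfg.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            # PIX 6.x: the mapped side must be the keyword 'interface', not the outside IP
            if m.group(1) != "interface":
                findings.append("static: use 'interface', not the outside IP, on PIX 6.x")
        elif m := GLOBAL_RE.match(line):
            # nat/global is not needed inbound; if kept for outbound PAT, same rule applies
            if m.group(1) != "interface":
                findings.append("global: not needed inbound; use 'interface' on PIX 6.x")
        elif m := ACL_RE.match(line):
            name, toks = m.group(1), m.group(2).split()
            defined.add(name)
            if toks[0] == "any":
                findings.append(f"access-list {name}: source 'any'; narrow to 'host <mgmt-ip>'")
            if "interface" in toks:
                rest = toks[toks.index("interface") + 1:]
                # PIX 6.2/6.3 require an interface name after 'interface'
                if not rest or rest[0] in PORT_OPS:
                    findings.append(f"access-list {name}: missing interface name after 'interface'")
        elif m := GROUP_RE.match(line):
            applied.add(m.group(1))
    for name in defined - applied:
        findings.append(f"access-list {name}: defined but never applied with access-group")
    for name in applied - defined:
        findings.append(f"access-group {name}: references an undefined access-list")
    return findings
```

    Running it on WRONG_CFG yields four findings and on FIXED_CFG none.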
  5. Ender

    CK Guest

    On Aug 3, 10:48 am, (Walter Roberson) wrote:
    > In article <>,
    >
    > CK <> wrote:
    > >I suppose you are looking for redirecting services on external
    > >interface of PIX.
    > >NAT for incoming traffic
    > >PIX(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > >PIX(config)# global (outside) 1 <Public IP>

    >
    > You do not need a nat/global pair for incoming traffic.
    >
    > >Static command for SSH
    > >PIX(config)# static (inside,outside) tcp <Public IP> SSH <Internal Server IP> SSH netmask 255.255.255.255

    >
    > The OP's device is a PIX 501; PIX 501 do not support PIX 7.x.
    >
    > In PIX 6.1, PIX 6.2 and 6.3, you cannot use the PIX external IP itself
    > in either the static command or the global command: instead you would
    > use the keyword 'interface'.
    >
    > static (inside,outside) tcp interface SSH <Internal Server IP> SSH netmask 255.255.255.255
    > global (outside) 1 interface
    >
    > >Create Acces-list
    > >access-list OUT-2-IN permit tcp any interface eq 22

    >
    > This was valid for PIX 6.1, but in PIX 6.2 and PIX 6.3, ACLs
    > must give an interface name after the keyword 'interface':
    >
    > access-list OUT-2-IN permit tcp any interface outside eq 22
    >
    > (I think I might have omitted the 'outside' in my own reply.)


    Thanks Walter .. for correcting me
    I did not see the IOS information..
    CK, Aug 3, 2007
    #5
