[HELP] Cisco PIX 515 Port Forwarding

Discussion in 'Cisco' started by Corbin O'Reilly, Sep 26, 2003.

  1. Hi everyone. I have a Cisco PIX 515 and am trying to do a simple task. When
    somebody connects to an external IP address on a specific port I want it to
    direct to an internal IP on a different port. For example, if somebody
    connects to the external 215.152.16.8 on port 9386 I want it to map to port
    2516 on 192.168.1.8. I know the command to map the IP is:

    static (inside,outside) 215.152.16.8 192.168.1.8 netmask 255.255.255.255 0 0

    What is the command to redirect the ports? Does this command look right?

    static (inside,outside) tcp 215.152.16.8 9386 192.168.1.8 2516 netmask 255.255.255.255 0 0

    Thanks for the help. Raven.
    Corbin O'Reilly, Sep 26, 2003
    #1

  2. In article <44Mcb.12492$>,
    Corbin O'Reilly <> wrote:
    :Hi everyone. I have a Cisco PIX 515 and am trying to do a simple task. When
    :somebody connects to an external IP address on a specific port I want it to
    :direct to an internal IP on a different port. For example, if somebody
    :connects to the external 215.152.16.8 on port 9386 I want it to map to port
    :2516 on 192.168.1.8. I know the command to map the IP is:

    :static (inside,outside) 215.152.16.8 192.168.1.8 netmask 255.255.255.255 0 0

    :What is the command to redirect the ports? Does this command look right?

    :static (inside,outside) tcp 215.152.16.8 9386 192.168.1.8 2516 netmask 255.255.255.255 0 0

    Looks right to me.

    You will of course need an access-list permitting the traffic,
    applied to the outside interface via the 'access-group' command.
    --
    "WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG"
    WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG. (GEB)
    Walter Roberson, Sep 26, 2003
    #2

  3. Rik Bain Guest

    On Sat, 27 Sep 2003 02:39:25 +0600, Walter Roberson wrote:

    > The extended version of 'static' has been supported since PIX 6.0(1),
    > and Cisco has been recommending against using 'conduit' since PIX 5.1(2)
    > or so. Cisco does not promise that conduits will function properly with
    > PIX 6 features such as port forwarding. I would highly recommend that
    > you use access-list and access-group instead.



    Just to add to Walter's statement, the release notes for 6.3.3 state that
    it is the last major release to support conduit.

    Rik Bain
    Rik Bain, Sep 26, 2003
    #3
  4. Thanks for the reply. Please let me know if these are the commands I need to
    add.

    static (inside,outside) tcp 215.152.16.8 9386 192.168.1.8 2516 netmask 255.255.255.255 0 0
    conduit permit tcp host 215.152.16.8 eq 9386 any

    I appreciate the help.


    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:bl0ecl$7v2$...
    > In article <44Mcb.12492$>,
    > Corbin O'Reilly <> wrote:
    > :Hi everyone. I have a Cisco PIX 515 and am trying to do a simple task. When
    > :somebody connects to an external IP address on a specific port I want it to
    > :direct to an internal IP on a different port. For example, if somebody
    > :connects to the external 215.152.16.8 on port 9386 I want it to map to port
    > :2516 on 192.168.1.8. I know the command to map the IP is:
    >
    > :static (inside,outside) 215.152.16.8 192.168.1.8 netmask 255.255.255.255 0 0
    >
    > :What is the command to redirect the ports? Does this command look right?
    >
    > :static (inside,outside) tcp 215.152.16.8 9386 192.168.1.8 2516 netmask 255.255.255.255 0 0
    >
    > Looks right to me.
    >
    > You will of course need an access-list permitting the traffic,
    > applied to the outside interface via the 'access-group' command.
    > --
    > "WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG"
    > WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG. (GEB)
    Corbin O'Reilly, Sep 26, 2003
    #4
  5. In article <jT%cb.7189$>,
    Corbin O'Reilly <> wrote:
    :Thanks for the reply. Please let me know if these are the commands I need to
    :add.

    :static (inside,outside) tcp 215.152.16.8 9386 192.168.1.8 2516 netmask 255.255.255.255 0 0
    :conduit permit tcp host 215.152.16.8 eq 9386 any

    The extended version of 'static' has been supported since PIX 6.0(1),
    and Cisco has been recommending against using 'conduit' since PIX 5.1(2)
    or so. Cisco does not promise that conduits will function properly with
    PIX 6 features such as port forwarding. I would highly recommend
    that you use access-list and access-group instead.
    --
    And the wind keeps blowing the angel / Backwards into the future /
    And this wind, this wind / Is called / Progress.
    -- Laurie Anderson
    Walter Roberson, Sep 26, 2003
    #5
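
Added example, not from any poster in this thread: a small Python check over PIX 6.x configuration text that applies the advice above, flagging `conduit` lines and port-redirect `static` entries that have no matching permit in an ACL bound inbound to the outside interface. The ACL name `acl_out` and both sample configs are constructed, and only the `any host <ip> eq <port>` ACL form is parsed.

```python
import re

# Constructed PIX 6.x config: the thread's static plus the access-list /
# access-group pair recommended in the replies. "acl_out" is a hypothetical name.
GOOD = """\
static (inside,outside) tcp 215.152.16.8 9386 192.168.1.8 2516 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any host 215.152.16.8 eq 9386
access-group acl_out in interface outside
"""
# The variant proposed in post #4, which relies on the deprecated conduit command.
CONDUIT = """\
static (inside,outside) tcp 215.152.16.8 9386 192.168.1.8 2516 netmask 255.255.255.255 0 0
conduit permit tcp host 215.152.16.8 eq 9386 any
"""

STATIC = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
# Narrow on purpose: broader permits (any any, ranges, object-groups) are not
# recognised and would be reported as missing.
ACL = re.compile(r"^access-list (\S+) permit (tcp|udp) any host (\S+) eq (\d+)$")
GROUP = re.compile(r"^access-group (\S+) in interface (\w+)$")

def audit(config):
    """Return a list of findings for port-redirect statics in a PIX 6.x config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    statics = [m.groups() for l in lines if (m := STATIC.match(l))]
    acls = [m.groups() for l in lines if (m := ACL.match(l))]
    bound = {m.group(2): m.group(1) for l in lines if (m := GROUP.match(l))}
    findings = [f"deprecated conduit: {l}" for l in lines if l.startswith("conduit ")]
    for _in_if, out_if, proto, gip, gport, _lip, _lport in statics:
        acl = bound.get(out_if)
        # On PIX 6.x the outside ACL matches the global (translated) address
        # and port, not the inside host's real address and port.
        if acl is None:
            findings.append(f"no access-group bound to {out_if} for {gip}:{gport}")
        elif (acl, proto, gip, gport) not in acls:
            findings.append(f"{acl} has no permit for {proto} {gip}:{gport}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("CONDUIT", CONDUIT)):
        print(name, audit(cfg) or "ok")
```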