help with port forwarding with PIX 515E

Discussion in 'Cisco' started by KarimMTI, Mar 24, 2008.

  1. KarimMTI

    KarimMTI Guest

    I need some assistance with port forwarding on my PIX 515E. I need to
    forward port 6100 to my file server, but I can't get it to work. Can
    anyone help me with this? The PIX is on version 6.3(1).


    This is what I have now:

    static (inside,outside) tcp x.x.x.x 6100 192.168.1.12 6100 netmask 255.255.255.255 0 0
    access-list outside permit tcp any host x.x.x.x eq 6100

    Thanks in advance
     
    KarimMTI, Mar 24, 2008
    #1

  2. In article <>,
    KarimMTI <> wrote:
    >I need some assistance with port forwarding on my pix 515E. I need to
    >forward port 6100 to my file server, but i can't get it to work. Can
    >anyone help me with this? The pix is on version 6.3(1)


    Note: 6.3(1) through 6.3(5) have security problems sufficient that
    if you are the registered owner of the system (e.g., not an ebay
    acquisition) then you are entitled to a free upgrade to a later 6.3(5)*
    rebuild.


    >this is what i have now:


    >static (inside,outside) tcp x.x.x.x 6100 192.168.1.12 6100 netmask 255.255.255.255 0 0
    >access-list outside permit tcp any host x.x.x.x eq 6100


    And of course

    access-group outside in interface outside

    The above syntax would work provided that host x.x.x.x was NOT
    the same as the external interface IP address. If you are trying
    to NAT the external interface IP address, you would need to use

    static (inside,outside) tcp interface 6100 192.168.1.12 6100 netmask 255.255.255.255 0 0
    access-list outside permit tcp any interface outside eq 6100
    access-group outside in interface outside

    The words 'interface' and 'interface outside' there are literals.

    The requirement to use 'interface' changed in 7.0, I understand.
     
    Walter Roberson, Mar 24, 2008
    #2

  3. KarimMTI

    KarimMTI Guest

    On Mar 24, 3:14 pm, (Walter Roberson) wrote:
    > In article <>,
    >
    > KarimMTI <> wrote:
    > >I need some assistance with port forwarding on my pix 515E. I need to
    > >forward port 6100 to my file server, but i can't get it to work. Can
    > >anyone help me with this? The pix is on version 6.3(1)

    >
    > Note: 6.3(1) through 6.3(5) have security problems sufficient that
    > if you are the registered owner of the system (e.g., not an ebay
    > acquisition) then you are entitled to a free upgrade to a later 6.3(5)*
    > rebuild.
    >
    > >this is what i have now:
    > >static (inside,outside) tcp x.x.x.x 6100 192.168.1.12 6100 netmask 255.255.255.255 0 0
    > >access-list outside permit tcp any host x.x.x.x eq 6100

    >
    > And of course
    >
    > access-group outside in interface outside
    >
    > The above syntax would work provided that host x.x.x.x was NOT
    > the same as the external interface IP address. If you are trying
    > to NAT the external interface IP address, you would need to use
    >
    > static (inside,outside) tcp interface 6100 192.168.1.12 6100 netmask 255.255.255.255 0 0
    > access-list outside permit tcp any interface outside eq 6100
    > access-group outside in interface outside
    >
    > The word 'interface' and 'interface outside' there are literals.
    >
    > The requirement to use 'interface' changed in 7.0, I understand.



    First, let me mention, if it's not already obvious, that my
    knowledge of Cisco is limited... so with that being said...

    I don't understand when you say "host x.x.x.x should NOT be same as
    external interface IP address". What should it be then?

    There is a static route plugged in:
    static (inside,outside) x.x.x.x 192.168.1.12 netmask 255.255.255.255 0 0

    So I thought that x.x.x.x should be the same for "access-list outside
    permit tcp any host x.x.x.x eq 6100"
     
    KarimMTI, Mar 24, 2008
    #3
  4. In article <>,
    KarimMTI <> wrote:

    >i don't understand when you say "host x.x.x.x should NOT be same as
    >external interface IP address". what should it be then?


    I am saying that in PIX 6, if the IP address you are trying to NAT
    into is the IP address of the PIX external interface, then you cannot
    use the commands you had, and instead need to use the slightly different
    commands I showed (that use the keywords 'interface' instead of
    the interface IP address.)

    If the IP address you are trying to NAT into is -different- than
    the PIX external interface IP address, then the commands you had
    are fine (provided you have "access-group outside in interface outside").
     
    Walter Roberson, Mar 25, 2008
    #4
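
The three conditions discussed in this thread (the `interface` keyword when forwarding from the outside interface's own address, a matching `access-list` permit, and an `access-group` binding), as an added example that is not part of any poster's reply: a small Python check over PIX 6.x-style configuration text. The helper name `lint_port_forwards` is hypothetical, and the sample configs with their 203.0.113.x addresses are constructed.

```python
import re

# Patterns for the PIX 6.x command forms quoted in this thread.
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(
    r"^access-list (\S+) permit tcp any (host (\S+)|interface outside) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")
ADDR_RE = re.compile(r"^ip address outside (\S+) ")


def lint_port_forwards(config):
    """Return findings for every TCP port forward in PIX 6.x-style config text."""
    lines = [l.strip() for l in config.splitlines()]
    outside_ip = next((m.group(1) for l in lines if (m := ADDR_RE.match(l))), None)
    bound = {m.group(1) for l in lines if (m := GROUP_RE.match(l))}
    # (ACL name, destination, port); destination is an IP or the literal "interface"
    acls = [(m.group(1), m.group(3) or "interface", m.group(4))
            for l in lines if (m := ACL_RE.match(l))]
    findings = []
    for l in lines:
        m = STATIC_RE.match(l)
        if not m:
            continue
        glob, gport = m.group(1), m.group(2)
        if glob == outside_ip:
            findings.append(f"{gport}: static names the outside interface IP; "
                            "PIX 6 needs the 'interface' keyword")
        matching = {name for name, dst, port in acls if (dst, port) == (glob, gport)}
        if not matching:
            findings.append(f"{gport}: no access-list permit for {glob}")
        elif not matching & bound:
            findings.append(f"{gport}: ACL permits it but no access-group binds the ACL")
    return findings


# Constructed sample configs (documentation addresses, not from the thread).
BROKEN = """
ip address outside 203.0.113.2 255.255.255.0
static (inside,outside) tcp 203.0.113.2 6100 192.168.1.12 6100 netmask 255.255.255.255 0 0
access-list outside permit tcp any host 203.0.113.2 eq 6100
"""
FIXED = """
ip address outside 203.0.113.2 255.255.255.0
static (inside,outside) tcp interface 6100 192.168.1.12 6100 netmask 255.255.255.255 0 0
access-list outside permit tcp any interface outside eq 6100
access-group outside in interface outside
"""

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, lint_port_forwards(cfg))
```
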