How do I forward a port (3389) to a PC (192.168.1.5) in a NAT environment in Pix (6.2)?

Discussion in 'Cisco' started by swsw, Jul 28, 2005.

  1. swsw

    swsw Guest

    Any suggestions on command?
    swsw, Jul 28, 2005
    #1

  2. In article <>,
    swsw <> wrote:
    :Any suggestions on command?

    static (inside,outside) udp XX.XX.XX.XX 3389 192.168.1.5 3389 netmask 255.255.255.255

    OR

    static (inside,outside) udp interface 3389 192.168.1.5 3389 netmask 255.255.255.255

    --
    "Never install telephone wiring during a lightning storm." -- Linksys
    Walter Roberson, Jul 28, 2005
    #2

  3. swsw

    swsw Guest

    Thanks. But do I need any access-list or "fixup protocols"? If yes, how
    do I put it?
    swsw, Jul 28, 2005
    #3
  4. In article <>,
    swsw <> wrote:
    :Thanks. But do I need any access-list or "fixup protocols"? If yes, how
    :do I put it?

    You do not need any 'fixup'. You -will- need an access-list and
    access-group.

    My memory of the details of PIX 6.2 is starting to fade a bit
    and the documentation is a bit weak on some points. My
    recollection is that if the packets will be addressed to the PIX
    outside interface, that the ACL entry you would need
    would be similar to

    access-list outside2inside permit udp any interface eq 3389

    but you might instead need

    access-list outside2inside permit udp any interface outside eq 3389

    The documentation does not indicate that the 'interface' keyword
    existed in 6.2, but my recollection is that it did.

    If you do not (or cannot) use the interface keyword in the ACL, then
    if your PIX's public IP is your only IP, the next choice would be

    access-list outside2inside permit udp any any eq 3389

    If the PIX does not recognize the 'interface' keyword in ACLs
    and you need to be more specific about the destination IP
    (because you have other IPs) and it is the Interface IP that
    you want the port to be forwarded for, then you could try

    access-list outside2inside permit udp any host XX.XX.XX.XX eq 3389

    where XX.XX.XX.XX is the public IP. This will NOT work properly
    in PIX 6.3!! (It also will not work properly in PIX 5.x, as
    PIX 5.x does not allow forwarding of PIX interface-IP ports.)


    Whatever ACL entry you end up using, you will need

    access-group outside2inside in interface outside


    Note: you should check first with show access-group
    as you might already have an existing access-list on the outside
    interface.
    --
    This signature intentionally left... Oh, darn!
    Walter Roberson, Jul 28, 2005
    #4
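The three replies above, put together as one configuration, as an added example that is not from the thread or from Cisco's documentation. It assumes 203.0.113.10 is a placeholder for the single remote host that should be allowed to reach the desktop, and that this PIX build accepts the 'interface' keyword in access-list entries (the reply above is unsure about 6.2); RDP on 3389 is TCP, so tcp is used here where the replies wrote udp, and the source is a host rather than any, so the forwarded port is not exposed to the whole Internet.

```cisco
: Added example (not from the thread). 203.0.113.10 is a placeholder for the
: one remote host that may reach the desktop; replace it with the real address.
: Assumes PIX 6.2 with port redirection and the 'interface' keyword in ACLs.

: Redirect TCP 3389 arriving at the outside interface address to the desktop.
static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255

: Permit only the management host, not 'any', to reach the redirected port.
access-list outside2inside permit tcp host 203.0.113.10 interface outside eq 3389

: Bind the list inbound on the outside interface. Run 'show access-group'
: first: if a list is already bound there, add the entry to that list instead,
: because binding a new list replaces the one already applied to the interface.
access-group outside2inside in interface outside

: Verify the translation, the bound list and the entry's hit counts.
show static
show access-group
show access-list outside2inside
```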
