PIX 501 Incoming rule creation

Discussion in 'Cisco' started by Howard Beale, Jan 22, 2008.

  1. Howard Beale

    Howard Beale Guest

    Hi-

    I'm trying to create some inbound access rules on an old Pix 505 (Cisco PIX
    Firewall Version 6.3(3) Cisco PIX Device Manager Version 3.0(1), yes, all
    ancient).

    I don't work on PIXes very often, but when I add an inbound rule permitting
    traffic, the PIX prompts me that:

    "No static Network Address Translation (NAT) rule is configured for the
    destination host or network on interface outside. Would you like to add a
    static NAT rule for the host or network now?"

    What exactly do I have to add? I'm basically trying to map connections to
    port 4444, 4445, and 4446 to three internal servers (server 1 4444, 2 4445,
    etc) using the same outside (public) IP address.

    They have 4 public IPs, two are 1:1 NAT mapped to two other servers and
    client traffic is mapped to a third and the PIX external IP isn't used for
    anything.

    Thanks for any help.
     
    Howard Beale, Jan 22, 2008
    #1

  2. In article <>,
    Howard Beale <> wrote:
    >I'm trying to create some inbound access rules on an old Pix 505


    There was no PIX 505. On the other hand, your Subject says 501 which
    does exist and is still sold.

    >(Cisco PIX
    >Firewall Version 6.3(3) Cisco PIX Device Manager Version 3.0(1), yes, all
    >ancient).


    Not so ancient; the latest OS for that is one of the 6.3(5) versions.
    If the system owners are the registered owners of the PIX, they
    are entitled to a free upgrade to the latest 6.3(5) for the security
    fixes.


    >I don't work on PIXes very often, but when I add an inbound rule permitting
    >traffic, the PIX prompts me that:


    >"No static Network Address Translation (NAT) rule is configured for the
    >destination host or network on interface outside. Would you like to add a
    >static NAT rule for the host or network now?"


    >What exactly do I have to add? I'm basically trying to map connections to
    >port 4444, 4445, and 4446 to three internal servers (server 1 4444, 2 4445,
    >etc) using the same outside (public) IP address.


    >They have 4 public IPs, two are 1:1 NAT mapped to two other servers and
    >client traffic is mapped to a third and the PIX external IP isn't used for
    >anything.


    static (inside,outside) tcp PUBLICIP 4444 SERVER1IP 4444 netmask 255.255.255.255
    static (inside,outside) tcp PUBLICIP 4445 SERVER2IP 4445 netmask 255.255.255.255
    static (inside,outside) tcp PUBLICIP 4446 SERVER3IP 4446 netmask 255.255.255.255

    and your access-list would look like

    access-list out2in permit tcp any host PUBLICIP range 4444 4446


    Note: the syntax would be slightly different if you were using
    the PIX outside IP as the destination IP for this traffic.
     
    Walter Roberson, Jan 22, 2008
    #2

  3. Howard Beale

    Howard Beale Guest

    Walter Roberson wrote:
    > There was no PIX 505. On the other hand, your Subject says 501 which
    > does exist and is still sold.


    Whoops, sorry. I'm sure there's another 505 something on my mind.

    > Not so ancient; the latest OS for that is one of the 6.3(5) versions.


    Thanks, I'll check into that.

    > static (inside,outside) tcp PUBLICIP 4444 SERVER1IP 4444 netmask 255.255.255.255
    > static (inside,outside) tcp PUBLICIP 4445 SERVER2IP 4445 netmask 255.255.255.255
    > static (inside,outside) tcp PUBLICIP 4446 SERVER3IP 4446 netmask 255.255.255.255
    >
    > and your access-list would look like
    >
    > access-list out2in permit tcp any host PUBLICIP range 4444 4446
    >
    >
    > Note: the syntax would be slightly different if you were using
    > the PIX outside IP as the destination IP for this traffic.


    Can you tell me what that syntax would look like?

    Thanks!
     
    Howard Beale, Jan 22, 2008
    #3
  4. In article <>,
    Howard Beale <> wrote:
    >Walter Roberson wrote:


    >> static (inside,outside) tcp PUBLICIP 4444 SERVER1IP 4444 netmask 255.255.255.255
    >> static (inside,outside) tcp PUBLICIP 4445 SERVER2IP 4445 netmask 255.255.255.255
    >> static (inside,outside) tcp PUBLICIP 4446 SERVER3IP 4446 netmask 255.255.255.255


    >> access-list out2in permit tcp any host PUBLICIP range 4444 4446


    >> Note: the syntax would be slightly different if you were using
    >> the PIX outside IP as the destination IP for this traffic.


    >Can you tell me what that syntax would look like?


    static (inside,outside) tcp interface 4444 host SERVER1IP 4444
    static (inside,outside) tcp interface 4445 host SERVER2IP 4445
    static (inside,outside) tcp interface 4446 host SERVER3IP 4446

    access-list out2in permit tcp any interface outside range 4444 4446


    That is, in ACLs, to designate the PIX outside IP itself,
    use the literal 'interface outside' instead of the IP; in static, use
    the literal 'interface' instead of the IP.
     
    Walter Roberson, Jan 22, 2008
    #4
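The two replies above give the same port-forward in its two PIX 6.3 spellings (a dedicated public address versus the PIX's own outside address). The following Python is an added example, not code from the thread or from Cisco: it generates the complete inbound configuration for either form, including the `access-group` binding that the replies do not mention and without which the `access-list` does nothing. It also refuses duplicate global address/port pairs (two statics on the same global port cannot both take effect) and collapses contiguous ports into `range` clauses. The inside addresses 192.168.1.11-13 and the public address 203.0.113.10 in the usage are constructed for illustration.

```python
"""Generate PIX 6.3 inbound port-forward config: static + access-list + access-group.

Added example; the static/access-list syntax follows the PIX 6.3 command
reference, the sample addresses below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

HOST_MASK = "255.255.255.255"  # single-host static translation


def _port_ranges(ports):
    """Collapse distinct ports into sorted (low, high) runs, e.g. [4444,4445,4446] -> [(4444,4446)]."""
    runs = []
    for p in sorted(set(ports)):
        if runs and runs[-1][1] == p - 1:
            runs[-1][1] = p
        else:
            runs.append([p, p])
    return [tuple(r) for r in runs]


def _acl_dst(global_addr, outside):
    """In an ACL the PIX's own address is written 'interface <ifname>', not an IP."""
    return f"interface {outside}" if global_addr == "interface" else f"host {global_addr}"


def pix_port_forwards(forwards, acl_name="out2in", inside="inside",
                      outside="outside", proto="tcp"):
    """Return PIX 6.3 config lines for a list of (global_addr, gport, local_ip, lport).

    global_addr is a public IPv4 address or the literal "interface" for the
    PIX's own outside address. Raises ValueError on bad input or a duplicate
    global address/port pair.
    """
    statics, by_global, seen = [], defaultdict(list), set()
    for global_addr, gport, local_ip, lport in forwards:
        if global_addr != "interface":
            ipaddress.IPv4Address(global_addr)  # raises on a malformed address
        ipaddress.IPv4Address(local_ip)
        for p in (gport, lport):
            if not 1 <= p <= 65535:
                raise ValueError(f"port out of range: {p}")
        key = (global_addr, gport)
        if key in seen:
            raise ValueError(f"duplicate inbound mapping for {global_addr}:{gport}")
        seen.add(key)
        # static: 'interface' or the IP goes directly after the protocol; no 'host' keyword.
        statics.append(f"static ({inside},{outside}) {proto} {global_addr} {gport} "
                       f"{local_ip} {lport} netmask {HOST_MASK}")
        by_global[global_addr].append(gport)

    acls = []
    for global_addr, ports in by_global.items():
        dst = _acl_dst(global_addr, outside)
        for lo, hi in _port_ranges(ports):
            sel = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
            acls.append(f"access-list {acl_name} permit {proto} any {dst} {sel}")

    # Without this binding the ACL is never evaluated on the outside interface.
    return statics + acls + [f"access-group {acl_name} in interface {outside}"]


if __name__ == "__main__":
    # Constructed example: the three servers from the thread behind the PIX outside address.
    for line in pix_port_forwards([
        ("interface", 4444, "192.168.1.11", 4444),
        ("interface", 4445, "192.168.1.12", 4445),
        ("interface", 4446, "192.168.1.13", 4446),
    ]):
        print(line)
```

Two things to keep in mind when pasting the output into a live PIX: `access-group ... in interface outside` replaces whatever ACL is already bound to the outside interface, so the generated `out2in` must also carry the permits for the two existing 1:1 statics or they stop answering; and existing translations are not rebuilt until `clear xlate` is issued after the new `static` lines are added.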
  5. Howard Beale

    Howard Beale Guest

    Walter Roberson wrote:

    > Can you tell me what that syntax would look like?
    >
    > static (inside,outside) tcp interface 4444 host SERVER1IP 4444
    > static (inside,outside) tcp interface 4445 host SERVER2IP 4445
    > static (inside,outside) tcp interface 4446 host SERVER3IP 4446
    >
    > access-list out2in permit tcp any interface outside range 4444 4446
    >
    >
    > That is, in ACLs, to designate the PIX outside IP itself,
    > use the literal 'interface outside' instead of the IP; in static, use
    > the literal 'interface' instead of the IP.


    Thanks much! That solves my problem nicely.

    I work with many vendor firewalls and FreeBSD ipfw stuff, but somehow the
    Pix never quite sinks in.
     
    Howard Beale, Jan 23, 2008
    #5
