help with port forwarding with PIX 515E

Discussion in 'Cisco' started by KarimMTI, Mar 24, 2008.

  1. KarimMTI


    I need some assistance with port forwarding on my PIX 515E. I need to
    forward port 6100 to my file server, but I can't get it to work. Can
    anyone help me with this? The PIX is on version 6.3(1).


    This is what I have now:

    static (inside,outside) tcp x.x.x.x 6100 192.168.1.12 6100 netmask 255.255.255.255 0 0
    access-list outside permit tcp any host x.x.x.x eq 6100

    Thanks in advance
     
    KarimMTI, Mar 24, 2008
    #1

  2. Note: 6.3(1) through 6.3(5) have security problems sufficient that
    if you are the registered owner of the system (e.g., not an eBay
    acquisition) then you are entitled to a free upgrade to a later 6.3(5)*
    rebuild.

    And of course

    access-group outside in interface outside

    The above syntax would work provided that host x.x.x.x was NOT
    the same as the external interface IP address. If you are trying
    to NAT the external interface IP address, you would need to use

    static (inside,outside) tcp interface 6100 192.168.1.12 6100 netmask 255.255.255.255 0 0
    access-list outside permit tcp any interface outside eq 6100
    access-group outside in interface outside

    The words 'interface' and 'interface outside' there are literals.

    The requirement to use 'interface' changed in 7.0, I understand.
     
    Walter Roberson, Mar 24, 2008
    #2

  3. KarimMTI



    First, let me mention, if it's not already obvious, that my
    knowledge of Cisco is limited... so with that being said...

    I don't understand when you say "host x.x.x.x should NOT be same as
    external interface IP address". What should it be then?

    There is a static route plugged in:

    static (inside,outside) x.x.x.x 192.168.1.12 netmask 255.255.255.255 0 0

    So I thought that x.x.x.x should be the same for "access-list outside
    permit tcp any host x.x.x.x eq 6100".
     
    KarimMTI, Mar 24, 2008
    #3
  4. I am saying that in PIX 6, if the IP address you are trying to NAT
    into is the IP address of the PIX external interface, then you cannot
    use the commands you had, and instead need to use the slightly different
    commands I showed (that use the keyword 'interface' instead of
    the interface IP address.)

    If the IP address you are trying to NAT into is -different- than
    the PIX external interface IP address, then the commands you had
    are fine (provided you have "access-group outside in interface outside").
     
    Walter Roberson, Mar 25, 2008
    #4
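
The checks discussed in this thread, as an added example (not code from any poster): a small audit of a PIX 6.x configuration that flags a static port forward whose mapped address is the outside interface IP, or whose access-list entry is missing or not applied with access-group. The function name `audit`, both sample configurations and the 203.0.113.5 address are constructed for illustration; only numeric ports are handled.

```python
import re

# Constructed PIX 6.3 samples (203.0.113.5 is a documentation address, not from the thread).
SAMPLE = """\
ip address outside 203.0.113.5 255.255.255.0
static (inside,outside) tcp 203.0.113.5 6100 192.168.1.12 6100 netmask 255.255.255.255 0 0
access-list outside permit tcp any host 203.0.113.5 eq 6100
"""
FIXED = """\
ip address outside 203.0.113.5 255.255.255.0
static (inside,outside) tcp interface 6100 192.168.1.12 6100 netmask 255.255.255.255 0 0
access-list outside permit tcp any interface outside eq 6100
access-group outside in interface outside
"""

STATIC = re.compile(r"^static \(inside,outside\) tcp (\S+) (\d+) (\S+) (\d+)", re.M)
ACE = re.compile(r"^access-list (\S+) permit tcp any (host \S+|interface outside) eq (\d+)", re.M)
BOUND = re.compile(r"^access-group (\S+) in interface outside", re.M)
OUTSIDE_IP = re.compile(r"^ip address outside (\S+)", re.M)

def audit(config):
    """Return findings for each static TCP port forward in a PIX 6.x config."""
    findings = []
    m = OUTSIDE_IP.search(config)
    outside_ip = m.group(1) if m else None
    bound = set(BOUND.findall(config))      # ACL names applied inbound on outside
    aces = ACE.findall(config)              # (acl name, destination, port)
    for mapped, port, _real, _rport in STATIC.findall(config):
        # PIX 6: the outside interface address must be written as 'interface'.
        if mapped == outside_ip:
            findings.append(f"static for port {port}: mapped address is the outside "
                            "interface IP; use the keyword 'interface'")
        # The ACL must name the mapped (outside) address, not 192.168.x.x.
        target = "interface outside" if mapped == "interface" else f"host {mapped}"
        acls = {name for name, dst, p in aces if dst == target and p == port}
        if not acls:
            findings.append(f"static for port {port}: no access-list entry permits {target}")
        elif not acls & bound:
            findings.append(f"static for port {port}: access-list {sorted(acls)[0]} is not "
                            "applied with access-group ... in interface outside")
    return findings

if __name__ == "__main__":
    for name, cfg in (("SAMPLE", SAMPLE), ("FIXED", FIXED)):
        print(name, audit(cfg) or "no findings")
```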