PIX 501 Incoming rule creation

Discussion in 'Cisco' started by Howard Beale, Jan 22, 2008.

  1. Howard Beale

    Howard Beale Guest

    Hi-

    I'm trying to create some inbound access rules on an old Pix 505 (Cisco PIX
    Firewall Version 6.3(3) Cisco PIX Device Manager Version 3.0(1), yes, all
    ancient).

    I don't work on PIXes very often, but when I add an inbound rule permitting
    traffic, the PIX prompts me that:

    "No static Network Address Translation (NAT) rule is configured for the
    destination host or network on interface outside. Would you like to add a
    static NAT rule for the host or network now?"

    What exactly do I have to add? I'm basically trying to map connections to
    port 4444, 4445, and 4446 to three internal servers (server 1 4444, 2 4445,
    etc) using the same outside (public) IP address.

    They have 4 public IPs, two are 1:1 NAT mapped to two other servers and
    client traffic is mapped to a third and the PIX external IP isn't used for
    anything.

    Thanks for any help.
     
    Howard Beale, Jan 22, 2008
    #1

  2. There was no PIX 505. On the other hand, your Subject says 501 which
    does exist and is still sold.
    Not so ancient; the latest OS for that is one of the 6.3(5) versions.
    If the system owners are the registered owners of the PIX, they
    are entitled to a free upgrade to the latest 6.3(5) for the security
    fixes.

    static (inside,outside) tcp host PUBLICIP 4444 host SERVER1IP 4444
    static (inside,outside) tcp host PUBLICIP 4445 host SERVER2IP 4445
    static (inside,outside) tcp host PUBLICIP 4446 host SERVER3IP 4446

    and your access-list would look like

    access-list out2in permit tcp any host PUBLICIP range 4444 4446


    Note: the syntax would be slightly different if you were using
    the PIX outside IP as the destination IP for this traffic.
     
    Walter Roberson, Jan 22, 2008
    #2

  3. Howard Beale

    Howard Beale Guest

    Whoops, sorry. I'm sure there's another 505 something on my mind.
    Thanks, I'll check into that.
    Can you tell me what that syntax would look like?

    Thanks!
     
    Howard Beale, Jan 22, 2008
    #3
  4. static (inside,outside) tcp interface 4444 host SERVER1IP 4444
    static (inside,outside) tcp interface 4445 host SERVER2IP 4445
    static (inside,outside) tcp interface 4446 host SERVER3IP 4446

    access-list out2in permit tcp any interface outside range 4444 4446


    That is, in ACLs, to designate the PIX outside IP itself,
    use the literal 'interface outside' instead of the IP; in static, use
    the literal 'interface' instead of the IP.
     
    Walter Roberson, Jan 22, 2008
    #4
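    As an added illustration for this thread (not something either poster wrote or ran), the Python below models how the two pieces Walter gives in #2 and #4 fit together on a PIX 6.x: an inbound TCP SYN on the outside interface is first checked against the outside ACL using the public (pre-translation) destination, and only then does a matching static translate it to the inside server. It parses both syntaxes from the thread (host PUBLICIP and the literal interface keyword), substitutes constructed documentation-range addresses for PUBLICIP, SERVERnIP and the PIX outside address, and shows why a permit without a corresponding static still goes nowhere, which is the situation the PDM prompt in #1 warns about. The model is deliberately narrow: TCP only, any source, eq/range port operators, no policy NAT.

```python
"""Simplified model of PIX 6.x inbound handling: outside ACL, then static xlate.

Added example for the thread, not the posters' code. Addresses are constructed
(RFC 5737 / RFC 1918 ranges) stand-ins for PUBLICIP, SERVERnIP and the PIX
outside address from the thread.
"""
import re
from dataclasses import dataclass

OUTSIDE_IF_IP = "203.0.113.1"  # constructed: what 'interface' resolves to

# Constructed sample config: the thread's lines with placeholder addresses
# filled in, plus one 'interface' style static (the #4 form) for port 4444.
SAMPLE_CONFIG = """
static (inside,outside) tcp host 203.0.113.10 4444 host 10.0.0.11 4444
static (inside,outside) tcp host 203.0.113.10 4445 host 10.0.0.12 4445
static (inside,outside) tcp host 203.0.113.10 4446 host 10.0.0.13 4446
static (inside,outside) tcp interface 4444 host 10.0.0.11 4444
access-list out2in permit tcp any host 203.0.113.10 range 4444 4446
access-list out2in permit tcp any interface outside eq 4444
access-group out2in in interface outside
"""

STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) tcp (?:host (\S+)|(interface)) (\d+) host (\S+) (\d+)$")
ACL_RE = re.compile(
    r"^access-list (\S+) (permit|deny) tcp any "
    r"(?:host (\S+)|(interface outside)) (?:eq (\d+)|range (\d+) (\d+))$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")


@dataclass
class Static:
    public_ip: str    # 'interface' already resolved to the outside address
    public_port: int
    inside_ip: str
    inside_port: int


@dataclass
class Ace:
    action: str
    dst_ip: str
    lo: int
    hi: int


def parse_config(text, outside_ip=OUTSIDE_IF_IP):
    """Parse the subset of PIX 6.x syntax used in the thread."""
    statics, acls, groups = [], {}, {}
    for line in text.strip().splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            pub = outside_ip if m.group(4) else m.group(3)
            statics.append(Static(pub, int(m.group(5)), m.group(6), int(m.group(7))))
        elif m := ACL_RE.match(line):
            dst = outside_ip if m.group(4) else m.group(3)
            lo = int(m.group(5) or m.group(6))
            hi = int(m.group(5) or m.group(7))
            acls.setdefault(m.group(1), []).append(Ace(m.group(2), dst, lo, hi))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)  # interface -> ACL name
        else:
            raise ValueError(f"unsupported line: {line}")
    return statics, acls, groups


def inbound_tcp(dst_ip, dst_port, cfg, iface="outside"):
    """Decide what the PIX does with a new TCP SYN arriving on `iface`."""
    statics, acls, groups = cfg
    # 1. The interface ACL is matched against the public destination. With no
    #    access-group bound, traffic from the lower-security side is dropped.
    name = groups.get(iface)
    if name is None:
        return ("deny", f"no access-group on {iface}")
    verdict = "deny"  # implicit deny at the end of every ACL
    for ace in acls[name]:
        if ace.dst_ip == dst_ip and ace.lo <= dst_port <= ace.hi:
            verdict = ace.action
            break
    if verdict != "permit":
        return ("deny", f"no matching permit in {name}")
    # 2. A permit alone is not enough: without a static there is no
    #    translation for the destination and the packet is dropped.
    for s in statics:
        if s.public_ip == dst_ip and s.public_port == dst_port:
            return ("forward", f"{s.inside_ip}:{s.inside_port}")
    return ("deny", "no static translation for destination")


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for ip, port in [("203.0.113.10", 4445), ("203.0.113.1", 4444),
                     ("203.0.113.10", 4447), ("203.0.113.1", 4445)]:
        print(f"{ip}:{port} -> {inbound_tcp(ip, port, cfg)}")
```

    Running it shows the exposure is exactly the three statics: 203.0.113.10:4445 forwards to 10.0.0.12:4445, the interface-style entry forwards 203.0.113.1:4444 to 10.0.0.11, and anything else (port 4447, or port 4445 on the PIX's own address) is denied by the implicit deny, which is the check worth repeating against a real config after adding rules through PDM.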
  5. Howard Beale

    Howard Beale Guest

    Thanks much! That solves my problem nicely.

    I work with many vendor firewalls and FreeBSD ipfw stuff, but somehow the
    Pix never quite sinks in.
     
    Howard Beale, Jan 23, 2008
    #5
