trying to set up 501 with missing frontal lobe

Discussion in 'Cisco' started by peter breugle, May 4, 2004.

  1. Using PDM is driving me crazy. If I understood Cisco better it might be
    a more useful tool.

    Someone please validate my understanding:

    Given a single external address:
    Port mapping takes place on the external interface e.g. 8080->80
    service is mapped from external interface to internal e.g. www to
    internal static address. Is this correct?

    I have created hostnames for my static internal systems to make mapping
    easier. If I understand this correctly, I can change the static internal
    addresses and all of the rules that I have set using the hostnames will
    follow (nice!). Am I using this for the intended purpose?

    My external address is static but not fixed. My ISP (RCN Cable) will reboot
    their routers once a quarter or so and I get a new external address. I
    can't seem to create a network name for the external address created
    via DHCP on the external interface. This would seem very useful since
    the external address will change from time to time. If I understand it
    correctly, I need to have a name or address for the external address
    (single address) so that I can map services. I can't seem to do this in
    the PDM, but could under CLI right?

    Am I better off skipping the PDM and using it only for monitoring and
    graphing? I've already found it easier to set up telnet/ssh etc from the
    CLI - and I don't even (I guess this is obvious) know what I am doing.

    Please understand, that my goal here is not to be an IOS guru. I am just
    trying to get a better firewall and function in place than my previous
    toy Linksys.

    Here is an example of a CLI attempt at port forwarding. I can see the
    traffic is coming in, but it doesn't work: (external address fake)

    mypix# access-list 101 permit tcp any host 207.236.23.30 eq 8080
    mypix# ip address (outside) 1 207.236.23.30
    mypix# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    mypix# static (inside, outside) tcp 207.236.23.30 8080 192.168.1.11 www netmask
    mypix# access-group 101 in interface outside
    mypix# access-list 101 permit tcp any host 207.236.23.30 eq 8080
    mypix# access-group 101 in interface outside
    mypix# access-list 101 permit tcp any host 207.236.23.30 eq 8080
    mypix# static (inside, outside) tcp 207.237.0.30 8080 192.168.1.10 www netmask 255.255.255.255 0 0

    As a side note, I do plan to shift my internal addresses to another
    range so that they won't collide with another system using VPN. I assume
    using hostnames will make that easier.



    - p -
     
    peter breugle, May 4, 2004
    #1

  2. :Using PDM is driving me crazy.

    :Given a single external address:
    :port mapping takes place on the external interface e.g. 8080->80
    :service is mapped from external interface to internal e.g. www to
    :internal static address. Is this correct?

    If configured that way, yes.


    :I have created hostnames for my static internal systems to make mapping
    :easier. If I understand this correctly, I can change the static internal
    :addresses and all of the rules that I have set using the hostnames will
    :follow (nice!). Am I using this for the intended purpose?

    I don't know whether that's true in PDM. If you were to go in through
    the CLI and were to change the IP address associated with that 'name'
    command, then the rest of the configuration would continue to reflect
    the old IP. I'm almost always working through the CLI, so I keep my
    config in a text file and use "config net" to tftp it in. That way,
    whatever IP address I have associated with the 'name' will be applied
    for the rest of the config.


    :My external address is static but not fixed. My ISP (RCN Cable) will reboot
    :their routers once a quarter or so and I get a new external address. I
    :can't seem to create a network name for the external address created
    :via DHCP on the external interface. This would seem very useful since
    :the external address will change from time to time. If I understand it
    :correctly, I need to have a name or address for the external address
    :(single address) so that I can map services.

    No. In the CLI, you would use the keyword 'interface' in place of
    an IP address in any command (such as 'static') that mentions an
    interface by name, and [as of 6.3(3)] you would use the
    keyword 'interface outside' in ACLs.


    :Here is an example of a CLI attempt at port forwarding. I can see the
    :traffic is coming in, but it doesn't work: (external address fake)

    :mypix# static (inside, outside) tcp 207.236.23.30 8080 192.168.1.11 www netmask

    static (inside, outside) tcp interface 8080 192.168.1.11 www netmask ...

    :mypix# access-group 101 in interface outside
    :mypix# access-list 101 permit tcp any host 207.236.23.30 eq 8080

    You should define the access-list before you try to 'access-group' it.

    access-list 101 permit tcp any interface outside eq 8080

    Or in the case (such as yours) where only one IP address reaches the PIX,

    access-list 101 permit tcp any any eq 8080
     
    Walter Roberson, May 4, 2004
    #2
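A complete PIX 6.3 port-forward configuration that follows the advice in the reply above, added here as an example (it is not from the thread; it assumes the poster's inside web server at 192.168.1.11 and the same ACL number 101):

```cisco
! Outside address is learned from the ISP by DHCP; 'setroute' also installs the default route it hands out
ip address outside dhcp setroute
! Name the inside web server so a later renumbering is a one-line change
! (reload the whole file with 'config net' so the new address is applied throughout)
name 192.168.1.11 webserver
! Outbound PAT for every inside host, hiding behind whatever address 'outside' currently holds
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
! Port forward outside:8080 -> webserver:80, keyed to the interface rather than a fixed external IP
static (inside,outside) tcp interface 8080 webserver www netmask 255.255.255.255 0 0
! Define the ACL first, then bind it; the 'interface outside' keyword needs 6.3(3) or later
access-list 101 permit tcp any interface outside eq 8080
access-group 101 in interface outside
```

After loading it, 'show static' and 'show access-list 101' (which reports hit counts) confirm the translation exists and that inbound 8080 traffic is actually matching the permit line.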

  3. I tried your suggestion and it makes sense. I am still getting no joy,
    but I think I have some other sludge that is getting in the way. In any
    case your suggestion makes sense and helps me to go back to the sludge
    that may be at fault.

    thanks
     
    peter breugle, May 5, 2004
    #3
