[c-nsp] adding a port forward on a Cisco Pix

Tony td_miles at yahoo.com
Wed Jul 15 21:52:46 EDT 2009


Hi Scott,

For your NAT to work you need two things:
1. static command
2. Access-list

> static (outside,inside) tcp general-internet-rtr-svc-nat 80 inside-ip-object 80 netmask 255.255.255.255 0 0

You have it round the wrong way, you would need:

  static (inside,outside) tcp outside_ip outside_port inside_ip inside_port

It's confusing but the bit in brackets (for the interfaces) has inside first and outside second and then when you specify the IP addresses and ports you have outside first, then inside second.

And then you would need an ACL like this:

  access-list 101 permit tcp any host outside_ip eq outside_port

And then you need to apply the ACL to inbound traffic on the outside interface:

  access-group 101 in interface outside


I don't know about using object groups to specify the IP addresses, it should work as long as you've got it correct. I would try with putting the actual IP addresses in the commands and then once you know it works you can change them to objects.

You can find a list of PIX configuration examples here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
http://tinyurl.com/3o7gk

One specifically for NAT is:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml
http://tinyurl.com/yqeap

Make sure you follow which parts are for earlier PIX versions and your version. The earlier versions use the "conduit" command instead of an access list.


regards,
Tony

--- On Thu, 16/7/09, Scott Granados <gsgranados at comcast.net> wrote:

> From: Scott Granados <gsgranados at comcast.net>
> Subject: [c-nsp] adding a port forward on a Cisco Pix
> To: cisco-nsp at puck.nether.net
> Date: Thursday, 16 July, 2009, 7:52 AM
> Hi, so I've started working with the
> Pix and am trying to forward port 80 and 443 in from an
> outside facing address to a 10.x space inside.  I have
> two basic interfaces (outside and inside) and am running Pix
> 6.3 for firmware.
> 
> I was thinking the following line would work but wasn't
> sure if I formatted it correctly.
> 
> static (outside,inside) tcp general-internet-rtr-svc-nat 80
> inside-ip-object 80 netmask 255.255.255.255 0 0
> 
> general-internet-rtr-svc-nat is an object group name that
> contains a network-object-host with the outside static IP
> defined.
> 
> Is this more or less correct?  Should I invert the
> address objects or are they in the proper order?  Any
> basic pointers or pointers to good examples would be
> appreciated.
> 
> Thank you
> Scott
> 
>
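As an added example (not from either message), here is the complete PIX 6.3 fragment that Tony's three steps produce for the two ports Scott asked about, using literal addresses as Tony suggests before switching to object groups. The addresses are constructed placeholders: 203.0.113.10 stands for the outside static IP and 10.1.1.10 for the inside server.

```text
! Added example, not from the thread. PIX 6.3 port forward for TCP 80 and 443.
! 203.0.113.10 = constructed outside static IP, 10.1.1.10 = constructed inside server.
!
! Interface pair is (real,mapped) = (inside,outside); the addresses that follow are
! mapped (outside) first, then real (inside).
static (inside,outside) tcp 203.0.113.10 80 10.1.1.10 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 443 10.1.1.10 443 netmask 255.255.255.255 0 0
!
! Permit only the two forwarded ports from the outside. Anything not listed is dropped
! by the implicit deny at the end of the list, so no other inside port is exposed.
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-list outside_in permit tcp any host 203.0.113.10 eq 443
!
! Bind the list to inbound traffic on the outside interface (this is what replaces
! the old "conduit" command on pre-ACL PIX versions).
access-group outside_in in interface outside
!
! Verification from exec mode: the static translations should be listed, and the
! access-list hit counts should increase when a client connects to 80 or 443.
show static
show access-list outside_in
```

The order of the two blocks matters for troubleshooting: if `show access-list` shows hits but the connection still fails, the static is wrong; if it shows no hits at all, the ACL or the access-group binding is wrong.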

