[c-nsp] static Nat on Non Standard TCP port on PIX 506

Michael K. Smith - Adhost mksmith at adhost.com
Thu Jul 19 12:34:34 EDT 2007


Hello Peter:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Peter Nyamukusa
> Sent: Thursday, July 19, 2007 5:21 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] static Nat on Non Standard TCP port on PIX 506
> 
> 
> Hi guys,
> 
> I am trying to allow external access to an Oracle web server sitting on a
> private IP behind a PIX 506.
> The public IP is 2.2.2.2 and the private IP of the server is 192.168.1.5 and
> the application is running on port 7778.
> I am accessing the server from a source IP 10.1.1.2 but it's not working. Any
> pointers in the right direction?
> 
> My config is as below:
> 
<snip>
> static (inside,outside) tcp interface 7778 2.2.2.2.2. 7778 netmask 255.255.255.255 0 0
> static (inside,outside) 2.2.2.2 192.168.1.5 netmask 255.255.255.255 0 0
> access-group INBOUND in interface outside
> route outside 0.0.0.0 0.0.0.0 1.1.1.1
> 

You cannot have more than one static to the same address per
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694
under "static".  If the traffic is coming into a single IP address, why not
do this?

static (inside,outside) 2.2.2.2 192.168.1.5
access-list INBOUND permit tcp any host 2.2.2.2 eq 7778

and remove:

static (inside,outside) tcp interface 7778 2.2.2.2.2. 7778

Regards,

Mike
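
An alternative to the one-to-one static suggested above, shown as an added example that is not part of the original message: a port-only static (static PAT) in PIX 6.3 syntax, so that only TCP 7778 on the public address is translated to the server. It reuses the thread's addresses and the INBOUND ACL name, and assumes 2.2.2.2 is not the outside interface's own address (if it is, the `interface` keyword takes the place of the IP).

```cisco
: Added example, not from the original thread.
: Remove the one-to-one static so only one static references 2.2.2.2.
no static (inside,outside) 2.2.2.2 192.168.1.5 netmask 255.255.255.255 0 0

: Static PAT: translate only TCP 7778 on 2.2.2.2 to the server's port 7778.
static (inside,outside) tcp 2.2.2.2 7778 192.168.1.5 7778 netmask 255.255.255.255 0 0

: Permit the inbound port on the outside ACL and bind the ACL to the interface.
access-list INBOUND permit tcp any host 2.2.2.2 eq 7778
access-group INBOUND in interface outside

: Flush translations built from the old statics, then verify.
clear xlate
show static
show xlate
show access-list INBOUND
```

With this form the server's other ports have no translation at all, so an overly broad entry added to INBOUND later does not expose them; the hit counter in `show access-list INBOUND` confirms whether test connections reach the permit line.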



