[c-nsp] static Nat on Non Standard TCP port on PIX 506

Howard Leadmon howard at leadmon.net
Thu Jul 19 13:34:58 EDT 2007


Your static translations don't look right, I would remove them and try
something like this:

static (inside,outside) tcp interface 7778 192.168.1.5 7778 netmask 255.255.255.255 0 0

Also your inbound ACL should read:

access-list INBOUND permit tcp any host 192.168.1.5 eq 7778


The real big question is, if you're on another LAN trying to get to the server
behind the PIX, and your IP is 10.1.1.2, then your end is being translated as
well, or you'd better have a VPN to route the two private networks together..


---
Howard Leadmon 
http://www.leadmon.net


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Peter Nyamukusa
> Sent: Thursday, July 19, 2007 8:21 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] static Nat on Non Standard TCP port on PIX 506
> 
> 
> Hi guys,
> 
> I am trying to allow external access to an Oracle web server sitting on a
> private IP behind a PIX 506.
> The public IP is 2.2.2.2, the private IP of the server is 192.168.1.5 and
> the application is running on port 7778.
> I am accessing the server from a source IP of 10.1.1.2 but it's not working; any
> pointers in the right direction?
> 
> My config is as below:
> 
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> access-list INBOUND permit tcp any host 10.1.1.2 eq 7778
> 
> < Omitted >
> 
> static (inside,outside) tcp interface 7778 2.2.2.2.2. 7778 netmask 255.255.255.255 0 0
> static (inside,outside) 2.2.2.2 192.168.1.5 netmask 255.255.255.255 0 0
> access-group INBOUND in interface outside
> route outside 0.0.0.0 0.0.0.0 1.1.1.1
> 
> 
> 
> 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
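The mistakes in the quoted config (a malformed address in the port static, the local operand pointing at the public address instead of the server, and an inbound ACL whose destination is the client's address rather than a translated address) are all things a small config check can catch before the box is reloaded. The following is an added example written for this archive page, not code from either poster or from Cisco. It assumes an inside network of 192.168.1.0/24 and an outside interface address of 203.0.113.1 (a documentation address; the thread never says what the `interface` keyword resolves to). One fact it relies on that neither message spells out: on PIX 6.x, an access-list applied inbound on the outside interface is matched against the translated (global) address and port, so the checker expects the ACL destination to be the static's global side, not the server's inside address. The "fixed" sample is likewise constructed here; if 2.2.2.2 is actually the outside interface address, the port static would use the `interface` keyword instead and the ACL would still name that address.

```python
"""Lint PIX 6.x 'static' / 'access-list' pairs for the mistakes seen in the thread.

Assumptions (not stated in the thread): inside network 192.168.1.0/24 and an
outside interface address of 203.0.113.1, which 'interface' resolves to.
"""
import ipaddress

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")  # assumption
OUTSIDE_IF_ADDR = "203.0.113.1"                       # assumption


def parse_static(line):
    """static (real_if,mapped_if) [tcp|udp] MAPPED [MPORT] REAL [RPORT] netmask MASK ..."""
    t = line.split()
    i, proto = 2, None
    if t[i] in ("tcp", "udp"):
        proto, i = t[i], i + 1
    mapped, i = t[i], i + 1
    mport = None
    if proto:
        mport, i = int(t[i]), i + 1
    real, i = t[i], i + 1
    rport = int(t[i]) if proto else None
    return {"line": line, "proto": proto, "mapped": mapped, "mport": mport,
            "real": real, "rport": rport}


def parse_acl(line):
    """access-list NAME permit|deny PROTO SRC DST [eq PORT]; 'any' and 'host A' operands only."""
    t = line.split()
    i = 4

    def operand():
        nonlocal i
        if t[i] == "any":
            i += 1
            return "any"
        i += 2                      # 'host A.B.C.D'
        return t[i - 1]

    src, dst = operand(), operand()
    port = int(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
    return {"line": line, "name": t[1], "action": t[2], "proto": t[3],
            "src": src, "dst": dst, "port": port}


def valid_ip(tok):
    try:
        ipaddress.ip_address(tok)
        return True
    except ValueError:
        return False


def global_side(s):
    return OUTSIDE_IF_ADDR if s["mapped"] == "interface" else s["mapped"]


def lint(config):
    """Return a list of findings (empty when the statics and ACLs are consistent)."""
    statics, acls, findings = [], [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("static "):
            statics.append(parse_static(line))
        elif line.startswith("access-list "):
            acls.append(parse_acl(line))

    for s in statics:
        for label, addr in (("global", global_side(s)), ("local", s["real"])):
            if not valid_ip(addr):
                findings.append(f"{s['line']}: {label} address {addr!r} is not a valid IPv4 address")
        if valid_ip(s["real"]) and ipaddress.ip_address(s["real"]) not in INSIDE_NET:
            findings.append(f"{s['line']}: local address {s['real']} is not on the inside "
                            "network; the local operand must be the server's private address")

    # PIX 6.x: an ACL inbound on outside is matched against the translated (global) side.
    for a in acls:
        if a["action"] != "permit" or a["dst"] == "any":
            continue
        matched = any(global_side(s) == a["dst"] and
                      (s["proto"] is None or
                       (s["proto"] == a["proto"] and s["mport"] == a["port"]))
                      for s in statics)
        if not matched:
            names_inside = any(s["real"] == a["dst"] for s in statics)
            why = ("names the inside (local) address; outside ACLs match the global address"
                   if names_inside else "is not the global address/port of any static")
            findings.append(f"{a['line']}: destination {a['dst']} {why}")
    return findings


# Constructed sample: the statics and ACL as quoted in the thread.
POSTED = """\
access-list INBOUND permit tcp any host 10.1.1.2 eq 7778
static (inside,outside) tcp interface 7778 2.2.2.2.2. 7778 netmask 255.255.255.255 0 0
static (inside,outside) 2.2.2.2 192.168.1.5 netmask 255.255.255.255 0 0
access-group INBOUND in interface outside
"""

# Constructed corrected version: one port static on the public address, and an
# ACL that names that global address and port.
FIXED = """\
access-list INBOUND permit tcp any host 2.2.2.2 eq 7778
static (inside,outside) tcp 2.2.2.2 7778 192.168.1.5 7778 netmask 255.255.255.255 0 0
access-group INBOUND in interface outside
"""

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(f"== {name}: {len(lint(cfg))} finding(s)")
        for f in lint(cfg):
            print("  ", f)
```

Run it as-is and the posted config produces two findings (the malformed local address in the port static and an ACL destination that is no static's global side), while the corrected config produces none. The check deliberately ignores `deny` entries and `any` destinations; extend `parse_acl` if your configs use the network/mask operand form.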