[c-nsp] adding a port forward on a Cisco Pix

Scott Granados gsgranados at comcast.net
Thu Jul 16 12:15:17 EDT 2009


Tony, this is perfect thank you.


Huge help!

----- Original Message ----- 
From: "Tony" <td_miles at yahoo.com>
To: <cisco-nsp at puck.nether.net>; "Scott Granados" <gsgranados at comcast.net>
Sent: Wednesday, July 15, 2009 6:52 PM
Subject: Re: [c-nsp] adding a port forward on a Cisco Pix



Hi Scott,

For your NAT to work you need two things:
1. static command
2. Access-list

> static (outside,inside) tcp general-internet-rtr-svc-nat 80 
> inside-ip-object 80 netmask 255.255.255.255 0 0

You have it round the wrong way, you would need:

  static (inside,outside) tcp outside_ip outside_port inside_ip inside_port

It's confusing but the bit in brackets (for the interfaces) has inside first 
and outside second and then when you specify the IP addresses and ports you 
have outside first, then inside second.

And then you would need an ACL like this:

  access-list 101 permit tcp any host outside_ip outside_port

And then you need to apply the ACL to inbound traffic on the outside 
interface:

  access-group 101 in interface outside


I don't know about using object groups to specify the IP addresses, it 
should work as long as you've got it correct. I would try with putting the 
actual IP addresses in the commands and then once you know it works you can 
change them to objects.

You can find a list of PIX configuration examples here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
http://tinyurl.com/3o7gk

One specifically for NAT is:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml
http://tinyurl.com/yqeap

Make sure you follow which parts are for earlier PIX versions and your 
version. The earlier versions use the "conduit" command instead of an access 
list.


regards,
Tony

--- On Thu, 16/7/09, Scott Granados <gsgranados at comcast.net> wrote:

> From: Scott Granados <gsgranados at comcast.net>
> Subject: [c-nsp] adding a port forward on a Cisco Pix
> To: cisco-nsp at puck.nether.net
> Date: Thursday, 16 July, 2009, 7:52 AM
> Hi, so I've started working with the
> Pix and am trying to forward port 80 and 443 in from an
> outside facing address to a 10.x space inside. I have
> two basic interfaces (outside and inside) and am running Pix
> 6.3 for firmware.
>
> I was thinking the following line would work but wasn't
> sure if I formatted it correctly.
>
> static (outside,inside) tcp general-internet-rtr-svc-nat 80
> inside-ip-object 80 netmask 255.255.255.255 0 0
>
> general-internet-rtr-svc-nat is an object group name that
> contains a network-object-host with the outside static IP
> defined.
>
> Is this more or less correct? Should I invert the
> address objects or are they in the proper order? Any
> basic pointers or pointers to good examples would be
> appreciated.
>
> Thank you
> Scott
>
>
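A full PIX 6.3 forward for both ports Scott asked about, written in the order Tony describes (interfaces inside-first, addresses outside-first) and extended to 443. This is an added example, not configuration from the thread; 203.0.113.10 (outside address) and 10.1.1.10 (inside web server) are constructed placeholders, and object-group names are replaced with literal addresses as Tony suggests for the first test.

```cisco
! Added example, not from the thread. Constructed addresses:
!   203.0.113.10 = public address on the outside interface
!   10.1.1.10    = web server on the inside interface
!
! static (inside,outside) tcp outside_ip outside_port inside_ip inside_port netmask mask max_conns emb_limit
! Interface pair reads inside-first; the address/port pairs read outside-first.
! The trailing "0 0" leaves the connection and embryonic-connection limits unlimited.
static (inside,outside) tcp 203.0.113.10 80  10.1.1.10 80  netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 443 10.1.1.10 443 netmask 255.255.255.255 0 0
!
! The static only creates the translation. Traffic entering the lower-security
! outside interface is still dropped until an ACL permits it, and on PIX 6.3 the ACL
! matches the translated (outside) address and port, so permit only the two ports
! that are actually forwarded.
access-list 101 permit tcp any host 203.0.113.10 eq 80
access-list 101 permit tcp any host 203.0.113.10 eq 443
!
! Apply the ACL once, inbound on the outside interface.
access-group 101 in interface outside
```

After applying it, `show access-list 101` shows per-line hit counts, which tells you whether inbound packets are reaching the ACL at all or are being dropped before translation.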