Posted by on October 2, 2006, 1:06 pm
Just have a quick question. What is (inside,outside) in a command line like this?

  static (inside,outside) tcp interface ...... ??

Regards
Henrik

Posted by Walter Roberson on October 2, 2006, 2:17 pm
>static (inside,outside) tcp interface ...... ??

Those are interface names as given by nameif commands.

The meaning is that if a packet arrives at the interface named first, going to the interface named second, and the packet matches the specification given on the *end* of the line (not the middle!), then the -source- IP address and port should be translated and the destination IP and port should be left alone; and if a packet arrives at the second interface named, headed for the first interface named, and the packet matches the specification given in the *middle* of the line, then the -destination- IP address and port should be translated and the source IP and port should be left alone.

Posted by on October 2, 2006, 2:32 pm
But I still don't understand it. Why are there these ( ) around inside,outside) ?
So inside, outside in this will mean ..?

  static (inside,outside) tcp interface 3389 inside ip 3389 netmask 255.255.255.255

Sorry, I'm really trying to understand it :)

Walter Roberson wrote:
> >Just have a quick question.
> >What is (inside,outside) in a command line like this?
> >
> >static (inside,outside) tcp interface ...... ??
>
> Those are interface names as given by nameif commands.
>
> The meaning is that if a packet arrives at the interface named
> first, going to the interface named second, and the packet matches
> the specification given on the *end* of the line (not the middle!),
> then the -source- IP address and port should be translated and the
> destination IP and port should be left alone; and if a packet arrives
> at the second interface named, headed for the first interface named,
> and the packet matches the specification given in the *middle* of the
> line, then the -destination- IP address and port should be translated
> and the source IP and port should be left alone.

Posted by Walter Roberson on October 2, 2006, 2:52 pm
>But I still don't understand it. Why are there these ( ) around
>inside,outside) ?

Why not? :) Cisco can invent any syntax it likes.

But in answer to the question: the interface pair is optional in the syntax. The documentation is not clear, but the default is probably (inside,outside) . The () tells the parser that the interface pair was included.

>So inside, outside in this will mean ..?
>static (inside,outside) tcp interface 3389 inside ip 3389 netmask 255.255.255.255

That "inside ip" should be replaced with a single internal IP address such as,

  static (inside,outside) tcp interface 3389 192.168.111.222 3389 netmask 255.255.255.255

The word 'interface' is a special keyword and means "the IP address of the interface we are talking about".

The above means "If a packet arrives on the outside interface with a destination IP which is the same as the PIX's outside IP, and the packet is a TCP packet and the destination port is 3389, then the packet should be rewritten so that the destination is port 3389 on address 192.168.111.222 of the inside interface.". It also means (at the same time), "If a packet arrives on the inside interface with a source IP of 192.168.111.222 and a source port of 3389 then the packet should be rewritten so that the source port is 3389 and the source IP is the IP of the PIX's outside interface."

The confusing part of this is that the first part after the ) corresponds to the specification for the -second- interface listed, and the -second- part after the ) corresponds to the specification for the -first- interface listed:

  static (FIRST,SECOND) SECOND FIRST

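The two-way rewrite described in the post above, modelled as an added Python example that is not part of the original thread or of any Cisco code. The names `parse_static` and `translate` are hypothetical, and the outside interface address 203.0.113.10 and the client 198.51.100.7 are constructed sample values.

```python
import re
from typing import NamedTuple

class Static(NamedTuple):
    first_if: str      # FIRST name in the parentheses (real side)
    second_if: str     # SECOND name in the parentheses (mapped side)
    proto: str
    second_ip: str     # spec right after ")": address seen on SECOND
    second_port: int
    first_ip: str      # spec at the end of the line: host behind FIRST
    first_port: int

STATIC_RE = re.compile(
    r"static\s+\(\s*(\w+)\s*,\s*(\w+)\s*\)\s+(tcp|udp)\s+(\S+)\s+(\d+)"
    r"\s+(\S+)\s+(\d+)\s+netmask\s+255\.255\.255\.255$")

def parse_static(line, interface_ips):
    """Parse a port-redirection static and resolve the 'interface' keyword."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError("not a port-redirection static: %r" % line)
    first_if, second_if, proto, s_ip, s_port, f_ip, f_port = m.groups()
    if s_ip == "interface":            # "the IP address of that interface"
        s_ip = interface_ips[second_if]
    return Static(first_if, second_if, proto, s_ip, int(s_port), f_ip, int(f_port))

def translate(rule, pkt):
    """Return a rewritten copy of pkt (keys: in_if, proto, src, sport, dst, dport)."""
    out = dict(pkt)
    if pkt["proto"] != rule.proto:
        return out
    if (pkt["in_if"] == rule.second_if
            and (pkt["dst"], pkt["dport"]) == (rule.second_ip, rule.second_port)):
        # Arrived on SECOND, matches the middle spec: rewrite destination only.
        out["dst"], out["dport"] = rule.first_ip, rule.first_port
    elif (pkt["in_if"] == rule.first_if
            and (pkt["src"], pkt["sport"]) == (rule.first_ip, rule.first_port)):
        # Arrived on FIRST, matches the end spec: rewrite source only.
        out["src"], out["sport"] = rule.second_ip, rule.second_port
    return out

# Constructed sample data: the outside address and the client are assumptions.
OUTSIDE_IP = "203.0.113.10"
RULE = parse_static(
    "static (inside,outside) tcp interface 3389 192.168.111.222 3389 "
    "netmask 255.255.255.255", {"outside": OUTSIDE_IP})
INBOUND = translate(RULE, {"in_if": "outside", "proto": "tcp",
    "src": "198.51.100.7", "sport": 50000, "dst": OUTSIDE_IP, "dport": 3389})
REPLY = translate(RULE, {"in_if": "inside", "proto": "tcp",
    "src": "192.168.111.222", "sport": 3389, "dst": "198.51.100.7", "dport": 50000})
```

The static only defines the translation; on the PIX, inbound connections to the redirected port still have to be permitted by an access list applied to the outside interface.
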
Posted by on October 2, 2006, 4:02 pm
Thanks for the answer :)
So can you help me with my next problem? I would like to set up a port forwarding for my VNC. How do I do that? I got a PIX 501.

Walter Roberson wrote:
> >But I still don't understand it. Why are there these ( ) around
> >inside,outside) ?
>
> Why not? :) Cisco can invent any syntax it likes.
>
> But in answer to the question: the interface pair is optional
> in the syntax. The documentation is not clear, but the default
> is probably (inside,outside) . The () tells the parser that the
> interface pair was included.
>
> >So inside, outside in this will mean ..?
> >static (inside,outside) tcp interface 3389 inside ip 3389 netmask 255.255.255.255
>
> That "inside ip" should be replaced with a single internal IP address
> such as,
>
> static (inside,outside) tcp interface 3389 192.168.111.222 3389 netmask 255.255.255.255
>
> The word 'interface' is a special keyword and means "the IP address of
> the interface we are talking about".
>
> The above means "If a packet arrives on the outside interface with
> a destination IP which is the same as the PIX's outside IP, and the
> packet is a TCP packet and the destination port is 3389, then the
> packet should be rewritten so that the destination is port 3389
> on address 192.168.111.222 of the inside interface.". It also means
> (at the same time), "If a packet arrives on the inside interface
> with a source IP of 192.168.111.222 and a source port of 3389
> then the packet should be rewritten so that the source port is 3389
> and the source IP is the IP of the PIX's outside interface."
>
> The confusing part of this is that the first part after the )
> corresponds to the specification for the -second- interface listed,
> and the -second- part after the ) corresponds to the specification
> for the -first- interface listed:
>
> static (FIRST,SECOND) SECOND FIRST

what does this mean ? (inside,outside)