501 help w/ PAT, or outside NAT?

I've got a pix 501 and I'm trying to figure out how to make inbound connections, depending on the service, route to certain inside machines.

I'm having a hard time wrapping my head around how to do this with CLI (PDM was just unclear for me), but I think what used to be called PAT on my older simpler firewalls is what cisco calls outside NAT. I think it involves access-lists and can't get these to work yet.

So I'm just trying to make this happen with SSH. I don't want the SSH connection to the console, but I want to come from the outside (using any machine, I'll figure out how to narrow that down later, one step at a time for me) and have my SSH connection be routed to a specific machine on my network.

Any help in guiding me on this would be great.


Static PAT Examples

To redirect Telnet traffic from the PIX Firewall outside interface to the inside host at, enter:

static (inside,outside) tcp interface telnet telnet netmask

So do the same sort of thing, except with '22' instead of 'telnet' in both places on the line.

You will also need an access-list:

access-list out2in permit tcp any interface eq 22

and you will need to apply the access-list to the outside interface:

access-group out2in in interface outside

Walter Roberson

Hi, I suppose you are looking for redirecting services on the external interface of the PIX. You can do this with the static NAT command and an access-list.

Static command for SSH:
PIX(config)# static (inside,outside) tcp SSH SSH netmask

NAT for incoming traffic:
PIX(config)# nat (inside) 1 0 0
PIX(config)# global (outside) 1

Create access-list:
access-list OUT-2-IN permit tcp any interface eq 22

Apply the access-list to the interface:
access-group OUT-2-IN in interface outside

Rate if it helps.


You do not need a nat/global pair for incoming traffic.

> SSH netmask

The OP's device is a PIX 501; the PIX 501 does not support PIX 7.x.

In PIX 6.1, PIX 6.2 and 6.3, you cannot use the PIX external IP itself in either the static command or the global command: instead you would use the keyword 'interface'.

static (inside,outside) tcp interface SSH SSH netmask
global (outside) 1 interface

This was valid for PIX 6.1, but in PIX 6.2 and PIX 6.3, ACLs must give an interface name after the keyword 'interface':

access-list OUT-2-IN permit tcp any interface outside eq 22

(I think I might have omitted the 'outside' in my own reply.)

Walter Roberson
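Putting Walter's two replies together (the static PAT plus access-list recipe, and the PIX 6.2/6.3 requirement to name the interface after the 'interface' keyword), here is an added, complete PIX 6.3 configuration fragment for forwarding SSH from the firewall's outside address to one inside host. It is not from the thread or from Cisco's documentation; the inside host 192.168.1.10, the inside mask, and the remote admin address 203.0.113.5 are constructed placeholders, and the access-list name OUT-2-IN is the one used in the thread.

```text
! Added example (not from the thread): PIX 6.3, forward TCP/22 on the outside
! interface's own IP to inside host 192.168.1.10 (constructed address).

! Optional outbound PAT for the LAN. As Walter notes, the inbound redirect does
! not need this pair; it is here only so ordinary outbound traffic keeps working.
! On 6.x the outside IP must be referenced with the 'interface' keyword.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Static PAT: connections to <outside IP>:22 are translated to 192.168.1.10:22.
! Port can be written as 22 or ssh; 'interface' stands in for the outside IP.
static (inside,outside) tcp interface 22 192.168.1.10 22 netmask 255.255.255.255

! Access-list applied inbound on the outside interface. PIX 6.2/6.3 syntax
! requires 'interface outside' (not bare 'interface') as the destination.
! Permitting only the admin host (203.0.113.5, constructed) instead of 'any'
! keeps the forwarded SSH port from being reachable from the whole Internet.
access-list OUT-2-IN permit tcp host 203.0.113.5 interface outside eq 22
access-group OUT-2-IN in interface outside
```

To confirm the translation and the rule are in place, 'show static' lists the static PAT entry, 'show xlate' shows the translation once a connection has been attempted, and 'show access-list OUT-2-IN' reports per-line hit counts, which is the quickest way to tell whether inbound packets are being matched or dropped. Replace 'host 203.0.113.5' with 'any' only if the source really cannot be narrowed; the OP's plan to narrow it later is the right one.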

> SSH netmask

Thanks Walter for correcting me, I did not see the IOS information.
