In article , MeTed wrote:
:I'm trying to re-introduce myself to a Cisco 1710 (Pix 6.3).
I'm confused. The 1700 series runs IOS, not PIX software.
:Everything is already configured from a previous admin. Here are my questions:
:I need to open up a port and forward it to a private IP (192.168.1.25) on my LAN. Is the below the right config?
:access-list inbound permit tcp any host [PUBLIC_IP] eq 3000
That looks like PIX, not IOS. For IOS you would have needed the word 'extended' in order to use a named access-list.
:access-list outbound permit tcp any any eq 3000
It isn't clear why you would want that line, unless you are trying to connect to -other- system's tcp 3000 instead of trying to configure inward access on tcp 3000 to your own systems.
You will need to add
access-group inbound in interface outside
If you are being restrictive about what you allow out, then you will also need
access-group outbound in interface inside
but if you do that then you start running into issues about (e.g.) needing to also explicitly configure outbound DNS queries, outbound http and https and smtp and ...
:static (inside,outside) tcp [PUBLIC_IP] 192.168.1.25 3000 netmask 255.255.255.255 0 0
You need to add a 3000 between [PUBLIC_IP] and the internal IP.
:Next question, and this is what I can't remember, can I simply add these entries into the Cisco, or, when I want to make a change do I have to re-enter the entire config?
New access-list entries normally go at the end of the list, so if you have 'deny' further up in the list, you could run into trouble unless you take special steps to put the entry before the appropriate 'deny'.
In PIX 6.2 and before, the only way to add an entry in the middle of an access-list is to remove the list and rebuild it with the new entry in its proper place. You would not need to change the -whole- configuration of the PIX, just the access-list (and after you remove an access-list and put it back, you need to redo any access-group or nat or static or crypto map command that referred to it.)
In PIX 6.3, a method was added to do insertions in place. You "show" the access-list and you will see line numbers. For example, it might display
access-list inbound line 17 permit tcp any host [PUBLIC_IP] eq smtp
access-list inbound line 18 permit udp any host [PUBLIC_IP] eq dns
In order to add a new entry in place, put it in with the infix line number that it is to be inserted *before*. For example to put the new entry between lines 17 and 18, you would use
access-list inbound line 18 permit tcp any host [PUBLIC_IP] eq 3000
The existing line 18 would get pushed down to line 19.
The order of 'static' commands only matters in obscure circumstances involving "policy static": other than that, the order does not matter because you are not permitted to form overlapping statics in most cases (and when you are, it is longest-match.) You *do*, though, need to be aware that different kinds of static and nat commands have different priorities -- a static mentioning a port number is lower priority than a static that applies to the entire IP. [Personally I think it would have been better the other way around, so that you could easily redirect a particular port to one place and have all other ports go to a different place.]
:Last question: How do I back up the configuration so I have a legitimate way to restore in the event of disaster?
Go into configuration mode (config terminal), use the tftp-server configuration command if you haven't done so, and then "write net". NB "write net" will only work when you are in configuration mode! Which makes it easy to overlook the command or to think it has disappeared.
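The ordering rules the reply describes (first match wins, a plain `access-list` command appends at the end, `line N` inserts before the existing line N and pushes it down, and a new permit landing after a broader deny is never reached) are easy to get wrong when editing a list by hand. The following Python model is an added example, not code from the post or from Cisco; it parses the `any` / `host X` / `eq PORT` forms used above, evaluates a packet against the list, warns when an earlier line already covers a new one, and renders the port-redirect `static` in the corrected form with both port numbers. The address 203.0.113.10 is a constructed stand-in for the post's `[PUBLIC_IP]`.

```python
"""Model of PIX 6.3 access-list ordering: first match wins, a plain
'access-list' command appends, 'access-list NAME line N ...' inserts before
the existing line N.  Added example, not from the post or from Cisco;
203.0.113.10 is a constructed stand-in for [PUBLIC_IP]."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service keywords the PIX accepts in place of a port number (small subset).
SERVICE_PORTS = {"smtp": 25, "dns": 53, "domain": 53, "http": 80, "https": 443}


def _fmt_endpoint(addr: str) -> str:
    return addr if addr == "any" else f"host {addr}"


@dataclass
class AclEntry:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str              # "any" or a host address
    dst: str              # "any" or a host address
    port: Optional[int]   # None means any destination port

    def covers(self, proto: str, src: str, dst: str, port: Optional[int]) -> bool:
        """True if this entry matches the packet, or every packet another entry would."""
        return ((self.proto == "ip" or self.proto == proto)
                and self.src in ("any", src)
                and self.dst in ("any", dst)
                and (self.port is None or self.port == port))

    def render(self, name: str, line: int) -> str:
        port = "" if self.port is None else f" eq {self.port}"
        return (f"access-list {name} line {line} {self.action} {self.proto} "
                f"{_fmt_endpoint(self.src)} {_fmt_endpoint(self.dst)}{port}")


def _endpoint(toks: List[str], i: int) -> Tuple[str, int]:
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    raise ValueError(f"only 'any' and 'host X' endpoints are modelled: {toks[i]!r}")


def parse_acl_command(text: str) -> Tuple[str, Optional[int], AclEntry]:
    """Parse 'access-list NAME [line N] ACTION PROTO SRC DST [eq PORT]'."""
    toks = text.split()
    if toks[0] != "access-list":
        raise ValueError("not an access-list command: " + text)
    name, i, line = toks[1], 2, None
    if toks[i] == "line":
        line, i = int(toks[i + 1]), i + 2
    action, proto, i = toks[i], toks[i + 1], i + 2
    src, i = _endpoint(toks, i)
    dst, i = _endpoint(toks, i)
    port = None
    if i < len(toks) and toks[i] == "eq":
        port = SERVICE_PORTS.get(toks[i + 1]) or int(toks[i + 1])
    return name, line, AclEntry(action, proto, src, dst, port)


class AccessList:
    def __init__(self, name: str):
        self.name = name
        self.entries: List[AclEntry] = []

    def apply(self, command: str) -> List[str]:
        """Apply one command; return a warning for each earlier line that
        already covers the new one (the new entry would never be reached)."""
        name, line, entry = parse_acl_command(command)
        if name != self.name:
            raise ValueError(f"command is for list {name!r}, not {self.name!r}")
        idx = len(self.entries) if line is None else line - 1   # append, or insert before old line N
        self.entries.insert(idx, entry)
        return [f"line {i + 1} ({e.action}) already covers the new line {idx + 1} ({entry.action})"
                for i, e in enumerate(self.entries[:idx])
                if e.covers(entry.proto, entry.src, entry.dst, entry.port)]

    def lookup(self, proto: str, src: str, dst: str, port: int) -> Tuple[Optional[int], str]:
        """First-match evaluation; no match falls through to the implicit deny."""
        for i, e in enumerate(self.entries, 1):
            if e.covers(proto, src, dst, port):
                return i, e.action
        return None, "deny"

    def show(self) -> List[str]:
        """What 'show access-list' prints: each entry with its current line number."""
        return [e.render(self.name, i) for i, e in enumerate(self.entries, 1)]


def static_port_forward(public_ip: str, public_port: int, private_ip: str,
                        private_port: Optional[int] = None) -> str:
    """Port-redirect static in the corrected form: the public port sits
    between the public and private addresses."""
    private_port = public_port if private_port is None else private_port
    return (f"static (inside,outside) tcp {public_ip} {public_port} "
            f"{private_ip} {private_port} netmask 255.255.255.255 0 0")


if __name__ == "__main__":
    acl = AccessList("inbound")
    for cmd in ("access-list inbound permit tcp any host 203.0.113.10 eq smtp",
                "access-list inbound permit udp any host 203.0.113.10 eq dns",
                "access-list inbound deny ip any host 203.0.113.10"):
        acl.apply(cmd)
    # Appended: lands after the deny and is never reached.
    print(acl.apply("access-list inbound permit tcp any host 203.0.113.10 eq 3000"))
    print(acl.lookup("tcp", "198.51.100.7", "203.0.113.10", 3000))
    # Inserted with 'line 2': the old line 2 moves down to line 3.
    acl.apply("access-list inbound line 2 permit tcp any host 203.0.113.10 eq 3000")
    print("\n".join(acl.show()))
    print(acl.lookup("tcp", "198.51.100.7", "203.0.113.10", 3000))
    print(static_port_forward("203.0.113.10", 3000, "192.168.1.25"))
```

Running the script shows the appended permit being shadowed by the deny on line 3 and then, after the `line 2` insert, the same packet matching the permit on line 2. The shadow warning is the check worth keeping when scripting changes against a real list: it catches the "new entry went in after a deny" case before the change is pushed.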