Help requested with setting static IP Cisco PIX 501

I am trying to set up my PIX 501 with a static IP given from my ISP. I am able to access the internet from my network when the PIX is set to its factory default configuration as dynamic on the outside interface, but when I set it to static and put the IP and subnet mask, nothing. Also using the wizard does not work. I am guessing it has something to do with the NAT. I use the PDM to access the PIX. I am not using the PIX as a DHCP server.

Thanks

Maximus Prime

OK, I want users to access the server with remote desktop connection, but do not want them to have to use Cisco VPN client. How do I set up the PIX (using PDM) to allow that to pass through if I have only one static IP. Set the server as a static IP and configure the PIX to allow connections to it through the port (3389)? This is less secure but it is easier for the everyday user.

ANY thoughts would be appreciated

Maximus Prime

In about 5 years of active use of this group, I've seen about.... ummmm, lemme think... somewhere around four "how do I do this using PDM" questions answered with actual instructions on how to do task in the PDM.

When I saw in your original posting that you wanted to use PDM to solve your problem, I stopped reading. When I saw in your follow-up that you wanted to use PDM to solve your modified question, I stopped paying attention to what the question actually was.

Walter Roberson

So there is no doubt Walter knows what he is doing.

I have always looked at groups like these as a place professionals and aspiring professionals could come, share knowledge, and help each other out. There is no reason for a flame war here.

Let's not everyone get our panties in a bunch.

I am not going to attempt to assume anything here. So do you know how to set a static IP address on the PIX via the command line? Hopefully you have telnet access to the PIX. Do you know how to set up PAT/NAT on the PIX? I myself am not a PDM lover like most people on this forum. For some reason it confuses me more than the command line and does not give you all the functionality of the CLI.

A quick Google search found this:

formatting link
You will have to modify the example to fit your setup a little but it will certainly fill in what you need. This example is on 6.x. If your pix is running something earlier than 6.x you have to search google again. I did a simple search for configure cisco pix 6.x

To set the IP address of the outside interface, try this:

    ip address outside <ipaddress> <subnet mask>

To set up NAT, it can be done a couple of different ways:

    nat (inside) 1 0.0.0.0 0.0.0.0
        - NATs everything on the inside interface to what is configured on the outside interface NAT pool/PAT configuration.
    nat (inside) 1 <network id> <subnet mask>
        - will only NAT the network which is specified.
    nat (inside) 1 <host address> 255.255.255.255
        - will NAT only the host.
    nat (inside) 1 access-list <name of access list>
        - NATs hosts specified in an ACL.

    global (outside) 1 <single ip address/range of ip addresses> <subnet mask>
    global (outside) 1 137.25.200.12 <subnet mask>
        - applies PAT to a single address.
    global (outside) 1 172.25.25.33-172.25.25.62 255.255.255.224
        - applies a NAT pool.

Feel free to email me sdj30 at hotmail.com.

Newbie72

What have you been reading about?

It is different if you post something like "I tried the following commands, I read the log files, however I did not find out what is happening."

Please tell us what you have configured and we will try to assist you.

Lalo

That won't work in PIX 6 for any PIX device with a single public IP. You have to make an interface reference rather than an IP reference. Also, nat/global pairs are not suitable for forwarding individual ports such as the original poster needs.

Walter Roberson

I have an answer to your question: You will have any data sent to a specific TCP port on your firewall's outside IP address translated through the firewall to the same port on your actual inside server's IP address. Some people call it NAT, some people call it PAT, some people call it "port forwarding", but today you will call it a static translation. It is common for a connection that has a single Internet IP address to forward traffic received (example here) on the firewall's TCP port 80 to a web server, TCP port 25 to a separate e-mail server, and UDP port 7777 to some application-specific server. In the end of this example, three servers on the inside of the firewall are accessible through a single Internet IP address on the firewall. As long as the access-list on the outside interface permits connections in to these TCP and UDP ports on the firewall's outside IP address, they are forwarded to the same on the inside.

Through whatever means you have available to you, configure the firewall to forward any traffic on the outside IP address to TCP port 3389 to actually go to the server's inside IP address to TCP port 3389.

The PDM might be convenient, but we encourage you to really learn how things work on the command line. For now, try using the PDM and then see what actual configuration mode commands were entered by the PDM after your changes. To really get the most out of your connection, I recommend looking into the newer and more advanced ASDM. A higher version of the PIX OS would be required for that. It is just something to look into.

Here are the commands which you would enter from the console, presuming that your interfaces are named "outside" and "inside" and your server was at 192.168.1.4:

    static (inside,outside) tcp interface 3389 192.168.1.4 3389 netmask 255.255.255.255

Make sure that your access-list permits this connection. Check your work with a "show xlate" command.

-----
Scott Perry
Indianapolis, IN
-----

P.S. (to all) I am not aware of any accomplishment which constitutes the behavior that I saw in this newsgroup this month. Glad I was away from it for a while.

Scott Perry
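A complete PIX 6.x configuration fragment that ties together Newbie72's "ip address" / nat / global commands and Scott's static translation for a single-public-IP PIX 501. This is an added example, not taken from any post in the thread. It assumes PIX OS 6.3 (the "interface" keyword in access-list lines needs 6.3 or later), constructed addresses from the 203.0.113.0/24 documentation range for the ISP side, 192.168.1.0/24 on the inside, the server at 192.168.1.4 as in Scott's example, and an ACL name (outside_in) of my own choosing.

```cisco
! Added example in PIX 6.3 syntax; all addresses are constructed, not from the thread.
! Outside interface gets the ISP-assigned static address instead of the factory DHCP client.
ip address outside 203.0.113.10 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
! Default route toward the ISP gateway (assumed here to be 203.0.113.9).
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
! Outbound PAT: every inside host shares the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
! Static port translation: TCP 3389 on the outside interface address -> 192.168.1.4:3389.
! With a single public IP the "interface" keyword is required; naming the IP itself does not work.
static (inside,outside) tcp interface 3389 192.168.1.4 3389 netmask 255.255.255.255
! The inbound ACL must reference the interface for the same reason.
! Replace "any" with the specific source networks that need RDP wherever you can.
access-list outside_in permit tcp any interface outside eq 3389
access-group outside_in in interface outside
```

After entering these from the console, run "clear xlate" so translations built while the outside interface was on DHCP are dropped, then confirm with "show xlate" (the static entry should appear) and "show access-list outside_in" (the hit count increments as connections arrive). Leaving the source as "any" exposes the RDP service to the whole Internet; restricting it to the remote users' networks is the single cheapest hardening step available on this box.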

But you didn't answer how to do the task in the PDM, as requested by the original poster multiple times, and later reinforced by the original poster.

Not possible on the original poster's PIX 501.

That command and the corresponding (non-obvious) access-list entry have been posted numerous times before, and could have been found by googling the group for PIX 3389. The original poster was pointed to that source of information.

Scott, the poster asked specifically for the PDM steps for this task. You had an opportunity to review the complete thread from a retrospect and take your time and answer the question asked -- i.e., the exact PDM steps -- click on this toolbar, select that entry, go down to the 7th line, go over to the third column, type in this, click save, go through these other PDM pages in this sequence, doing thus-and-thus. Why did *you* not answer in terms of the PDM as requested and reinforced?

You probably would have had to go through the PDM yourself and figure out and test the steps (since some of the PDM logic for this task is back-assward compared to what is really going on in the PIX), and you then would have had to write it all up in terms of this-menu-bar and that sub-entry and fill in this field and go back up and over to this other page, and so on -- but what stopped you from doing just that? You work for a Cisco company, so you would have access to an appropriate device, so it wasn't due to lack of opportunity. You were chiding others for not answering the question, so why not actually -answer- the question?

Did your decision as to the form and extent of your answer just happen to have anything to do with there being limits on the amount of effort you are willing to go through in order to answer a question "on your own time", as a volunteer?

Walter Roberson
