Need help with STATIC command!

Hi, all! Using a PIX 515e (IOS 12.3)...

Basically, I need to be able to translate (STATIC command) any traffic from a given subnet (167.68.6.0) on a given port (5000) to a single inside IP (10.1.1.1) and port (5000). My hangup at this point is the subnet masks, I think. On one side I have to use a mask of .0, but I need a mask of .255 on the inside specifically. Will the below STATIC work for me?

static (inside, outside) tcp 10.1.1.1 5000 167.68.6.0 5000 netmask 255.255.255.255

Essentially, any port 5000 traffic on the outside subnet (all 255 possible machines) has to be sent to a single device on the inside subnet.

Is this do-able? Thanks! Jack

Reply to
JackBlack

Sorry, the PIX does not run on IOS 12.3, please paste a show version from the firewall.

Reply to
Chad Mahoney

You're correct, my bad. It's running 6.3(4). Sorry, was looking at something else when I wrote the original post.

So, what do you think about my question?

Thanks, Jack

Reply to
JackBlack

You can't do that in the way it is phrased.

access-list six5000 permit tcp host 10.1.1.1 eq 5000 167.68.6.0 255.255.255.0
static (inside,outside) tcp interface 5000 10.1.1.1 5000 access-list six5000

This presumes that the public IP that those 167.68.6.0 hosts are talking to, that represents 10.1.1.1 to the outside world, is your outside interface IP. If not, replace the word 'interface' with the public IP.

I'm not completely sure this will work. I'd have to think back and try to remember exactly how statics with access-lists work, which is not well documented. I did get clarification from the TAC at one point, but I no longer have access to that case.

Reply to
Walter Roberson
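
Added example, not part of any post in this thread: a different way to get the same result on PIX 6.3 is to keep the two masks in separate commands, with a port-redirect static for the single inside host and an inbound access-list that limits the source to the 167.68.6.0 subnet. The ACL name outside_in is hypothetical, and, as in the reply above, this assumes the public address is the outside interface IP and that no other ACL is already bound to the outside interface.

```cisco
: Added example, not from the thread. The ACL name "outside_in" is hypothetical.
: Port redirect: the 255.255.255.255 mask describes the single inside host 10.1.1.1.
static (inside,outside) tcp interface 5000 10.1.1.1 5000 netmask 255.255.255.255 0 0
: Source restriction: the 255.255.255.0 mask describes the outside subnet 167.68.6.0.
access-list outside_in permit tcp 167.68.6.0 255.255.255.0 interface outside eq 5000
: Bind the ACL inbound on the outside interface. Only one ACL can be bound per
: interface, so this replaces any ACL already applied there.
access-group outside_in in interface outside
: Checks after applying: confirm the translation exists and watch the ACL hit count.
show static
show access-list outside_in
```

Because an access-list ends in an implicit deny, outside sources other than 167.68.6.0/24 are not permitted to reach port 5000 under this configuration.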

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.