Open port & change internal IP on PIX 501

I'm trying to open new ports on our PIX 501. Is it as simple as this:

access-list 200 permit tcp any host 192.168.2.133 eq 5900
access-list 200 permit tcp any host 192.168.2.132 eq 5901

Also, I need to change the IP address used for smtp to point from

192.168.2.132 to 192.168.2.133. Could someone tell me what the command should look like for this? Currently, I see it as this:

access-list 200 permit tcp any host 62.264.95.136 eq smtp

How can I point that to .133 instead of .132 or does it matter at all?

Reply to
dsd17

Not quite.

It is the access-list that is applied as an access-group to the outside interface that must be modified for the first question. The line you quoted from access-list 200 suggests that it is the access-list to be examined for that question.

The outside access-list must be written such that the destination address (the one on the right hand side) is the *public* IP address of the target. The outside access-list does NOT get modified when the public IP stays the same but the internal IP gets changed. So the first part of your answer to the second question is, "No, leave that line as-is", and the first part of your answer to the first question is, "No, you need to put in the public IPs (like 62.264.95.136) instead of the private IPs."

The second half of the answers: In order for an outside system to be able to start new dataflows to an internal system, there must be a pre-defined translation between the public IP and the internal IP. Sometimes that is via a "nat (inside) 0 access-list" command, but that does not apply to you because that can only be used when the public and internal IPs are the same IP. When the public IP and internal IP are different, there must be a "static" command that says what gets translated to what.

You probably currently have

static (inside,outside) tcp 62.264.95.136 smtp 192.168.2.132 smtp 0 0

In order to retarget the smtp to 192.168.2.133 you would just change the 132 to 133 in the statement. (Note: after you change 'static' commands, "clear xlate" to get rid of the stale information.)

To add TCP 5901 to .133, you would add

static (inside,outside) tcp 62.264.95.136 5901 192.168.2.133 5901 0 0

and this would be complemented by

access-list 200 permit tcp any host 62.264.95.136 eq 5901

You show TCP 5900 as going to a different internal machine, but you didn't indicate whether you have set up different public IPs for the two machines, and you didn't indicate whether it was important that the ports be associated with distinct IP addresses or whether it would be fine to put them both on the -same- public IP address as long as they got delivered to different internal hosts.

If using the same public IP is okay, you would have

access-list 200 permit tcp any host 62.264.95.136 eq 5900

and you would get this through to the other host by using

static (inside,outside) tcp 62.264.95.136 5900 192.168.2.132 5900 0 0

It is not a problem on PIX 6.2 and later to have the same public IP used to deliver traffic to different internal IPs based upon the port number.

Reply to
Walter Roberson
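The answer above boils down to two rules: the outside access-list must name the public IP, and every permitted port needs a matching static translation. The following script is an added example, not code from either poster: it parses the `static`, `access-list` and `access-group` lines out of a PIX 6.x configuration and reports, for each permit on the outside ACL, whether it names a private address or lacks a static. The sample configuration is constructed for this example from the lines discussed in the thread (including the thread's obfuscated public address 62.264.95.136, which is not a valid IPv4 literal and is treated as "not private"), plus one deliberately wrong line that names the internal host the way the original question did.

```python
"""Cross-check PIX 6.x 'static' translations against the outside access-list.

Added example; the config below is constructed, not a real device dump.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample: the statics and ACL the answer works through, with the
# smtp static already retargeted to .133, plus one wrong ACL line (private dst).
SAMPLE_CONFIG = """
static (inside,outside) tcp 62.264.95.136 smtp 192.168.2.133 smtp 0 0
static (inside,outside) tcp 62.264.95.136 5901 192.168.2.133 5901 0 0
static (inside,outside) tcp 62.264.95.136 5900 192.168.2.132 5900 0 0
access-list 200 permit tcp any host 62.264.95.136 eq smtp
access-list 200 permit tcp any host 62.264.95.136 eq 5901
access-list 200 permit tcp any host 62.264.95.136 eq 5900
access-list 200 permit tcp any host 192.168.2.133 eq 5900
access-group 200 in interface outside
"""

# PIX port keywords that may appear in place of a number (subset).
PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "https": 443,
              "ssh": 22, "ftp": 21, "telnet": 23}

STATIC_RE = re.compile(
    r"^static \((?P<inside>\w+),(?P<outside>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<public_ip>\S+) (?P<public_port>\S+) (?P<inside_ip>\S+) (?P<inside_port>\S+)")
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) permit (?P<proto>tcp|udp) (?P<src>any|host \S+) "
    r"host (?P<dst>\S+) eq (?P<port>\S+)")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\S+)")


@dataclass(frozen=True)
class Static:
    proto: str
    public_ip: str
    public_port: int
    inside_ip: str
    inside_port: int


@dataclass(frozen=True)
class AclEntry:
    name: str
    proto: str
    dst_ip: str
    dst_port: int
    line: str


def port_number(token):
    """Resolve a numeric port or a PIX port keyword such as 'smtp'."""
    if token.isdigit():
        return int(token)
    if token.lower() in PORT_NAMES:
        return PORT_NAMES[token.lower()]
    raise ValueError("unknown port keyword: %s" % token)


def is_private(ip):
    """RFC1918 check; an unparsable (obfuscated) address is treated as public."""
    try:
        return ip_address(ip).is_private
    except ValueError:
        return False


def parse_config(text):
    """Return (statics, acl_entries, {interface: acl_name})."""
    statics, acl_entries, groups = [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append(Static(m["proto"], m["public_ip"], port_number(m["public_port"]),
                                  m["inside_ip"], port_number(m["inside_port"])))
        elif m := ACL_RE.match(line):
            acl_entries.append(AclEntry(m["name"], m["proto"], m["dst"],
                                        port_number(m["port"]), line))
        elif m := GROUP_RE.match(line):
            groups[m["iface"]] = m["name"]
    return statics, acl_entries, groups


def audit(text, outside_iface="outside"):
    """Map each permit line on the outside ACL to a finding string."""
    statics, acl_entries, groups = parse_config(text)
    outside_acl = groups.get(outside_iface)
    if outside_acl is None:
        return {"": "no access-group bound to interface %s" % outside_iface}
    # Inbound reachability is keyed on the *public* side of each static.
    translated = {(s.proto, s.public_ip, s.public_port): s for s in statics}
    findings = {}
    for e in acl_entries:
        if e.name != outside_acl:
            continue
        if is_private(e.dst_ip):
            findings[e.line] = ("destination %s is a private address; "
                                "the outside ACL must name the public IP" % e.dst_ip)
            continue
        s = translated.get((e.proto, e.dst_ip, e.dst_port))
        if s is None:
            findings[e.line] = "permitted, but no static translates %s %s port %d inbound" % (
                e.proto, e.dst_ip, e.dst_port)
        else:
            findings[e.line] = "ok: delivered to %s port %d" % (s.inside_ip, s.inside_port)
    return findings


if __name__ == "__main__":
    for line, finding in audit(SAMPLE_CONFIG).items():
        print("%-60s %s" % (line, finding))
```

Paste the output of `show static` and `show access-list` plus the `access-group` line into `SAMPLE_CONFIG` to run it against a real box; a line that comes back as "permitted, but no static" is exactly the state the question's first attempt would have produced, and an "ok" line tells you which internal host a given public port actually lands on after the retargeting.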

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.