Open port & change internal IP on PIX 501

I'm trying to open new ports on our PIX 501. Is it as simple as this:

access-list 200 permit tcp any host eq 5900 access-list 200 permit tcp any host eq 5901

Also, I need to change the IP address used for smtp to point from to Could someone tell me what the command should look like for this? Currently, I see it as this:

access-list 200 permit tcp any host eq smtp

How can I point that to .133 instead of .132 or does it matter at all?

Reply to
Loading thread data ...

Not quite.

It is the access-list that is applied as an access-group to the outside interface that must be modified for the first question. The line you quoted from access-list 200 suggests that it is the access-list to be examining for that question.

The outside access-list must be written such that the destination address (the one on the right hand side) is the *public* IP address of the target. The outside access-list does NOT get modified when the public IP stays the same but the internal IP gets changed. So the first part of your answer to the second question is, "No, leave that line as-is", and the first part of your answer to the first question is, "No, you need to put in the public IPs (like instead of the private IPs.)

The second half of the answers: In order for an outside system to be able to start new dataflows to an internal system, there must be a pre-defined translation between the public IP and the internal IP. Sometimes that is via a "nat (inside) 0 access-list" command, but that does not apply to you because that can only be used when the public and internal IPs are the same IP. When the public IP and internal IP are different, there must be a "static" command that says what gets translated to what.

You probably currently have

static (inside,outside) tcp smtp smtp 0 0

In order to retarget the smtp to you would just change the 132 to 133 in the statement. (Note: after you change 'static' commands, "clear xlate" to get rid of the stale information.)

To add TCP 5901 to .133, you would add

static (inside,outside) tcp 5901 5901 0 0

and this would be complimented by

access-list 200 permit tcp any host eq 5901

You show TCP 5900 as going to a different internal machine, but you didn't indicate whether you have set up different public IPs for the two machines, and you didn't indicate whether it was important that the ports be associated with distinct IP addresses or whether it would be fine to put them both on the -same- public IP address as long as they got delivered to different internal hosts.

If using the same public IP is okay, you would have

access-list 200 permit tcp any host eq 5900

and you would get this through to the other host by using

static (inside,outside) tcp 5900 5900 0 0

It is not a problem on PIX 6.2 and later to have the the same public IP used to deliver traffic to different internal IPs based upon the port number.

Reply to
Walter Roberson Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.