PIX 501 Incoming rule creation

Hi-

I'm trying to create some inbound access rules on an old Pix 505 (Cisco PIX Firewall Version 6.3(3) Cisco PIX Device Manager Version 3.0(1), yes, all ancient).

I don't work on PIXes very often, but when I add an inbound rule permitting traffic, the PIX prompts me that:

"No static Network Address Translation (NAT) rule is configured for the destination host or network on interface outside. Would you like to add a static NAT rule for the host or network now?"

What exactly do I have to add? I'm basically trying to map connections to port 4444, 4445, and 4446 to three internal servers (server 1 4444, 2 4445, etc) using the same outside (public) IP address.

They have 4 public IPs, two are 1:1 NAT mapped to two other servers and client traffic is mapped to a third and the PIX external IP isn't used for anything.

Thanks for any help.

Howard Beale

There was no PIX 505. On the other hand, your Subject says 501 which does exist and is still sold.

Not so ancient; the latest OS for that is one of the 6.3(5) versions. If the system owners are the registered owners of the PIX, they are entitled to a free upgrade to the latest 6.3(5) for the security fixes.

static (inside,outside) tcp host PUBLICIP 4444 host SERVER1IP 4444
static (inside,outside) tcp host PUBLICIP 4445 host SERVER2IP 4445
static (inside,outside) tcp host PUBLICIP 4446 host SERVER3IP 4446

and your access-list would look like

access-list out2in permit tcp any host PUBLICIP range 4444 4446

Note: the syntax would be slightly different if you were using the PIX outside IP as the destination IP for this traffic.

Walter Roberson

Whoops, sorry. I'm sure there's another 505 something on my mind.

Thanks, I'll check into that.

Can you tell me what that syntax would look like?

Thanks!

Howard Beale

static (inside,outside) tcp interface 4444 host SERVER1IP 4444
static (inside,outside) tcp interface 4445 host SERVER2IP 4445
static (inside,outside) tcp interface 4446 host SERVER3IP 4446

access-list out2in permit tcp any interface outside range 4444 4446

That is, in ACLs, to designate the PIX outside IP itself, use the literal 'interface outside' instead of the IP; in static, use the literal 'interface' instead of the IP.

Walter Roberson
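Both answers above, pulled together into one complete PIX 6.3 configuration fragment. This is an added example, not configuration posted in the thread. The addresses (203.0.113.10 standing in for PUBLICIP, 192.168.1.11 through .13 for the three servers, 198.51.100.0/24 as a client network) and the ACL name out2in are placeholders chosen for illustration. The statics are written in the full form that 6.3 accepts, with the explicit netmask and connection limits, and the access-group line, which neither answer mentions, is what actually binds the ACL to the outside interface; without it the permit entries are never consulted.

```text
! Added example: PIX 6.3 static PAT (port forwarding) for three inside
! servers reached through one public address. Addresses are placeholders.
!
! Variant A: a spare public IP (203.0.113.10 stands in for PUBLICIP).
static (inside,outside) tcp 203.0.113.10 4444 192.168.1.11 4444 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 4445 192.168.1.12 4445 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 4446 192.168.1.13 4446 netmask 255.255.255.255 0 0
access-list out2in permit tcp any host 203.0.113.10 range 4444 4446
!
! Variant B: the PIX's own outside address. The literal "interface"
! replaces the IP in the static; "interface outside" replaces
! "host <ip>" in the ACL. Pick one variant per port, not both.
static (inside,outside) tcp interface 4444 192.168.1.11 4444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4445 192.168.1.12 4445 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4446 192.168.1.13 4446 netmask 255.255.255.255 0 0
access-list out2in permit tcp any interface outside range 4444 4446
!
! Narrower alternative to "any" when the clients come from a known
! network (198.51.100.0/24 is an assumed client range):
! access-list out2in permit tcp 198.51.100.0 255.255.255.0 interface outside range 4444 4446
!
! The statics only create translations; this line applies the ACL to
! inbound traffic on outside. Everything not permitted is dropped by
! the implicit deny at the end of the list.
access-group out2in in interface outside
```

After entering the statics, run `clear xlate` so that stale translations are rebuilt, then check `show static`, `show access-list out2in` (the hitcnt counters show whether each entry is matching), and `show xlate` while a client connects. If the hit count stays at zero while a client is connecting, the usual culprits are the missing access-group line or a typo in the port number on one side of the static.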

Thanks much! That solves my problem nicely.

I work with many vendor firewalls and FreeBSD ipfw stuff, but somehow the Pix never quite sinks in.

Howard Beale

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.