PIX Version 6.3(4) "interface" vs IP address

Hi, I have a general question: I am trying to open UDP port 5060 on a Cisco PIX Version 6.3(4). Let's say the public address is, I have a pool from my provider ( and the server that needs to be reached from the outside is

What's the difference of binding the port/protocol to "interface"

static (inside, outside) udp interface 80 5060 netmask
access-list traffic_in permit udp any interface outside eq 5060

as opposed to an address out of my pool.

static (inside,outside) udp 5060 5060 netmask 0 0
access-list traffic_in permit udp any host eq 5060

What would you recommend how to do this?

any help appreciated, mak


With the following statement: static (inside,outside) udp interface 5060 5060 netmask ... you use your PIX outside interface as the IP that external hosts will connect to for this particular UDP port only. This is usually used where a small business only has one IP from the ISP (that being the external/outside interface IP). Since you have 5 or 6 other IPs to use, if you want to use them for a static NAT for this host, you could do that. It's mostly a personal preference.
John Smith

This is PAT, and hence you can only have ONE IP and ONE PORT, i.e. if you want two port tcp/80 running, you cannot.

This is NAT, and hence you can map MANY IP to MANY inside, with SAME port numbers, i.e. you can run several port TCP/80, just with different IPs.

Use NAT if you have IPs, otherwise, why do you have IPs? Use PAT if you have only ONE (1) assigned to you by your ISP, e.g. via DHCP on outside.

Martin Bilgrav

If you have internal hosts that are working with traffic that PAT does not work for (e.g., IP protocols other than TCP and UDP), then you want to allocate as many one-to-one NAT IPs to that purpose as will be needed simultaneously. If that drives you into PAT'ing the traffic that PAT works for, then so be it.

Walter Roberson

thanx a lot guys, all cleared up mak
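
The variants discussed in this thread, written out in PIX 6.3 syntax as an added example (not any poster's configuration). All addresses are constructed placeholders; the ACL name traffic_in is the one from the question.

```cisco
: Constructed addresses (assumptions, not from the thread):
:   PIX outside interface IP .... 192.0.2.1   (RFC 5737 documentation range)
:   spare address from the pool . 192.0.2.10
:   inside server ............... 192.168.1.80
:
: Apply only ONE of the options A, B or C below.

: Option A - static PAT on the outside interface address.
: Only UDP/5060 arriving at the PIX's own outside IP is redirected.
static (inside,outside) udp interface 5060 192.168.1.80 5060 netmask 255.255.255.255 0 0
access-list traffic_in permit udp any interface outside eq 5060

: Option B - static PAT (port redirection) on a spare pool address.
: Same single-port mapping, but external hosts target 192.0.2.10.
static (inside,outside) udp 192.0.2.10 5060 192.168.1.80 5060 netmask 255.255.255.255 0 0
access-list traffic_in permit udp any host 192.0.2.10 eq 5060

: Option C - one-to-one static NAT on a spare pool address.
: Every protocol and port is translated, so the ACL is the only
: thing limiting what reaches the server; keep it to UDP/5060.
static (inside,outside) 192.0.2.10 192.168.1.80 netmask 255.255.255.255 0 0
access-list traffic_in permit udp any host 192.0.2.10 eq 5060

: In every case the ACL has to be bound to the outside interface;
: traffic it does not permit is dropped by the implicit deny.
access-group traffic_in in interface outside
```

After applying one option, `show static` and `show access-list traffic_in` (hit counters) confirm that the translation exists and that only the intended port is being matched.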
