PIX Version 6.3(4) "interface" vs IP address

Hi, I have a general question: I am trying to open UDP port 5060 on a Cisco PIX Version 6.3(4). Let's say the public address is 12.34.56.78, I have a pool from my provider (12.34.56.72/29), and the server that needs to be reached from the outside is 192.168.1.10.

What's the difference between binding the port/protocol to "interface":

static (inside,outside) udp interface 5060 192.168.1.10 5060 netmask 255.255.255.255
access-list traffic_in permit udp any interface outside eq 5060

as opposed to an address out of my pool:

static (inside,outside) udp 12.34.56.73 5060 192.168.1.10 5060 netmask 255.255.255.255 0 0
access-list traffic_in permit udp any host 12.34.56.73 eq 5060

What would you recommend for doing this?

Any help appreciated, mak

mak

With the following statement:

static (inside,outside) udp interface 5060 192.168.1.10 5060 netmask 255.255.255.255

...you use your PIX outside interface as the IP that external hosts will connect to for this particular UDP port only. This is usually used where a small business only has one IP from the ISP (that being the external/outside interface IP). Since you have 5 or 6 other IPs to use, if you want to use them for a static NAT for this host, you could do that. It's mostly a personal preference.
John Smith

> static (inside,outside) udp interface 5060 192.168.1.10 5060 netmask 255.255.255.255

This is PAT, and hence you can only have ONE IP and ONE port, i.e. if you want two tcp/80 ports running, you cannot.

> static (inside,outside) udp 12.34.56.73 5060 192.168.1.10 5060 netmask 255.255.255.255 0 0

This is NAT, and hence you can map MANY IPs to MANY inside hosts, with the SAME port numbers, i.e. you can run several tcp/80 ports, just with different IPs.

Use NAT if you have IPs; otherwise, why do you have IPs? Use PAT if you have only ONE (1) assigned to you by your ISP, e.g. via DHCP on the outside.

Martin Bilgrav
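As an added example that is not from the thread, here is a small Python model of what John's and Martin's replies describe: a static translation table in which `interface` stands for the outside interface's own IP, an inbound access-list that must also permit the traffic, and the rule that one global IP:port can front only one inside host. The `Pix` class and `demo()` are constructed for illustration and parse only the command forms used in the posts.

```python
import re
# Added example, not PIX code: model of PIX 6.3 "static" + inbound access-list behaviour.
STATIC_RE = re.compile(r"static \(inside, ?outside\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask")
ACL_RE = re.compile(r"access-list \S+ permit (tcp|udp) any (?:host (\S+)|interface outside) eq (\d+)")

class Pix:
    def __init__(self, outside_ip):
        self.outside_ip = outside_ip
        self.xlates = {}   # (proto, global_ip, global_port) -> (local_ip, local_port)
        self.acl = set()   # (proto, global_ip, port) permitted inbound

    def config(self, line):
        if m := STATIC_RE.match(line):
            proto, gip, gport, lip, lport = m.groups()
            if gip == "interface":   # PAT: borrow one port of the outside interface IP
                gip = self.outside_ip
            key = (proto, gip, int(gport))
            # one global ip:port fronts one inside host, so a 2nd "interface 5060" is rejected
            if key in self.xlates and self.xlates[key] != (lip, int(lport)):
                raise ValueError(f"duplicate static for {key}")
            self.xlates[key] = (lip, int(lport))
        elif m := ACL_RE.match(line):
            proto, gip, port = m.groups()
            self.acl.add((proto, gip or self.outside_ip, int(port)))
        else:
            raise ValueError(f"unsupported line: {line}")

    def inbound(self, proto, dst_ip, dst_port):
        # PIX 6.3 delivers inbound traffic only with BOTH a translation and an ACL permit
        key = (proto, dst_ip, dst_port)
        return self.xlates.get(key) if key in self.acl else None

def demo():
    pix = Pix("12.34.56.78")
    pix.config("static (inside,outside) udp interface 5060 192.168.1.10 5060 netmask 255.255.255.255")
    pix.config("access-list traffic_in permit udp any interface outside eq 5060")
    pix.config("static (inside,outside) udp 12.34.56.73 5060 192.168.1.10 5060 netmask 255.255.255.255 0 0")
    pix.config("access-list traffic_in permit udp any host 12.34.56.73 eq 5060")
    try:   # a second SIP server cannot share the interface's UDP/5060 (Martin's point)
        pix.config("static (inside,outside) udp interface 5060 192.168.1.11 5060 netmask 255.255.255.255")
        collision = False
    except ValueError:
        collision = True
    pix.config("static (inside,outside) udp 12.34.56.74 5060 192.168.1.11 5060 netmask 255.255.255.255 0 0")
    return {
        "via_interface": pix.inbound("udp", "12.34.56.78", 5060),
        "via_pool": pix.inbound("udp", "12.34.56.73", 5060),
        "static_but_no_permit": pix.inbound("udp", "12.34.56.74", 5060),
        "interface_collision": collision,
    }
```

The third result shows the other half of the rule: a static alone is not enough, the inbound access-list still has to permit the pool address and port.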

If you have internal hosts that are working with traffic that PAT does not work for (e.g., IP protocols other than TCP and UDP), then you want to allocate as many one-to-one NAT IPs to that purpose as will be needed simultaneously. If that drives you into PAT'ing the traffic that PAT works for, then so be it.

Walter Roberson

Thanks a lot guys, all cleared up.

mak
