Port Mapping on a PIX 515

Hello. I would like to be able to map a Public IP's port to a different port on a Private IP through the PIX 515. For example, if someone telnets into the Public IP 209.215.23.22, I want it to forward to port 9923 on the private IP 192.168.2.2. Is this possible? Thanks.

Reply to
Corbin O'Reilly

static (inside,outside) tcp 209.215.23.22 23 192.168.2.2 9923 netmask 255.255.255.255
Reply to
Walter Roberson

Hi Walter. What if I also wanted to open up regular ports as well and did not want to redirect to a different port? Would it still work if I also added an access-list command?

Reply to
Corbin O'Reilly

Would all these lines work in the config?

static (inside,outside) 209.215.23.23 192.168.2.2 netmask 255.255.255.255 0 0
static (inside,outside) 209.215.23.22 23 192.168.2.2 9923 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 209.215.23.22 eq 8080
access-list outside_in permit tcp any host 209.215.23.22 eq telnet

Thanks.

Reply to
Corbin O'Reilly

You missed the 'tcp' after the ')'

Connections to 209.215.23.22 port 8080 would not have anywhere to go, as you do not have any static for outside IP 209.215.23.22 except the one for port 23.

If that 23.23 was a typo and you meant

static (inside,outside) 209.215.23.22 192.168.2.2 netmask 255.255.255.255 0 0

and you are asking whether you can use a "full static" on an external IP as well as a port static to redirect just one port to somewhere, then the answer is NO. static commands without port specifications are processed before static commands that have port specifications or access-lists, so you cannot say "all ports except these ones" when you use a full static.

(If you do want to say "all ports except these ones", then you also cannot do it by using static with port specifications. Instead, you would need to use a pair of statics with access-list specifications, one access-list using 'deny' for all of the ports *not* to be forwarded followed by a 'permit' that did not specify a port.)

Reply to
Walter Roberson

Hi Walter. Yes, it was a typo. Sorry. Thanks for the explanation. Here is exactly what I am trying to do. We have a mainframe that is serving up all kinds of stuff on various ports. We have a public IP translating to the private IP of the mainframe and we have access-list permit lines opening up various ports to the mainframe. It all works fine. Here is the issue. We have a telnet-type application running on the mainframe on port 9923. We have nothing running on port 23. We have a potential customer whose IT Department has set up their firewall to block outbound port 9923. They are, however, not blocking outbound port 23. What we were thinking of doing is setting up our firewall to redirect requests on the public IP port 23 to the internal mainframe IP port 9923, but from reading your explanation it looks like this cannot be done. In your last paragraph you talked about using a pair of statics with access-list specifications. Could you show me an example? Now that you see what I am trying to accomplish, could you give me some suggestions? Thanks for the help.

Reply to
Corbin O'Reilly

It's been a while; I had a technical detail wrong in the previous post. You cannot use deny in a policy NAT access-list.

access-list forward23 permit tcp host INTERNALIP eq 9923 any

access-list forwardrest permit tcp host INTERNALIP range 1 9922 any
access-list forwardrest permit tcp host INTERNALIP range 9924 65535 any
access-list forwardrest permit udp host INTERNALIP any

static (inside,outside) tcp PUBLICIP telnet access-list forward23
static (inside,outside) PUBLICIP access-list forwardrest

I'm not 100% sure of that last statement. There is a small chance that you would instead need to use

static (inside,outside) tcp PUBLICIP 0 access-list forwardrest

but I don't think so; I don't have access to a PIX to double-check it on.

Reply to
Walter Roberson
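To tie the pieces of Walter's answer together, here is an added example configuration in PIX 6.3 syntax; it is not from the thread or from Cisco's documentation. It assumes placeholder addresses (203.0.113.10 for PUBLICIP, 192.168.2.2 for INTERNALIP, 198.51.100.5 for the customer's egress address) and adds the inbound access-list and access-group that the thread does not show.

```cisco
! Added example, PIX 6.3 syntax. All addresses are placeholders:
!   PUBLICIP    = 203.0.113.10   (outside address of the mainframe)
!   INTERNALIP  = 192.168.2.2    (mainframe on the inside)
!   CUSTOMER_IP = 198.51.100.5   (customer's egress address)
!
! Policy NAT access-lists are written from the inside host's point of
! view: source = real inside host and port, destination = outside peer.
!
! Only the mainframe's port 9923 is mapped to the public telnet port.
access-list forward23 permit tcp host 192.168.2.2 eq 9923 any
!
! Every other port keeps its own number. The PIX 'range' operator
! takes two operands separated by a space, not a hyphen.
access-list forwardrest permit tcp host 192.168.2.2 range 1 9922 any
access-list forwardrest permit tcp host 192.168.2.2 range 9924 65535 any
access-list forwardrest permit udp host 192.168.2.2 any
!
! Port static: outside 203.0.113.10:23 <-> inside 192.168.2.2:9923.
static (inside,outside) tcp 203.0.113.10 telnet access-list forward23
! Policy static for the remaining ports, one-to-one. Because both
! statics are selected by access-list match, the "full static wins
! over port static" ordering from earlier in the thread does not apply.
static (inside,outside) 203.0.113.10 access-list forwardrest
!
! The translation alone admits nothing; the outside interface ACL
! decides what comes in. Limit port 23 to the customer that needs the
! workaround rather than 'any', and keep the existing permits for the
! mainframe's other services (8080 shown as in the thread).
access-list outside_in permit tcp host 198.51.100.5 host 203.0.113.10 eq telnet
access-list outside_in permit tcp any host 203.0.113.10 eq 8080
access-group outside_in in interface outside
!
! Verification after 'clear xlate':
!   show static   - both static entries should be listed
!   show xlate    - after a test connection, look for the entry that
!                   pairs 203.0.113.10 port 23 with 192.168.2.2 port 9923
```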

Thanks again Walter.

Reply to
Corbin O'Reilly
