Port Mapping on a PIX 515

Hello. I would like to be able to map a Public IP's port to a different port
on a Private IP through the PIX 515. For example, if someone telnets into
the Publc IP 209.215.23.22, I want it to forward to port 9923 on the private
IP 192.168.2.2. Is this possible? Thanks.

Reply to
Corbin O'Reilly
Loading thread data ...
static (inside,outside) tcp 209.215.23.22 23 192.168.2.2 9923 netmask 255.255.255.255
Reply to
Walter Roberson
Hi Walter. What if I also wanted to open up regular ports as well and did not want to redirect to a different port? Would it still work if I also addedd an access-list command?
Reply to
Corbin O'Reilly
Would all these lines work in the config?
static (inside,outside) 209.215.23.23 192.168.2.2 netmask 255.255.255.255 0 0 static (inside,outside) 209.215.23.22 23 192.168.2.2 9923 netmask 255.255.255.255 0 0 access-list outside_in permit tcp any host 209.215.23.22 eq 8080 access-list outside_in permit tcp any host 209.215.23.22 eq telnet
Thanks.
Reply to
Corbin O'Reilly
You missed the 'tcp' after the ')'
Connections to 209.215.23.22 port 8080 would not have anywhere to go, as you do not have any static for outside IP 209.215.23.22 except the one for port 23.
If that 23.23 was a typo and you meant
static (inside,outside) 209.215.23.22 192.168.2.2 netmask 255.255.255.255 0 0
and you are asking whether you can use a "full static" on an external IP as well as a port static to redirect just one port to somewhere, then the answer is NO. static commands without port specifications are processed before static commands that have port specifications or access-lists, so you cannot say "all ports except these ones" when you use a full static.
(If you do want to say "all ports except these ones", then you also cannot do it by using static with port specifications. Instead, you would need to use a pair of static's with access-list specifications, one access-list using 'deny' for all of the ports *not* to be forwarded followed by a 'permit' that did not specify a port.)
Reply to
Walter Roberson
Hi Walter. Yes it was a typo. Sorry. Thanks for the explanation. Here is exactly what I am trying to do. We have a mainframe that is serving up all kinds of stuff on various ports. We have a public IP translating to the private IP of the mainframe and we have access-list permit lines opening up various ports to the mainframe. It all works fine. Here is the issue. We have a telnet type application running on the mainframe on port 9923. We have nothing running on port 23. We have a potential customer whose IT Department has setup their firewall to block outbound port 9923. They are, however, not blocking outbound port 23. What we were thinking of doing is setting up our firewall redirect requests on the public IP port 23 to internal mainframe IP port 9923 but from reading your explanation it looks like this can not be done. In your last paragraph you talked about using a pair of statics with access-list specifications. Could you show me an example? Now that you see what I am trying to accomplish could you give me some suggestions? Thanks for the help.
Reply to
Corbin O'Reilly
It's been awhile, I had a technical detail wrong in the previous post. You cannot use deny in a policy NAT access-list.
access-list forward23 permit tcp host INTERNALIP eq 9923 any
access-list forwardrest permit tcp host INTERNALIP range 1-9922 any access-list forwardrest permit tcp host INTERNALIP range 9924-65535 any access-list forwardrest permit udp host INTERNALIP any
static (inside,outside) tcp PUBLICIP telnet access-list forward23 static (inside,outside) PUBLICIP access-list forwardrest
I'm not 100% sure of that last statement. There is a small chance that you would instead need to use
static (inside,outside) tcp PUBLICIP 0 access-list forwardrest
but I don't think so; I don't have access to a PIX to double-check it on.
Reply to
Walter Roberson
Thanks again Walter.
Reply to
Corbin O'Reilly

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.