Port mapping or forwarding on Cisco PIX 506E

One external IP address is mapped to one internal IP address with the "static (inside, outside) X.X.X.X 10.0.0.140" statement and the corresponding access list "access-list acl_out permit tcp any host X.X.X.X eq ftp".

What I want to do is have one STATIC statement and then control which ports are mapped by using ACLs. Does anyone know the correct syntax?

Thanks!

Reply to
tom.smith.iii

In article , wrote:
:one external IP address is mapped to one internal IP address with the
:"static (inside, outside) X.X.X.X 10.0.0.140" statement and
:corresponding access list "access-list acl_out permit tcp any host
:X.X.X.X eq ftp"

:What I want to do is have one STATIC statement and then control which
:ports are mapped by using ACL's. Does anyone know the correct syntax?

You can't quite do that with PIX 6. You need at least two static statements, one for udp and one for tcp.

static (inside,outside) tcp X.X.X.X access-list TCP_ACL
static (inside,outside) udp X.X.X.X access-list UDP_ACL

access-list TCP_ACL permit tcp host 10.0.0.140 eq ftp any
access-list UDP_ACL permit udp host 10.0.0.140 eq domain any

Note: be sure not to reuse the policy ACLs, such as for the access-list you apply as the access-group.

You cannot simply use one 'static' with an ACL that uses tcp or udp statements: the PIX will complain about attempting to inject one protocol into another.

Reply to
Walter Roberson

So I use one static for tcp and another for udp. Then I could use multiple TCP_ACL access lists for multiple ports and the same for UDP_ACL? I will give it a shot this morning. Thanks Walter!

Reply to
tom.smith.iii

I am trying to open some ports so I can test a Polycom Video conf system. It needs 23 consecutive udp ports opened and about 7 tcp ports. Per Walter's reply above I will use two static statements and then several access-list statements (because I can specify port ranges). My problem is that I can't get the syntax down. Any help will be greatly appreciated.

I need Internet traffic coming in on those ports to be directed to 10.0.0.140. Here is the static statement I tried that didn't work...

static (inside, outside) tcp any host access-list TCP_ACL
access-list TCP_ACL permit tcp host 10.0.0.140 eq h323 any

Where am I going wrong? Sorry to be such a bonehead, but it is not often that I have to alter the configs on my firewalls.

Thanks, Tom.

Reply to
tom.smith.iii

So to forward tcp 1720, 3230-3235 and udp 3230-3253 to 10.0.0.140 I have to have individual static statements for each?

I guess what I am asking is this, what is the best way to forward/map those ports to that particular IP. This is for incoming traffic.

Thanks yet again. Tom.

Reply to
tom s

|:What I want to do is have one STATIC statement and then control which
|:ports are mapped by using ACL's. Does anyone know the correct syntax?

|static (inside,outside) tcp X.X.X.X access-list TCP_ACL

Sorry, having reviewed your message again, I realize that the above was incorrect and that what you want cannot be done.

The problem is that the extended version of 'static' must list the outside port:

static (inside,outside) tcp X.X.X.X PORT access-list TCP_ACL

and that's not going to allow you to select the port based on the contents of TCP_ACL .

Reply to
Walter Roberson

In article , tom s wrote:
:So to forward tcp 1720, 3230-3235 and udp 3230-3253 to 10.0.0.140 I
:have to have individual static statements for each?

Yes.

:I guess what I am asking is this, what is the best way to forward/map
:those ports to that particular IP. This is for incoming traffic.

If you have a distinct public IP you can use instead of the interface IP, then you can static the IP as a whole and let your outside access list take care of whether the access is permitted or not.

Reply to
Walter Roberson
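The two approaches Walter describes (one port-level static per port when only the outside interface address is available, or one whole-IP static plus an outside access list when a spare public IP exists) are tedious to type by hand for the 31 ports Tom needs, so here is an added example, not from the thread or from Cisco, that generates both forms for the Polycom port list. The PIX 6.3 syntax it emits ("static (inside,outside) tcp interface PORT INSIDE PORT netmask 255.255.255.255 0 0", "access-list ... interface outside", "access-group ... in interface outside") is assumed; check it against the software version on the 506E. The function names, the ACL name acl_out and the public address 203.0.113.5 (a documentation address) are illustrative. In the dedicated-IP form the whole host is statically translated, so the outside access list is the only thing limiting exposure: list exactly the ports the system needs and nothing else, and remember that "access-group" replaces whatever ACL is already bound to the interface, so merge these entries into the existing outside ACL rather than binding a new one.

```python
"""Generate PIX 6.x port-forwarding configuration for a set of TCP/UDP ports.

Two approaches, matching the thread:
  * interface_pat_config(): no spare public IP, so forward on the outside
    interface address. PIX 6.x needs one port-level "static" per port, plus
    outside access-list entries (these may use port ranges).
  * dedicated_ip_config(): a spare public IP, so one whole-IP "static" and
    the outside access-list decides which ports are reachable.
Syntax is assumed PIX 6.3 (hypothetical; verify on your software version).
"""
from ipaddress import IPv4Address


def expand_ports(spec):
    """'1720,3230-3235' -> sorted unique ints; ranges are inclusive."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def collapse_ranges(ports):
    """[1720, 3230, 3231, 3232] -> [(1720, 1720), (3230, 3232)]"""
    runs = []
    for p in sorted(set(ports)):
        if runs and p == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], p)
        else:
            runs.append((p, p))
    return runs


def _acl_lines(acl, dest, tcp_spec, udp_spec):
    """Outside ACL entries; dest is 'host A.B.C.D' or 'interface outside'."""
    lines = []
    for proto, spec in (("tcp", tcp_spec), ("udp", udp_spec)):
        for lo, hi in collapse_ranges(expand_ports(spec)):
            ports = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
            lines.append(f"access-list {acl} permit {proto} any {dest} {ports}")
    return lines


def interface_pat_config(inside_host, tcp_spec, udp_spec, acl="acl_out"):
    """One port static per forwarded port, PAT on the outside interface IP."""
    inside = str(IPv4Address(inside_host))  # raises on a malformed address
    lines = []
    for proto, spec in (("tcp", tcp_spec), ("udp", udp_spec)):
        for port in expand_ports(spec):
            lines.append(
                f"static (inside,outside) {proto} interface {port} "
                f"{inside} {port} netmask 255.255.255.255 0 0"
            )
    lines += _acl_lines(acl, "interface outside", tcp_spec, udp_spec)
    lines.append(f"access-group {acl} in interface outside")
    return lines


def dedicated_ip_config(public_ip, inside_host, tcp_spec, udp_spec, acl="acl_out"):
    """Whole-IP static; only the ports listed in the ACL are reachable from outside."""
    public = str(IPv4Address(public_ip))
    inside = str(IPv4Address(inside_host))
    lines = [f"static (inside,outside) {public} {inside} netmask 255.255.255.255 0 0"]
    lines += _acl_lines(acl, f"host {public}", tcp_spec, udp_spec)
    lines.append(f"access-group {acl} in interface outside")
    return lines


if __name__ == "__main__":
    # Polycom ports from the thread: tcp 1720 and 3230-3235, udp 3230-3253
    TCP, UDP = "1720,3230-3235", "3230-3253"
    print("! --- forwarding on the outside interface address ---")
    print("\n".join(interface_pat_config("10.0.0.140", TCP, UDP)))
    print("! --- with a dedicated public IP (203.0.113.5 is a documentation address) ---")
    print("\n".join(dedicated_ip_config("203.0.113.5", "10.0.0.140", TCP, UDP)))
```

Running it prints 31 port statics plus three ACL entries for the interface-address case, and a single static plus the same three ACL entries for the dedicated-IP case; paste the output in configuration mode and follow with "write memory".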

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.