Re: how to configure PAT on Pix 501

In article , snipped-for-privacy@gmail.com wrote:
:These are the rules I have defined ...
:static (inside,outside) tcp interface 50000 192.168.1.50 www netmask 255.255.255.255 0 0
:static (inside,outside) tcp interface 50001 192.168.1.50 telnet netmask 255.255.255.255 0 0

:The problem is when I telnet from say, 10.1.1.30 using the command
:'telnet 10.1.1.5 50001', my connection just times out, same w/ web.

Times out implies that it didn't get a RST or ICMP unreachable. That implies that either the packets didn't get to the PIX or else that the PIX blocked the packets.

Did you add an appropriate access-list ?

access-list out2in permit tcp any interface outside eq 50000
access-list out2in permit tcp any interface outside eq 50001
access-group out2in in interface outside

Walter Roberson
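
The distinction drawn in the post above (a timeout means neither a RST nor an ICMP unreachable came back), as an added example that is not part of the original thread: a small Python probe that reports which kind of answer a single TCP connect attempt produced. The function name and outcome labels are made up for this illustration.

```python
import errno
import socket
import sys

# Outcome labels (chosen for this example):
#   open        - the TCP handshake completed
#   refused     - a RST came back: the packet reached a host, but nothing
#                 is listening or forwarded on that port
#   unreachable - an ICMP unreachable came back
#   timeout     - no answer at all: the packet never arrived, or a filter
#                 dropped it silently
UNREACHABLE_ERRNOS = {errno.EHOSTUNREACH, errno.ENETUNREACH}


def classify_connect(host, port, timeout=3.0):
    """Attempt one TCP connect and report which answer, if any, came back."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except (socket.timeout, TimeoutError):
        # Covers both our own timer expiring and the kernel's ETIMEDOUT.
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in UNREACHABLE_ERRNOS:
            return "unreachable"
        raise  # anything else (bad address, local policy) is not a probe result
    finally:
        sock.close()


if __name__ == "__main__":
    # Usage: python probe.py <host> <port>
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    print(target_host, target_port, classify_connect(target_host, target_port))
```

A "timeout" result points at the path or the filter rules in front of the host, while "refused" means the packet got through and the translation or the service behind it is the place to look.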

When I tried to add ...

access-list out2in permit tcp any interface outside eq 50000

I got the following error:
ERROR: invalid IP address interface

Yet when I type 'show interface', it's there with ... interface ethernet0 "outside" is up, line protocol is up ... (lots of info following)

And all looks normal. I also added a name like 'name outside 10.1.1.5' but that didn't help so I took that back out. And I didn't add the group because it looked like that could only be added after the access-list was defined.

What am I missing now?

Wizumwalt

In article , snipped-for-privacy@gmail.com wrote:
:When I tried to add ...

:access-list out2in permit tcp any interface outside eq 50000

:I got the following error:
:ERROR: invalid IP address interface

Try removing the word 'outside'.

:What am I missing now?

You didn't tell us which PIX version you are running. The 501 was introduced at 6.1(1); the use of 'interface' followed by a name is a 6.3-ism. If 'interface' by itself works then you have 6.2. If 'interface' by itself does not work then you have 6.1 and you cannot do what you want to do -- in 6.1 you had to have a separate "public" IP, with port forwarding off the interface IP not supported until 6.2.

Walter Roberson

I have a CISCO PIX Firewall 6.2(2) ... so it sounds like what I'm trying to do will work, but neither one of those commands works.

Using this ...
access-list out2in permit tcp any interface outside eq 50000
or this ...
access-list out2in permit tcp any interface eq 50000

both give me the same error ...
ERROR: invalid IP address interface

If I do a 'show access-list' at the prompt, there are no items at all, so I'm guessing that's correct. Any other ideas?

Wizumwalt
