what does this mean ? (inside,outside)

Those are interface names as given by nameif commands.

The meaning is that if a packet arrives at the interface named first, going to the interface named second, and the packet matches the specification given on the *end* of the line (not the middle!), then the -source- IP address and port should be translated and the destination IP and port should be left alone; and if a packet arrives at the second interface named, headed for the first interface named, and the packet matches the specification given in the *middle* of the line, then the -destination- IP address and port should be translated and the source IP and port should be left alone.

But i still don't understand it. Why are there thies ( ) around inside,outside) ?

So inside, outside in this will mean ..? static (inside,outisde) tcp interface 3389 inside ip 3389 netmask

sorry i'm really trying to understand it :)

Walter Roberson skrev:

Why not? :) Cisco can invent any syntax it likes.

But in answer to the question: the interface pair is optional in the syntax. The documentation is not clear, but the default is probably (inside,outside) . The () tells the parser that the interface pair was included.

That "inside ip" should be replaced with a single internal IP address such as,

static (inside,outisde) tcp interface 3389 192.168.111.222 3389 netmask

The word 'interface' is a special keyword and means "the IP address of the interface we are talking about".

Tne above means "If a packet arrives on the outside interface with a destination IP which is the same as the PIX's outside IP, and the packet is a TCP packet and the destination port is 3389, then the packet should be rewritten so that the destination is port 3389 on address 192.168.111.222 of the inside interface.". It also means (at the same time), "If a packet arrives on the inside interface with a source IP of 192.168.111.222 and a source port of 3389 then the packet should be rewritten so that the source port is 3389 and the source IP is the IP of the PIX's outside interface."

The confusing part of this is that the first part after the ) corresponds to the specification for the -second- interface listed, and the -second- part after the ) corresponds to the specification for the -first- interface listed:

static (FIRST,SECOND) SECOND FIRST

Thnaks for the answer :)

So can you help me with my next problem ? I would like to setup af port forwording for my vnc. How do i do that ? I got a pix 501

Walter Roberson skrev:

static (inside,outside) tcp interface 5900 INTERNALIP 5900 netmask

access-list out2in permit tcp any interface outside eq 5900

access-group out2in in interface outside

Thank you. I will try this at work

snipped-for-privacy@gmail.com skrev:

And tje INTERNALIP is the ip for the vnc server, right? just to be sure

snipped-for-privacy@gmail.com skrev:

It works.

Thanks for the help :)

snipped-for-privacy@gmail.com skrev:

netmask 255.255.255.255