Author [HELP] Cisco PIX 515 Port Forwarding
Corbin O'Reilly

2003-09-25, 9:25 pm

Hi everyone. I have a Cisco PIX 515 and am trying to do a simple task. When
somebody connects to an external IP address on a specific port I want it to
direct to an internal IP on a different port. For example, if somebody
connects to the external 215.152.16.8 on port 9386 I want it to map to port
2516 on 192.168.1.8. I know the command to map the IP is:

static (inside,outside) 215.152.16.8 192.168.1.8 netmask 255.255.255.255 0 0

What is the command to redirect the ports? Does this command look right?

static (inside,outside) tcp 215.152.16.8 9386 192.168.1.8 2516 netmask 255.255.255.255 0 0

Thanks for the help. Raven.


Walter Roberson

2003-09-26, 1:26 am

In article <44Mcb.12492$ai7.7205@newsread1.news.atl.earthlink.net>,
Corbin O'Reilly <coreilly@mindspring.com> wrote:
:Hi everyone. I have a Cisco PIX 515 and am trying to do a simple task. When
:somebody connects to an external IP address on a specific port I want it to
:direct to an internal IP on a different port. For example, if somebody
:connects to the external 215.152.16.8 on port 9386 I want it to map to port
:2516 on 192.168.1.8. I know the command to map the IP is:

:static (inside,outside) 215.152.16.8 192.168.1.8 netmask 255.255.255.255 0 0

:What is the command to redirect the ports? Does this command look right?

:static (inside,outside) tcp 215.152.16.8 9386 192.168.1.8 2516 netmask 255.255.255.255 0 0

Looks right to me.

You will of course need an access-list permitting the traffic,
applied to the outside interface via the 'access-group' command.
--
"WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG"
WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG. (GEB)

Corbin O'Reilly

2003-09-26, 3:25 pm

Thanks for the reply. Please let me know if these are the commands I need to
add.

static (inside,outside) tcp 215.152.16.8 9386 192.168.1.8 2516 netmask 255.255.255.255 0 0
conduit permit tcp host 215.152.16.8 eq 9386 any

I appreciate the help.


"Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca> wrote in message
news:bl0ecl$7v2$1@canopus.cc.umanitoba.ca...
> In article <44Mcb.12492$ai7.7205@newsread1.news.atl.earthlink.net>,
> Corbin O'Reilly <coreilly@mindspring.com> wrote:
> :Hi everyone. I have a Cisco PIX 515 and am trying to do a simple task. When
> :somebody connects to an external IP address on a specific port I want it to
> :direct to an internal IP on a different port. For example, if somebody
> :connects to the external 215.152.16.8 on port 9386 I want it to map to port
> :2516 on 192.168.1.8. I know the command to map the IP is:
>
> :static (inside,outside) 215.152.16.8 192.168.1.8 netmask 255.255.255.255 0 0
>
> :What is the command to redirect the ports? Does this command look right?
>
> :static (inside,outside) tcp 215.152.16.8 9386 192.168.1.8 2516 netmask 255.255.255.255 0 0
>
> Looks right to me.
>
> You will of course need an access-list permitting the traffic,
> applied to the outside interface via the 'access-group' command.
> --
> "WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG"
> WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG. (GEB)



Walter Roberson

2003-09-26, 5:24 pm

In article <jT%cb.7189$pP6.2931@newsread2.news.atl.earthlink.net>,
Corbin O'Reilly <coreilly@mindspring.com> wrote:
:Thanks for the reply. Please let me know if these are the commands I need to
:add.

:static (inside,outside) tcp 215.152.16.8 9386 192.168.1.8 2516 netmask 255.255.255.255 0 0
:conduit permit tcp host 215.152.16.8 eq 9386 any

The extended version of 'static' has been supported since PIX 6.0(1),
and Cisco has been recommending against using 'conduit' since PIX 5.1(2)
or so. Cisco does not promise that conduits will function properly with
PIX 6 features such as port forwarding. I would highly recommend
that you use access-list and access-group instead.
--
And the wind keeps blowing the angel / Backwards into the future /
And this wind, this wind / Is called / Progress.
-- Laurie Anderson

Rik Bain

2003-09-26, 10:24 pm

On Sat, 27 Sep 2003 02:39:25 +0600, Walter Roberson wrote:

> The extended version of 'static' has been supported since PIX 6.0(1),
> and Cisco has been recommending against using 'conduit' since PIX 5.1(2)
> or so. Cisco does not promise that conduits will function properly with
> PIX 6 features such as port forwarding. I would highly recommend that
> you use access-list and access-group instead.



Just to add to Walter's statement, the release notes for 6.3.3 state that
it is the last major release to support conduit.

Rik Bain
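
The conduit-to-access-list change recommended above, as an added example that is not part of the original thread: a small Python translator that rewrites `conduit` statements into the `access-list` plus `access-group` form. The pitfall it shows is the argument order: `conduit` lists the global (destination) address first and the foreign (source) address second, while `access-list` lists source first. The ACL name `outside_in` and the function names are assumptions, and only the `any` / `host A` / `A MASK` address forms with optional port qualifiers are handled.

```python
# Added example: translate PIX 'conduit' statements into access-list form.
PORT_OPS = ("eq", "lt", "gt", "neq")

def _take_addr(tok, i):
    """Consume 'any', 'host A' or 'A MASK' starting at tok[i]."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return "host " + tok[i + 1], i + 2
    return tok[i] + " " + tok[i + 1], i + 2

def _take_port(tok, i):
    """Consume an optional 'eq P' / 'range P1 P2' style port qualifier."""
    if i < len(tok) and tok[i] in PORT_OPS:
        return " " + " ".join(tok[i:i + 2]), i + 2
    if i < len(tok) and tok[i] == "range":
        return " " + " ".join(tok[i:i + 3]), i + 3
    return "", i

def conduit_to_acl(line, acl_name="outside_in"):
    """conduit:     ACTION PROTO <global/dest> [port] <foreign/source> [port]
    access-list: NAME ACTION PROTO <source> [port] <dest> [port]"""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "conduit" or tok[1] not in ("permit", "deny"):
        raise ValueError("not a conduit statement: " + line)
    try:
        dst, i = _take_addr(tok, 3)
        dst_port, i = _take_port(tok, i)
        src, i = _take_addr(tok, i)
        src_port, i = _take_port(tok, i)
    except IndexError:
        raise ValueError("truncated conduit statement: " + line)
    if i != len(tok):  # e.g. ICMP type keywords, not handled here
        raise ValueError("unsupported trailing tokens: " + line)
    return f"access-list {acl_name} {tok[1]} {tok[2]} {src}{src_port} {dst}{dst_port}"

def migrate(conduits, acl_name="outside_in", interface="outside"):
    """Return the ACL lines plus the access-group line that binds them."""
    lines = [conduit_to_acl(c, acl_name) for c in conduits]
    lines.append(f"access-group {acl_name} in interface {interface}")
    return lines

if __name__ == "__main__":
    # The conduit from the thread; prints the equivalent ACL and its binding.
    for out in migrate(["conduit permit tcp host 215.152.16.8 eq 9386 any"]):
        print(out)
```

The generated ACL still matches on the translated (outside) address and port, 215.152.16.8 and 9386, the same values the conduit in the thread used.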