topic Re: Port address translation in in PIX in Network Security

Port address translation in in PIX

samantha.lk — Mon, 11 Mar 2019 13:30:30 GMT

I'm using pix 525 firewall and i want to add a nat entry to accomplish bellow target.

External users direct port 443 requests to unique IP address 203.xxx.xx.xxx, which the PIX redirects to 10.50.4.10 port 8443.

so, if i add it as:

static (inside,outside) tcp 203.xxx.xx.xxx 443 10.50.4.10 8443 netmask 255.255.255.255 0 0

kindly can some one advice will this give what i need as mentioned above.

Re: Port address translation in in PIX

Marwan ALshawi — Wed, 13 Aug 2008 10:16:53 GMT

this is exactly what u need

only one more thing u need to add

which is the permit access list

for example

access-list 100 permit tcp any host 23.x.x.x eq 443

access-group 100 in interface outside

good luck

please, if helpful rate

Re: Port address translation in in PIX

samantha.lk — Thu, 14 Aug 2008 01:01:45 GMT

Many thanks for your valuble response.

I have already added that access-list antry also, even I forget to mention it there.

But unfortunately still it is not allowing outsiders to come inside through https.

DO i have to restart the firewall or do a clear xlate command inorder to work that?

further, is there any way to view whether this NAT is working? (any show command or something ..) when i do show xlate command

it only display as

Global 203.115.19.49 Local 10.50.x.xx

and no port numbers are showing.

your kind advice is appreciated.

Re: Port address translation in in PIX

Marwan ALshawi — Thu, 14 Aug 2008 01:13:22 GMT

r u using port 8443 as https in ur internal server?

basicly it should look like

static (inside,outside) tcp 203.xxx.xx.xxx https 10.50.4.10 https netmask 255.255.255.255

unless u have changed the port number

and sure as u mentioned u have to have permit ACL

do have th proper config on the server it self

i mean the default gateway and so on

try show nat ?

and see the available nat commands

also i would recommend u

after changing any NATing to do

clear xlate

if didnt work

reload the firewall

then test the nat again

good luck

please if helpful rate

Re: Port address translation in in PIX

samantha.lk — Thu, 14 Aug 2008 01:44:20 GMT

it was Nice to see your prompt response..

As u think I'm using port 8443 as https in my internal server.

let me expalin bit more about this senario.

previously our company requirment was provide access for outsiders to access this server on port 8443. (same as the servers https port 8443). so i make changes and it was working fine.

Now they wanted outsiders to access it through port 443 and redirecting that trafic as 8443 to the internal server from the PIX.(server side no change)

so what i have done was changed the previous one to one nat as bellow.

OLD- static (inside,outside) tcp 203.xxx.xx.xxx 10.50.4.10 netmask 255.255.255.255 0 0

NEW- static (inside,outside) tcp 203.xxx.xx.xxx https 10.50.4.10 8443 netmask 255.255.255.255 0 0

and provide access-list antry as

access-list 200 line 28 permit tcp any host 203.xxx.xx.xxx eq https

(this is my outside-inbound access list)

kindly mention whether it is really need to do clear xlate? is there any way to only remove a perticular entry?

when i do show nat it doesn't show all natings.(only 2 showing and i have many others also).

Kindly advice.

many thanks for spending your valuble time on this.

Re: Port address translation in in PIX

Marwan ALshawi — Thu, 14 Aug 2008 01:57:28 GMT

it needs clear xlate

and sometimes needs reloading the firewall !!

try it and let me know

Re: Port address translation in in PIX

Marwan ALshawi — Thu, 14 Aug 2008 04:07:25 GMT

did u get it working ?

Re: Port address translation in in PIX

samantha.lk — Thu, 14 Aug 2008 05:47:44 GMT

I reloaded the firewall and It is working now!!!

Many thanks for your valuble advices..

Re: Port address translation in in PIX

Marwan ALshawi — Thu, 14 Aug 2008 07:47:39 GMT

i am glad its working

and thanks for rating 🙂