access to my network through pix 501

toyinsekoni
Level 1

Hi, I have battled with this for days (first-time user); I know it should be easy, but it isn't working. I have a PIX 501 running 6.3(4). I need to enable an outside user to connect to my server (using pcAnywhere). If my inside IP is a.b.c.d and my outside IP is e.f.g.h, and the server I need the outsider to connect to is i.j.k.l, what do I do to enable him to access my server? Also, what info does he need to give me? He gave me a 172.28.x.x (which is definitely a reserved IP, right?). Any assistance, in both PDM and console, will be appreciated.

Thank you.

4 Replies

gfullage
Cisco Employee

For any access from outside->inside a PIX (called inbound), you need a static and an access-list. I'll also assume you only have one public IP address available to you, and it is currently configured on your outside interface, so you need to set up what's called a port static, so that only specific ports are mapped through to the internal host. PCAW uses TCP ports 5631 and 5632, so you need to map those through from your outside IP address to your inside host.

The following should get you going:

static (inside,outside) tcp e.f.g.h 5631 i.j.k.l 5631 netmask 255.255.255.255

static (inside,outside) tcp e.f.g.h 5632 i.j.k.l 5632 netmask 255.255.255.255

access-list inbound permit tcp any host e.f.g.h range 5631-5632

access-list inbound in interface outside

This will allow access from anywhere to your inside host, so put a good PCAW password on it. Seems the IP address he's coming from is NAT'd somewhere (yes, 172.28.x.x is definitely a private IP address and you will not see this coming into your PIX), so unless you can figure out what his actual IP address will be when it gets to you, you'll have to allow "any". If you do find out where he's coming from, replace the "any" in the access-list above with "host m.n.o.p" where m.n.o.p is his public IP address.

Hi gfullage, thanks for the response, I am halfway there though. Here's what I did:

Did the mapping, which worked well, but the second access-list line (access-list inbound in interface outside) says there's no such thing as "in". Going to the PDM, I noticed changes in the translation rule, but nothing in the access rule tab; it remains "any any inside (outbound) ip implicit outbound rule". What do I do?

thanks

NB: the "range 5631-5632" wasn't accepted; it executed without it.

Bah, my humblest apologies, not enough coffee yesterday. Try the following:

access-list inbound permit tcp any host e.f.g.h eq 5631

access-list inbound permit tcp any host e.f.g.h eq 5632

access-group inbound in interface outside
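As an added illustration (not part of this thread and not Cisco's code), here is a small Python evaluator for the subset of PIX 6.3 syntax used in both answers above: port statics, access-list entries with any/host/eq/range, and access-group. All addresses are constructed stand-ins from documentation ranges for e.f.g.h, i.j.k.l and m.n.o.p. It shows two points from the replies: an access-list that is defined but never bound with access-group still leaves inbound traffic denied (the symptom reported after the first answer), and replacing "any" with "host m.n.o.p" limits who can reach the PCAW ports at all.

```python
"""Toy evaluator for the PIX 6.3 inbound policy discussed in the thread.

Parses the subset of PIX syntax used above (port static, access-list with
any/host/eq/range, access-group) and decides whether an inbound packet on the
outside interface is permitted and where it is translated to.  Addresses are
constructed stand-ins from documentation ranges, not real hosts.
"""
from ipaddress import ip_address, ip_network

OUTSIDE_IP = "203.0.113.10"     # stand-in for e.f.g.h (constructed)
INSIDE_SERVER = "192.168.1.20"  # stand-in for i.j.k.l (constructed)
REMOTE_USER = "198.51.100.7"    # stand-in for m.n.o.p (constructed)

# The corrected configuration from the thread, with stand-in addresses.
CONFIG_OPEN = f"""
static (inside,outside) tcp {OUTSIDE_IP} 5631 {INSIDE_SERVER} 5631 netmask 255.255.255.255
static (inside,outside) tcp {OUTSIDE_IP} 5632 {INSIDE_SERVER} 5632 netmask 255.255.255.255
access-list inbound permit tcp any host {OUTSIDE_IP} eq 5631
access-list inbound permit tcp any host {OUTSIDE_IP} eq 5632
access-group inbound in interface outside
"""

# Same policy with "any" replaced by the remote user's public address.
CONFIG_RESTRICTED = CONFIG_OPEN.replace("permit tcp any", f"permit tcp host {REMOTE_USER}")


def _take_addr(words):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'ADDR NETMASK'."""
    if words[0] == "any":
        return ip_network("0.0.0.0/0"), words[1:]
    if words[0] == "host":
        return ip_network(words[1] + "/32"), words[2:]
    return ip_network(f"{words[0]}/{words[1]}"), words[2:]


def _take_ports(words):
    """Consume an optional 'eq P' or 'range A B' port spec into (low, high)."""
    if not words:
        return None
    if words[0] == "eq":
        return int(words[1]), int(words[1])
    if words[0] == "range":
        return int(words[1]), int(words[2])
    raise ValueError(f"unsupported port spec: {' '.join(words)}")


def parse_config(text):
    """Build {'statics', 'acls', 'bindings'} from the supported PIX commands."""
    policy = {"statics": {}, "acls": {}, "bindings": {}}
    for raw in text.strip().splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "static":
            # static (inside,outside) tcp OUT_IP OUT_PORT IN_IP IN_PORT netmask MASK
            _, _ifaces, proto, out_ip, out_port, in_ip, in_port, *_ = words
            policy["statics"][(proto, out_ip, int(out_port))] = (in_ip, int(in_port))
        elif words[0] == "access-list":
            # access-list NAME permit|deny PROTO SRC DST [eq P | range A B]
            name, action, proto = words[1], words[2], words[3]
            src, rest = _take_addr(words[4:])
            dst, rest = _take_addr(rest)
            policy["acls"].setdefault(name, []).append((action, proto, src, dst, _take_ports(rest)))
        elif words[0] == "access-group":
            # access-group NAME in interface IFACE
            policy["bindings"][words[4]] = words[1]
        else:
            raise ValueError(f"unsupported line: {raw}")
    return policy


def evaluate(policy, iface, proto, src, dst, dport):
    """Decide an inbound packet: ('permit', (inside_ip, inside_port)) or ('deny', why).

    Mirrors PIX 6.3 behaviour: the ACL bound to the outside interface is
    matched first-hit against the untranslated (public) destination; with no
    bound ACL or no matching permit, lower-to-higher security traffic is denied.
    """
    acl_name = policy["bindings"].get(iface)
    entries = policy["acls"].get(acl_name, [])
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for action, aproto, asrc, adst, ports in entries:
        if aproto not in (proto, "ip") or src_ip not in asrc or dst_ip not in adst:
            continue
        if ports and not ports[0] <= dport <= ports[1]:
            continue
        if action == "deny":
            return "deny", "explicit deny"
        break
    else:
        return "deny", "no bound access-list permits this packet (implicit deny)"
    xlate = policy["statics"].get((proto, dst, dport))
    if xlate is None:
        return "deny", "permitted by ACL but no static translation exists"
    return "permit", xlate


if __name__ == "__main__":
    for label, cfg in (("any-source", CONFIG_OPEN), ("restricted", CONFIG_RESTRICTED)):
        pol = parse_config(cfg)
        for src in (REMOTE_USER, "198.51.100.8"):
            for port in (5631, 3389):
                print(label, src, port, evaluate(pol, "outside", "tcp", src, OUTSIDE_IP, port))
```

Running it prints, for each policy, which (source, port) pairs reach the inside server; only TCP 5631/5632 to the outside address are ever translated, and under CONFIG_RESTRICTED only the one listed source is permitted.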

Thanks bro, can't imagine how excited you get when you get things working. More to come.

Thanks gfullage.
