04-21-2006 01:30 AM - edited 02-21-2020 12:51 AM
Hi Expert,
If I want to dynamically NAT a port range from 5500 to 5800 on my public IP, which is NATed to a private IP, how do I configure it?
Here is the example:
public IP = x.x.x.x
private IP = z.z.z.z
NAT x.x.x.x port 5500-5800 to z.z.z.z port 5500-5800
The PIX firewall is running OS 6.3(4).
The customer actually needs to enable this for FTP traffic, so that clients can dynamically use ports within the range 5500 to 5800.
Hope someone can help me on this, thank you.
Rgds,
Au Yeong Shaw Voel
04-21-2006 02:56 AM
Try the following:
static (inside,outside) x.x.x.x access-list port_map
access-list port_map permit tcp any host z.z.z.z range 5500 5800
You also need to configure an outside access-list permitting this traffic from outside,
so add the following line to your access-list on the outside interface:
access-list out permit tcp any host x.x.x.x range 5500 5800
If you are also using the FTP protocol on non-standard ports (5500-5800) you may need the command
fixup protocol ftp on those ports
M.
Hope that helps; rate if it does.
04-22-2006 10:29 PM
Hi M,
But why does it keep prompting an error:
ERROR: cannot translate from IP protocol tcp to IP protocol ip
After I create the access-list, when I try to key in the static command, it prompts this error.
Please help.
Thank you.
Rgds,
Au Yeong Shaw Voel
04-23-2006 12:05 AM
Please paste your access-list and the static command you are trying to issue here.
04-23-2006 12:35 AM
Hi there .. I have been following your case, as I have not had that requirement before ... I believe you already posted this issue a few days ago. I don't think a range of ports is supported by a static instruction on the PIX. I have tried several combinations in a lab and it just does not work.
I think your best option will be to perform a one to one static NAT and control the filtering on the access-list applied to the outside interface.
static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255
access-list outside-in permit tcp any host x.x.x.x range 5500 5800
04-23-2006 05:10 PM
Hi Fernando,
Yes, I would like to do the same thing as you said, but my public IP is already mapped to a different IP with a different port.
Here I attach my configuration; the IP that I would like to map to the range 5500 to 5800 is 219.95.73.30, and my private IP is 200.1.1.5.
I don't think I can do one-to-one mapping anymore.
Or do you have another solution for this?
Thank you.
Rgds,
Au Yeong Shaw Voel
04-23-2006 09:06 PM
Like Fernando said... try this:
static (inside,outside) 219.95.73.30 200.1.1.5 netmask 255.255.255.255
access-list outside-in permit tcp any host 219.95.73.30 range 5500 5800
access-group outside-in in interface outside
Make sure 219.95.73.30 is not being used in any other static commands. The best thing is to remove all other statics and just keep your interface PAT.
When searching for an outbound connection, the firewall will first see the static and use that for the host 200.1.1.5, since that is an exact match.
It should work.
Then watch your live log to see what traffic is coming through and whether sessions for your ports are indeed running.
All the best.
It will be great if you can assign points,
first to Fernando.
vic
04-23-2006 10:58 PM
I am on the run right now .. I will look at your config and see what other options (if any) you have.
04-24-2006 12:52 AM
I have checked your configs .. the only option you have is a static using 219.95.73.28, which is not used as yet.
static (inside,outside) 219.95.73.28 200.1.1.X netmask 255.255.255.255
access-list 101 permit tcp any host 219.95.73.28 range 5500 5800
Also I see that remote access using Remote Desktop is allowed from the Internet. Make your customer aware that this sort of access is a security risk, as usernames and passwords travel in clear text. I suggest a remote-access VPN set up for remote access. Anyway .. the instructions above will solve your current issue.
Please rate if you find this helpful
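The two answers above (vic's "make sure 219.95.73.30 is not used in any other static" and Fernando's one-to-one static plus a port-range ACL) both rest on how the PIX pairs an inbound ACL with a static. The following Python is an added example, not code from the thread or from Cisco: it parses the `static` and `access-list` lines in the shape the thread uses, flags a public address consumed by more than one static (the conflict the asker hit), evaluates a sample inbound packet the way the PIX would (ACL on the public address first, then a static must cover it), and lists management ports opened to `any`. The port-forward form of `static` and the management-port list are assumptions for the example; the sample configuration lines are constructed from the thread's addresses.

```python
"""Model of PIX 6.3 static NAT + outside ACL decisions (added example, not the thread's config)."""
import re
from dataclasses import dataclass
from typing import Optional

# One-to-one static: static (in,out) PUBLIC PRIVATE netmask MASK
# Port static (assumed form): static (in,out) tcp|udp PUBLIC PPORT PRIVATE PPORT netmask MASK
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (?:(tcp|udp) (\S+) (\d+) (\S+) (\d+)|(\S+) (\S+)) netmask (\S+)$")
# Only the ACE shape used in the thread is modelled:
#   access-list NAME permit|deny PROTO any host IP [eq PORT | range LO HI]
ACE_RE = re.compile(
    r"^access-list (\S+) (permit|deny) (\w+) any host (\S+)(?: eq (\d+)| range (\d+) (\d+))?$")


@dataclass
class Static:
    public_ip: str
    private_ip: str
    proto: Optional[str] = None        # None means one-to-one static, all ports
    public_port: Optional[int] = None
    private_port: Optional[int] = None


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    host: str
    lo: int
    hi: int


def parse_config(text: str):
    """Extract statics and ACEs; lines of any other shape (access-group etc.) are ignored."""
    statics, aces = [], []
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            _in, _out, proto, pub, pport, priv, vport, pub1, priv1, _mask = m.groups()
            if proto:
                statics.append(Static(pub, priv, proto, int(pport), int(vport)))
            else:
                statics.append(Static(pub1, priv1))
            continue
        m = ACE_RE.match(line)
        if m:
            acl, action, proto, host, eq, lo, hi = m.groups()
            if eq:
                lo = hi = eq
            elif lo is None:
                lo, hi = 0, 65535          # no port qualifier: whole protocol
            aces.append(Ace(acl, action, proto, host, int(lo), int(hi)))
    return statics, aces


def conflicting_publics(statics):
    """Public addresses that a one-to-one static shares with any other static.
    This is the asker's situation: the address was already consumed by other statics."""
    by_ip = {}
    for s in statics:
        by_ip.setdefault(s.public_ip, []).append(s)
    return sorted(ip for ip, entries in by_ip.items()
                  if len(entries) > 1 and any(s.proto is None for s in entries))


def inbound(statics, aces, acl_name, dst_ip, dst_port, proto="tcp"):
    """Decide an inbound packet on the outside interface: (permitted, private_ip, private_port).
    The ACL is matched on the public (untranslated) destination; a static must then cover it."""
    for ace in aces:
        if ace.acl != acl_name or ace.host != dst_ip or ace.proto not in (proto, "ip"):
            continue
        if ace.lo <= dst_port <= ace.hi:
            if ace.action == "deny":
                return (False, None, None)
            break                           # first matching ACE wins
    else:
        return (False, None, None)          # implicit deny at the end of the list
    for s in statics:                       # port statics are exact matches, check them first
        if s.proto == proto and s.public_ip == dst_ip and s.public_port == dst_port:
            return (True, s.private_ip, s.private_port)
    for s in statics:
        if s.proto is None and s.public_ip == dst_ip:
            return (True, s.private_ip, dst_port)   # one-to-one static keeps the port
    return (False, None, None)              # no translation, so no inbound path


MANAGEMENT_PORTS = {23: "telnet", 3389: "rdp"}   # assumption: ports worth a second look


def management_exposures(aces, acl_name):
    """ACEs that permit remote-management ports from source 'any' (the Internet)."""
    found = []
    for ace in aces:
        if ace.acl != acl_name or ace.action != "permit":
            continue
        for port, name in MANAGEMENT_PORTS.items():
            if ace.lo <= port <= ace.hi:
                found.append((ace.host, port, name))
    return found


# Constructed sample: the thread's final answer plus one port static already in use on .30
SAMPLE_CONFIG = """
static (inside,outside) tcp 219.95.73.30 80 200.1.1.10 80 netmask 255.255.255.255
static (inside,outside) 219.95.73.28 200.1.1.5 netmask 255.255.255.255
access-list 101 permit tcp any host 219.95.73.30 eq 80
access-list 101 permit tcp any host 219.95.73.28 range 5500 5800
access-list 101 permit tcp any host 219.95.73.28 eq 3389
access-group 101 in interface outside
"""

if __name__ == "__main__":
    statics, aces = parse_config(SAMPLE_CONFIG)
    print(inbound(statics, aces, "101", "219.95.73.28", 5600))   # (True, '200.1.1.5', 5600)
    print(inbound(statics, aces, "101", "219.95.73.28", 6000))   # (False, None, None)
    print(conflicting_publics(statics))                           # []
    print(management_exposures(aces, "101"))                      # [('219.95.73.28', 3389, 'rdp')]
```

Run it against a saved `show run` after the change: an empty `conflicting_publics` result confirms the new static has the public address to itself, and `inbound` on a port outside 5500-5800 should come back denied, which is the filtering that stands in for the port-range NAT the PIX does not offer.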
04-24-2006 01:15 AM
Hi Fernando,
Thanks. Let me try your solution.
Rgds,
Au Yeong Shaw Voel