11-13-2012 11:05 PM - edited 03-11-2019 05:23 PM
Hello,
I am a newbie here and I need a suggestion on how to configure my PIX 501.
I have an IP phone which needs to reach the IP Central, which is in another LAN, and I need to get there over the ADSL connection.
Now I have a public IP on my PIX (89.x.x.34) and I'll point the IP phone there. But I have to tell the PIX to forward all the UDP and TCP traffic arriving on port 5060 to the corresponding internal LAN IP of the IP Central (192.168.x.50).
They told me to open ports in the range UDP 10.000 - 15.000 but I don't know why.
As I told you, I am new and I don't know how to do it.
I tried the following but without success:
try #1: ip nat inside source static tcp 192.168.x.50 5060 89.x.x.34 5060 extendable
try #2: static (inside) TCP 192.168.x.50 89.x.x.34 eq 5060
Do you have any suggestions to help me?
Thanks in advance.
Stefano
11-14-2012 02:09 AM
Hi Stefano,
For a static NAT you would do this:
static (inside,outside) 89.x.x.34 192.168.5.6 netmask 255.255.255.255
For allowing ports of TCP and UDP:
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list acl_out extended permit object-group TCPUDP any host 89.x.x.34 range 10000 15000
access-list acl_out extended permit udp any host 89.x.x.34 eq sip
access-group acl_out in interface outside
Here sip refers to port 5060.
Please don't forget to rate helpful posts.
Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."
11-14-2012 03:00 AM
Hi there,
First of all, thanks for the answer.
I have some questions.
This line
static (inside,outside) 89.x.x.34 192.168.5.6 netmask 255.255.255.255
forwards all the traffic to the IP 192.168.5.6, but I have to forward just the 5060 UDP and 5060 FTP traffic to that IP. If I apply that line (and I did ;-) LOL) I block all the web on the other clients, so I had to remove the line. To do what I need, is it enough to do this:
static (inside,outside) 89.x.x.34 192.168.5.6 netmask 255.255.255.255 eq 5060 (??)
or this
static (inside,outside) UDP 89.x.x.34 192.168.5.6 netmask 255.255.255.255 (??)
static (inside,outside) FTP 89.x.x.34 192.168.5.6 netmask 255.255.255.255 (??)
I couldn't complete the configuration because when I finished writing the line
protocol-object tcp
and I was in this mode: DevicePIX(protocol-conf)#
I tried to write the access-list part, but when I finished typing the first line it told me
ERROR:
Can you help me solve this problem?
Thank you in advance for your kind answer.
Stefano
PS: My PIX version is 6.3(5).
11-14-2012 04:39 AM
I forgot to write a line:
access-group acl_out in interface outside
By this you are only allowing the ports TCP and UDP for the range 10000 to 150000.
static (inside,outside) 89.x.x.34 192.168.x.50 netmask 255.255.255.255 eq 5060
nat (inside) 1 192.168.x.50 255.255.255.255
By this you are allowing internet access to 192.168.x.50 with port 5060 only.
Try this.
Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."
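Added example, not part of any post in this thread: the per-port form of `static` in PIX 6.3 shown beside the one-to-one form, for the SIP signalling port only. `<phone-public-ip>` is a placeholder, since the thread does not give the phone's source address, and the media port range mentioned in the question is not covered here.

```cisco
: Added example in PIX 6.3 syntax; not taken from the posts above.
: Assumption: <phone-public-ip> stands for the remote phone's source
: address. acl_out is the ACL name already used in the thread.

: Broad form (commented out): a one-to-one static maps the whole public
: address, every port, to a single inside host.
: static (inside,outside) 89.x.x.34 192.168.x.50 netmask 255.255.255.255

: Narrow form: per-port redirection, one line per protocol and port.
: static (in_if,out_if) {tcp|udp} global_ip global_port local_ip local_port
: If 89.x.x.34 is the outside interface's own address, use the keyword
: "interface" in place of the address.
static (inside,outside) udp 89.x.x.34 5060 192.168.x.50 5060 netmask 255.255.255.255
static (inside,outside) tcp 89.x.x.34 5060 192.168.x.50 5060 netmask 255.255.255.255

: Permit only the known phone as source instead of "any".
: PIX 6.3 access-list syntax has no "extended" keyword.
access-list acl_out permit udp host <phone-public-ip> host 89.x.x.34 eq 5060
access-list acl_out permit tcp host <phone-public-ip> host 89.x.x.34 eq 5060
access-group acl_out in interface outside

: Clear existing translations so the new statics are used
: (this drops connections currently passing through the PIX).
clear xlate
```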