
PIX 501 and Static NAT

ComInduno
Level 1

Hello,

I am a newbie here and I need a suggestion on how to configure my PIX 501.

I have an IP phone which needs to reach the IP Central, which is in another LAN, and I need to arrive there with the ADSL connection.

Now I have a public IP on my PIX (89.x.x.34) and I'll point there with the IP phone. But I have to tell the PIX to forward all the UDP and TCP traffic arriving from port 5060 to the corresponding internal LAN IP of the IP Central (192.168.x.50).

They told me to open ports in the range UDP 10.000 - 15.000 but I don't know why.

As I told you, I am new and I don't know how to do it.

I tried the following but without success:

try #1: ip nat inside source static tcp 192.168.x.50 5060 89.x.x.34 5060 extendable

try #2: static (inside) TCP 192.168.x.50 89.x.x.34 eq 5060

Do you have any suggestions to help me?

Thanks in advance.

Stefano

3 Replies

Hi Stefano,

For a static NAT you would do this

static (inside,outside) 89.x.x.34 192.168.5.6 netmask 255.255.255.255

For allowing ports of tcp and udp

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list acl_out extended permit object-group TCPUDP any host 89.x.x.34 range 10000  15000

access-list acl_out extended permit udp any host 89.x.x.34 eq sip

access-group acl_out in interface outside

 

Here sip refers to port 5060.

Please don't forget to rate helpful posts.

Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."

Hi there,

First of all, thanks for the answer.

I have some questions:

This line

static (inside,outside) 89.x.x.34 192.168.5.6 netmask 255.255.255.255

forwards all the traffic on the 192.168.5.6, but I have to forward just the protocol 5060 UDP and 5060 FTP traffic on that IP. If I apply that line (and I did ;-) LOL) I block all the web on the other clients, so I had to remove the line. To do what I need, is it enough to do this:

static (inside,outside) 89.x.x.34 192.168.5.6 netmask 255.255.255.255 eq 5060 (??)

or this

static (inside,outside) UDP 89.x.x.34 192.168.5.6 netmask 255.255.255.255  (??)

static (inside,outside) FTP 89.x.x.34 192.168.5.6 netmask 255.255.255.255  (??)

I couldn't complete the configuration, because when I finished writing the line

protocol-object tcp

and I was in this mode: DevicePIX(protocol-conf)#

I tried to write the access-list part, but when I finished typing the 1st line it told me

ERROR: not a valid permission

Can you help me to solve this problem?

Thank you in advance for your kind answer.

Stefano

PS: My PIX version is 6.3(5)

I forgot to write a line

access-group acl_out in interface outside

By this you are only allowing the ports tcp and udp for the range 10000 to 150000


static (inside,outside) 89.x.x.34 192.168.x.50 netmask 255.255.255.255 eq 5060

nat (inside) 1 192.168.x.50 255.255.255.255
By this you are allowing internet access to the 192.168.x.50 with the port 5060 only.

Try this

Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."

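Added example, not part of any post in this thread and not Cisco's own configuration: a port-redirection (static PAT) sketch for PIX 6.3 that publishes only port 5060 of the internal host instead of translating the whole public address, which is what cut off web access for the other clients. It assumes 89.x.x.34 is the address of the PIX outside interface and reuses the thread's placeholder addresses and the ACL name acl_out.

```cisco
: Constructed example for PIX 6.3. The "x" octets are the thread's own
: placeholders and must be replaced with the real values.
:
: Port redirection: only port 5060 on the outside interface address is
: translated to 192.168.x.50. Every other port on that address stays
: available for the outbound PAT used by the remaining inside hosts.
static (inside,outside) udp interface 5060 192.168.x.50 5060 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5060 192.168.x.50 5060 netmask 255.255.255.255 0 0

: Permit inbound SIP to the public address only. This is the 6.3 form,
: written without the "extended" keyword used on 7.x and later.
access-list acl_out permit udp any host 89.x.x.34 eq 5060
access-list acl_out permit tcp any host 89.x.x.34 eq 5060
access-group acl_out in interface outside

: Flush old translations so the new statics take effect, then verify.
clear xlate
show static
show access-list acl_out
: The hitcnt value on each entry shows whether inbound SIP reaches the ACL.
:
: The UDP 10.000 - 15.000 range mentioned in the first post is not
: covered by this sketch.
```

Where the SIP peer address is known, replacing `any` with `host <peer-address>` (placeholder) in the two access-list lines narrows the exposure further.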