05-07-2002 03:15 PM - edited 02-20-2020 10:03 PM
OK, I have been through every thread on this forum and have found this same question posed several times, but no answers seem to work for what I have currently, and I never saw anyone say "Hey, that worked," so I am posting it again. I know how to do port redirection on a static route on the PIX 501, or at least in theory how to do it (209.x.x.x being the outside interface and 10.x.x.x being the inside):
fixup protocol ftp 21
ip address outside 209.165.201.25 255.255.255.0
ip address inside 10.1.1.2 255.255.255.0
global (outside) 1 209.165.201.15
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 209.165.201.5 ftp 10.1.1.3 ftp netmask 255.255.255.255 0 0
What I do not understand is how to do this if you are pulling your IP via DHCP on the outside, or with the PIX 501 out-of-box config. How do you set up this whole sequence without giving an outside interface IP, but rather just the outside interface as your point of exit and entry, and then have that redirected to the inside machine of choice? The problem with the above sequence is that once every two weeks or so my ISP changes my DHCP address, so even if I do get it going with the above commands I would have to revert back to using dhcp setroute and then re-enter the configs again with the new IP. I would just like to start off by getting FTP running on an inside machine and having it accessible from the outside world. I am running Cisco PIX Firewall Version 6.1(2). Any help would be greatly appreciated. Thanks.
05-07-2002 06:31 PM
Chooser,
Just saw a config that did this by substituting the keyword 'interface' for the IP addresses you have configured, i.e.:
global (outside) 1 interface
and
static (inside,outside) tcp interface ftp 10.1.1.3 ftp ...
I think that's your ticket. Hope it helps!
Bob
05-07-2002 08:42 PM
Here is my current config that I have right now on my PIX. I tried putting what you told me in there, and then someone else told me about an access-list/access-group I should try. First I tried just what you told me. Then I tried both of these separately and then together, and no go. I have now included both of them so you can see what I have so far and maybe be able to tell me what I may be doing wrong. Thank you very much for your time.
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password blah blah blah
passwd blah blah blah
hostname blah
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list fromoutside permit tcp any host 192.168.1.250 eq ftp
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 192.168.1.250 ftp netmask 255.255.255.255 0 0
access-group fromoutside in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:blah
05-08-2002 10:29 AM
I can point out that the access-list is incorrect; as for the exact syntax, or whether this can be done or not, I'm not sure. Right now your access-list is pointing to the local address (192.168.1.250); it should be pointing to the global address, which in this case is the outside interface.
I think the syntax should be something like this:
access-list fromoutside permit tcp any host 'outside-interface' eq ftp
I don't think the PIX is gonna take this though.
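Pulling the pieces of this thread together, here is the minimal set of commands I would try for this case. This is an added example written for this page, not configuration taken from any of the posters. It assumes the same inside FTP host (192.168.1.250) and ACL name (fromoutside) as the config posted above, and it assumes that PIX 6.1(2) will not accept the `interface` keyword inside an access-list, which is why the destination is left as `any`: on the PIX the inbound ACL on the outside interface is matched against the global (pre-translation) address, so `any` matches whatever address DHCP has handed the outside interface, and the static line is the only thing that decides which host and port that address actually forwards to.

```cisco
fixup protocol ftp 21
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 192.168.1.250 ftp netmask 255.255.255.255 0 0
access-list fromoutside permit tcp any any eq ftp
access-group fromoutside in interface outside
```

After changing the static or access-list, run `clear xlate` so that stale translations are dropped, then check the result from an outside host: `show access-list fromoutside` should show the hitcnt climbing on the permit line, and `show xlate` should show a PAT entry for 192.168.1.250 port 21. The `fixup protocol ftp 21` line matters because it lets the PIX open the FTP data connection in either active or passive mode; without it only the control channel gets through. Two things do not change with this approach: the outside address still changes whenever the ISP hands out a new DHCP lease, so remote users must be told the current address, and nothing other than TCP/21 to 192.168.1.250 is reachable, because no other static exists.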
05-09-2002 08:25 AM
You need to have a static public IP address for the outside interface of the PIX in order to host any kind of server that is to be accessed from the internet. Without this no one could find your site and connect to it. Ask your ISP if they have a way around this.
05-10-2002 10:17 AM
Thanks a lot for helping out. I have been so swamped with work of late that I haven't been on here for a day or two. I will try all the suggestions on my PIX tonight. Again, thank you guys very much for your input.