11-03-2004 05:19 PM - edited 02-20-2020 11:43 PM
Hello,
My sincerest apologies, as this may have been answered in about a million posts here, but I've been unable to find it.
I just installed a PIX 501 in a simple network. DSL router to pix firewall to internal network.
I need to forward several ports for various services: 80, 25, 21, etc.
I have tried to find how to do this from the CLI. Basically, I've found a TON of config files, but I cannot determine exactly what I should enter on the command line. Could someone please give me what commands I need to enter to get this working?
My humble thanks,
Gary
11-03-2004 05:51 PM
Here is an example:
Server with ftp, www and smtp is in my example: 192.168.1.2
Inside Network is: 192.168.1.0/24
Outside is dynamic (DHCP or PPPoE)
access-list acl-out permit tcp any interface outside eq 80
access-list acl-out permit tcp any interface outside eq 21
access-list acl-out permit tcp any interface outside eq 25
access-group acl-out in interface outside
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface 80 192.168.1.2 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 21 192.168.1.2 21 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 25 192.168.1.2 25 netmask 255.255.255.255 0 0
Check also this document:
Using nat, global, static, conduit, and access-list Commands and Port Redirection on PIX
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml
sincerely
Patrick
11-03-2004 07:05 PM
Thanks for the quick reply!
So, when I telnet to the 501, I would enter the following commands, keeping in mind that my internal server IP is 192.168.0.3 and I have a static IP on the outside (not DHCP or PPPoE):
access-list acl-out permit tcp any interface outside eq 80
access-list acl-out permit tcp any interface outside eq 21
access-list acl-out permit tcp any interface outside eq 25
access-group acl-out in interface outside
global (outside) 1 68.16.150.78 255.255.255.248
nat (inside) 1 192.168.0.3 255.255.255.0
static (inside,outside) tcp interface 80 192.168.0.3 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 21 192.168.0.3 21 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 25 192.168.0.3 25 netmask 255.255.255.255 0 0
And if I enter the above 9 commands, then I should expect to be able to hit the PIX on port 25 via the outside interface and have it forward to my SMTP server internally?
Sorry if I seem totally confused.
Gary
11-03-2004 07:26 PM
You can also use a fixed static IP instead of the outside IP address.
access-list acl-out permit tcp any interface outside eq 80
# This means that all traffic to the outside IP (interface outside) on port 80 is accepted. Next is NAT:
static (inside,outside) tcp interface 80 192.168.0.3 80 netmask 255.255.255.255 0 0
# This means that all traffic to port 80 on the outside interface's IP will be forwarded to the internal 192.168.0.3 server on port 80.
Port forwarding is usually used when you have just one IP (static or dynamic) and no other public IP.
If you had a public IP range, let's say 199.199.199.1-15, it would look like this:
access-list acl_outside permit tcp any host WWW-Public2 eq www
static (dmz,outside) WWW-Public2 WWW-DMZ netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
WWW-Public2 is a different public IP address from the PIX outside IP. Otherwise the static could not work, as it is NAT.
By the way:
nat (inside) 1 192.168.0.3 255.255.255.0
#should be a network not a host (192.168.0.3)
#To allow the whole network:
nat (inside) 1 192.168.0.0 255.255.255.0
#To allow a host:
nat (inside) 1 192.168.0.3 255.255.255.255
Hope it is clearer now.
Patrick
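The thread shows the three pieces a PIX port redirection needs (a permit entry in an access-list, that access-list bound to the outside interface, and a `static` translation), plus the `nat` host-versus-network mask slip Patrick points out. The script below is an added example, not code from the thread or from Cisco: it parses the PIX 6.x command shapes used above from a constructed sample config and reports each exposed port, any `static` whose port has no applied permit entry (the redirection would silently never be reached), and any `nat` line whose address is a host but whose mask is not /32. The sample config and the service-name table are constructed for the example.

```python
import ipaddress
import re

# Constructed sample (not a config posted in the thread as-is): the corrected
# commands, the 'nat' line Patrick flags, and one static left without a
# matching access-list entry so the checker has something to report.
SAMPLE_CONFIG = """\
access-list acl-out permit tcp any interface outside eq 80
access-list acl-out permit tcp any interface outside eq 21
access-group acl-out in interface outside
global (outside) 1 interface
nat (inside) 1 192.168.0.3 255.255.255.0
static (inside,outside) tcp interface 80 192.168.0.3 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 21 192.168.0.3 21 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 25 192.168.0.3 25 netmask 255.255.255.255 0 0
"""

# Only the PIX 6.x syntax shapes that appear in this thread are parsed.
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any interface (\S+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
STATIC_RE = re.compile(
    r"^static \((\S+),(\S+)\) (tcp|udp) interface (\S+) (\S+) (\S+) netmask (\S+)"
)

# Service names PIX accepts in place of numbers (the ones used in the thread).
PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "smtp": 25}


def port_number(token):
    """Translate a PIX port token ('80' or 'www') to an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def audit(config_text):
    """Cross-check static port redirection against the ACL and nat statements.

    Returns a dict with:
      forwards:     (outside_if, outside_port, inside_host, inside_port) per static
      unpermitted:  statics whose port has no permit entry in an ACL that is
                    bound inbound on that outside interface
      nat_warnings: nat lines whose address is a host but whose mask is not /32
    """
    permits = {}       # (interface, proto, port) -> acl name
    applied = {}       # acl name -> interface it is bound to
    statics = []
    nat_warnings = []

    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acl, proto, iface, port = m.groups()
            permits[(iface, proto, port_number(port))] = acl
        elif m := GROUP_RE.match(line):
            applied[m.group(1)] = m.group(2)
        elif m := NAT_RE.match(line):
            addr, mask = m.group(3), m.group(4)
            net = ipaddress.IPv4Network((addr, mask), strict=False)
            # A host address with a network mask is almost always a slip:
            # the PIX would translate the whole subnet, not that one host.
            if str(net.network_address) != addr:
                nat_warnings.append(line)
        elif m := STATIC_RE.match(line):
            _inside_if, outside_if, proto, out_port, host, in_port, _mask = m.groups()
            statics.append((outside_if, proto, port_number(out_port), host, port_number(in_port)))

    forwards, unpermitted = [], []
    for outside_if, proto, out_port, host, in_port in statics:
        entry = (outside_if, out_port, host, in_port)
        forwards.append(entry)
        acl = permits.get((outside_if, proto, out_port))
        # The permit must exist AND its ACL must be applied on the same interface.
        if acl is None or applied.get(acl) != outside_if:
            unpermitted.append(entry)

    return {"forwards": forwards, "unpermitted": unpermitted, "nat_warnings": nat_warnings}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for f in result["forwards"]:
        print("forward %s:%d -> %s:%d" % f)
    for u in result["unpermitted"]:
        print("no applied permit for %s port %d (static to %s:%d)" % u)
    for w in result["nat_warnings"]:
        print("host address with network mask:", w)
```

Run against the sample, it lists the three redirections, reports port 25 as having no applied permit entry, and flags the `nat (inside) 1 192.168.0.3 255.255.255.0` line; the same check is useful after any `show run` to confirm that only the ports you intended are both translated and permitted.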