11-28-2005 05:02 AM - edited 02-21-2020 12:33 AM
I have a PIX 501 behind a comcast cable modem. I need to send port 21 to 1 internal IP and the following ports to another internal:
SIP ports 5060 through 5061 using UDP protocol
NTP port 123 using UDP protocol
TFTP port 69 using UDP protocol
DNS port 53 using UDP protocol
RTP ports 10,000 through 20,000 using UDP protocol
Does anyone have any ideas, as I cannot NAT a range of ports (to my knowledge) and it would take forever to manually enter 10,000+ single NAT entries?
11-28-2005 05:11 AM
Hi
You can do static port mapping between the public IP and the inside IPs.
Also, you need to enable access for the same so that it can be accessible from the outside network.
Do find this link, which speaks about mapping the SMTP port to an inside IP address and also enabling access from the outside world using the public IP address.
Regards
11-28-2005 05:21 AM
Hmm, let me try to elaborate more on my question:
I have 1 public IP given dynamically by my cable modem.
I have 2 internal IPs
In my current setup I have a NAT of outside to 192.168.151.10 on port 21.
I now have to add NATs for the following to 192.168.151.4:
SIP ports 5060 through 5061 using UDP protocol
NTP port 123 using UDP protocol
TFTP port 69 using UDP protocol
DNS port 53 using UDP protocol
RTP ports 10,000 through 20,000 using UDP protocol
11-28-2005 10:11 AM
Here is some info from the Cisco site; you will always have to know your IP address or set up your remote access using Dynamic DNS.
Static PAT Examples
To redirect Telnet traffic from the PIX Firewall outside interface to the inside host at 10.1.1.15, enter:
static (inside,outside) tcp interface telnet 10.1.1.15 telnet netmask 255.255.255.255
To redirect FTP traffic from the PIX Firewall outside interface to the inside host at 10.1.1.30, enter:
static (inside,outside) tcp interface ftp 10.1.1.30 ftp netmask 255.255.255.255
To redirect DNS traffic from the PIX Firewall outside interface to the inside host at 10.1.1.30, enter:
static (inside,outside) udp interface domain 10.1.1.30 domain netmask 255.255.255.255
If this helps, rate the comments.
Mike
11-28-2005 10:35 AM
This solution would be perfect, except you cannot NAT port ranges.
i.e. I cannot say
static (inside,outside) udp interface eq 10000-20000 10.1.1.30 eq 10000-20000 netmask 255.255.255.255
Any other suggestions are greatly appreciated.
11-28-2005 01:34 PM
You might want to try the access list feature and see if it will work for you.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026694
static
Configure a one-to-one address translation rule by mapping a local IP address to a global IP address, or a local port to a global port.
[no] static [(local_ifc,global_ifc)] {global_ip | interface} {local_ip [netmask mask] | access-list acl_name} [dns] [norandomseq] [max_conns [emb_limit]]
[no] static [(local_ifc,global_ifc)] {tcp | udp} {global_ip | interface} global_port {local_ip local_port [netmask mask] | access-list acl_name} [dns] [norandomseq] [max_conns [emb_limit]]
show static
Syntax Description
access-list
Lets you identify local traffic for network address translation (NAT) by specifying the local and destination addresses (or ports). This feature is known as policy NAT.
The subnet mask used in the access list is also used for the global_ip.
You can only include permit statements in the access list.
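As an added example, not part of the thread and not Cisco's own code, here is a small Python checker for the two-part recipe the replies above describe: a static PAT line (the tcp/udp form of the `static` syntax quoted above) redirects an outside port to an inside host, and a separate access-list bound to the outside interface with `access-group` must permit that port, or the static is unreachable. The script parses constructed PIX 6.3-style config lines, reports which outside port reaches which inside host and whether the ACL actually opens it, and generates the one-static-per-port lines the original poster did not want to type by hand. The config lines, host addresses, ACL name `outside_in` and the service-name table are assumptions for the example; whether a PIX 501 accepts ten thousand statics is not something this script can tell you.

```python
"""Check PIX 6.3 static PAT lines against the outside access-list.

Added example for this thread; the sample config below is constructed,
not taken from any real device.
"""
import re

# Service keywords used in the thread's Cisco examples, mapped to port numbers
# (assumption: standard IANA numbers; numeric ports are also accepted).
SERVICES = {"telnet": 23, "ftp": 21, "domain": 53, "ntp": 123, "tftp": 69, "sip": 5060}

# static (local_ifc,global_ifc) {tcp|udp} {global_ip|interface} global_port local_ip local_port [netmask m]
STATIC_RE = re.compile(
    r"static \((?P<lifc>\w+),(?P<gifc>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<gaddr>\S+) (?P<gport>\S+) (?P<laddr>\S+) (?P<lport>\S+)(?: netmask \S+)?$"
)
# access-list NAME permit PROTO SRC DST [eq PORT | range LO HI]
ACL_RE = re.compile(
    r"access-list (?P<name>\S+) permit (?P<proto>tcp|udp|ip) (?P<src>any|host \S+) "
    r"(?P<dst>any|host \S+|interface \w+)"
    r"(?: (?:eq (?P<eq>\S+)|range (?P<lo>\S+) (?P<hi>\S+)))?$"
)
GROUP_RE = re.compile(r"access-group (?P<name>\S+) in interface (?P<ifc>\w+)$")


def port_num(tok):
    """Resolve a PIX port keyword or number to an integer."""
    return SERVICES[tok] if tok in SERVICES else int(tok)


def parse(config):
    """Split config text into static PATs, ACL entries by name, and interface bindings."""
    statics, acls, groups = [], {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = STATIC_RE.match(line)
        if m:
            d = m.groupdict()
            statics.append({"gifc": d["gifc"], "proto": d["proto"], "gaddr": d["gaddr"],
                            "gport": port_num(d["gport"]), "laddr": d["laddr"],
                            "lport": port_num(d["lport"])})
            continue
        m = ACL_RE.match(line)
        if m:
            d = m.groupdict()
            if d["eq"]:
                lo = hi = port_num(d["eq"])
            elif d["lo"]:
                lo, hi = port_num(d["lo"]), port_num(d["hi"])
            else:
                lo, hi = 0, 65535          # no port clause: every port
            acls.setdefault(d["name"], []).append((d["proto"], d["dst"], lo, hi))
            continue
        m = GROUP_RE.match(line)
        if m:
            groups[m.group("ifc")] = m.group("name")
    return statics, acls, groups


def acl_permits(entries, s):
    """True if any ACL entry opens the static's global address/protocol/port."""
    if s["gaddr"] == "interface":
        targets = {"any", f"interface {s['gifc']}"}   # PAT on the interface address
    else:
        targets = {"any", f"host {s['gaddr']}"}       # PAT on an explicit global IP
    return any(p in ("ip", s["proto"]) and dst in targets and lo <= s["gport"] <= hi
               for p, dst, lo, hi in entries)


def inbound_map(config):
    """Map (proto, outside port) -> (inside host, inside port, reachable through the ACL)."""
    statics, acls, groups = parse(config)
    result = {}
    for s in statics:
        entries = acls.get(groups.get(s["gifc"]), [])   # ACL bound inbound on the global ifc
        result[(s["proto"], s["gport"])] = (s["laddr"], s["lport"], acl_permits(entries, s))
    return result


def statics_for_range(lo, hi, host, proto="udp", ifcs="inside,outside"):
    """One static per port, since the tcp/udp static form takes a single port."""
    return [f"static ({ifcs}) {proto} interface {p} {host} {p} netmask 255.255.255.255"
            for p in range(lo, hi + 1)]


# Constructed sample: FTP to one host, SIP/DNS/NTP to another; the NTP static
# has no matching permit, so it is redirected but blocked at the outside ACL.
SAMPLE = """
static (inside,outside) tcp interface ftp 192.168.151.10 ftp netmask 255.255.255.255
static (inside,outside) udp interface domain 192.168.151.4 domain netmask 255.255.255.255
static (inside,outside) udp interface 5060 192.168.151.4 5060 netmask 255.255.255.255
static (inside,outside) udp interface 123 192.168.151.4 123 netmask 255.255.255.255
access-list outside_in permit tcp any interface outside eq ftp
access-list outside_in permit udp any interface outside eq domain
access-list outside_in permit udp any interface outside range 5060 5061
access-group outside_in in interface outside
"""

if __name__ == "__main__":
    for (proto, port), (host, lport, ok) in sorted(inbound_map(SAMPLE).items()):
        print(f"{proto}/{port} -> {host}:{lport} {'open' if ok else 'BLOCKED by ACL'}")
    print(len(statics_for_range(10000, 20000, "192.168.151.4")), "statics for RTP range")
```

Run it as-is to see the NTP static flagged as blocked; feed it a real `show run` excerpt to audit an existing box. The ACL matcher accepts `any`, `host <ip>` and `interface <name>` as destinations, which is what a dynamic-address PAT setup needs, but it ignores `deny` lines and source restrictions, so treat a "BLOCKED" result as definite and an "open" result as a prompt to read the full ACL.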