cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1271
Views
0
Helpful
2
Replies

PIX 501 Port Redirection

chooser1
Level 1
Level 1

Ok I have been through every thread on this forum and have found this same question posed several times but no answers seem to work for what I have currently and I never saw anyone say "Hey that worked" so I am posting it again......I know how to do port redirection on a static route on the PIX 501 or at least in theory how to do it(209.x.x.x being the outside interface and 10.x.x.x being the inside:

fixup protocol ftp 21

ip address outside 209.165.201.25 255.255.255.0

ip address inside 10.1.1.2 255.255.255.0

global (outside) 1 209.165.201.15

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 209.165.201.5 telnet 10.1.1.6 telnet netmask 255.255.255.255 0 0

static (inside,outside) tcp 209.165.201.5 ftp 10.1.1.3 ftp netmask 255.255.255.255 0 0

static (inside,outside) tcp 209.165.201.15 telnet 10.1.1.4 telnet netmask 255.255.255.255 0 0

What I do not understand is how to do this if you are pulling your ip via DHCP from the outside. Or with PIX 501 out of box config. How do you setup this whole sequence without giving an outside interface IP but rather just the outside interface as your point of exit and entry, then have that redirected to the inside machine of choice. The problem with the above sequence is once every 2 weeks or so my ISP changes my DHCP address so even if I do get it going with the above commands I would have to revert back to using dhcp setrout and then re-enter the configs again with the new IP. I would just like to start off by getting FTP running on an inside machine and having it accessible from the outside world. I am running Cisco PIX Firewall Version 6.1(2). Any help would be greatly appreciated. Thanks.

2 Replies 2

gradosavljevic
Level 1
Level 1

If I understand you correct, and to keep it simple :

Users on the outside are not able to connenct to your FTP because the outside address of the PIX changes from time to time..???

Assuming I got this correct, and also assumng that the outside interface allocates it address with some kind of DHCP, the 6.2 version (I know you are running 6.1, so you might have to upgrade) supports in the STATIC statement a reference to a dynamic IP address. So in your case I guess this would do the trick:

static (inside,outside) tcp OUTSIDE ftp 10.1.1.3 ftp netmask 255.255.255.255

??!!

Good luck

Goran

I take that back,.... I misunderstood the documentation, however You might want to try

static (inside,outside) tcp INTERFACE ftp 10.1.1.3 ftp netmask 255.255.255.255

... but I'm not sure on this one....

Sorry :-(

Review Cisco Networking for a $25 gift card