11-12-2004 08:58 AM - edited 02-20-2020 11:44 PM
Hi
First-time user on the PIX and wondering, based on the current config, what is the best way to forward a range of IP ports to a dedicated internal server.
Thanks for the help
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname pix
domain-name
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol http 80
no fixup protocol smtp 25
names
access-list 111 permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list 111 permit icmp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list MAIL permit gre any host 1.10.20.20
access-list MAIL permit tcp any host 1.10.20.20 eq 1723
access-list MAIL permit tcp any host 1.10.20.20 eq smtp
pager lines 24
logging on
logging timestamp
logging trap errors
logging history errors
logging facility 0
logging host inside 10.0.0.5
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 1.10.20.18 255.255.255.248
ip address inside 10.0.0.254 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.5 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 10.0.0.251 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 1.10.20.19
nat (inside) 0 access-list 111
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) 1.10.20.20 10.0.0.3 netmask 255.255.255.255 0 0
access-group MAIL in interface outside
conduit permit tcp host 1.10.20.20 eq smtp any
route outside 0.0.0.0 0.0.0.0 1.10.20.17 1
route inside 10.1.0.0 255.255.0.0 10.0.1.100 1
11-12-2004 09:37 AM
The best way to do this is to create a dedicated 1:1 static like you already have:
static (inside,outside) 1.10.20.20 10.0.0.3 netmask 255.255.255.255 0 0
but I assume you are asking for something a little more specific. Are you trying to use the 1.10.20.20 address for multiple internal servers? Perhaps a little more detail will help in clarifying this.
Scott
11-12-2004 10:26 AM
Yes, I would like to use 1.10.20.20 for multiple servers.