07-12-2003 09:48 PM - edited 03-09-2019 04:00 AM
In the ip nat source static command on my router, there is the EXTENDABLE option after the port number. What is the equivalent of that in my PIX? I have to permit the same in my firewall.
Thanks a lot.
07-13-2003 01:05 AM
Hello Erwin,
The answer to your question is static translation (see point 2 below). The static cmd is used to map an outside address to an inside address, and you'll need an access-list (ACL) to allow the outside traffic into your inside network.
What sort of service are you trying to permit via your firewall? What PIX IOS are you running? If it's any of the following services, then please use the ACLs below.
The best way to write the ACL would be in a text editor first, such as Notepad, and then copy and paste it back onto the PIX config; make sure that you are in PIX config mode. Also, remember to save your config with the cmd: wr m (write memory), and remember to place a no access-list outbound cmd as the first line of your modified ACL. This way, when you paste back the ACL, the old copy (if any) will be replaced correctly with the new copy of the ACL.
Use the cmd clear xlate after you have made the modifications on your PIX.
The ACLs below are for www access, https access, pop3/smtp access and domain access; you can modify them for your own use.
If you need to let traffic back in, then please follow the instructions in point 2 below.
1 - ACL for outbound connections:
access-list outbound remark www
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list outbound remark email
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq pop3
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq smtp
access-list outbound remark ns
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq domain
access-list outbound permit udp 192.168.10.0 255.255.255.0 any eq domain
access-group outbound in interface inside
If you use inside local servers (proxy, NS, SMTP), use only host addresses in these access-lists.
2 - SMTP
Don't forget to open an inbound connection for incoming emails on the outside interface.
static (inside,outside)
access-list inbound permit tcp any host
access-group inbound in interface outside
Hope this helps -
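As an added illustration of point 2 above (not part of the original reply), this is how the static translation plus inbound ACL pattern looks when written out for the single TCP port from the original question, on PIX 6.x syntax. The public address 203.0.113.10 is a placeholder; the inside host 192.168.150.1 and port 397 come from the question. Restricting the ACL to the one port (rather than permit tcp any host) keeps the exposure to exactly the service that is meant to be reachable.

```cisco
! Added example (placeholder public address 203.0.113.10).
! Port-level static: only TCP 397 on the public address is mapped to the inside host.
static (inside,outside) tcp 203.0.113.10 397 192.168.150.1 397 netmask 255.255.255.255 0 0

! Inbound ACL: allow only that port from the outside, nothing else to the host.
access-list inbound permit tcp any host 203.0.113.10 eq 397
access-group inbound in interface outside

! After changing the static entries, clear existing translations so the new mapping takes effect.
clear xlate
```

Because the static is port-specific, other TCP/UDP ports on 203.0.113.10 are not translated to the inside host at all, so the ACL and the translation together limit what an outside source can reach.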
07-13-2003 10:13 PM
I don't have any problem with what you have discussed above. My only concern, as I've posted in my original query, is the counterpart in PIX of the EXTENDABLE port option in the router. The router has the following command:
ip nat source static tcp 192.168.150.1 397 IP(public) 397 extendable
How will I allow the same in my PIX?
Thanks.
07-15-2003 08:14 AM
Sorry to interrupt here, but what does "extendable" mean? I had to use it to get static NAT working on my router, but I don't know why or what it does. (?)