Opening up a port

wgranada1
Level 1

Question for you: I have a 515E firewall and an internal machine that needs to connect to an external host on the internet. In order to do that, all I would need to do is:

nat (inside) 100 205.240.197.50 255.255.255.255

global (outside) 100 38.115.156.104

I don't need to specify the IP address and port number of the distant-end machine:

nat (inside) 100 205.240.197.50 255.255.255.255 216.23.224.181 4001


acomiskey
Level 10

Um, not quite. Define what all those IPs are for us and we'll show you how to do it. I'm assuming you cannot get anywhere outside yet? As long as you don't have an ACL on the inside interface and your nat is set up, inside will be able to go anywhere outside by default.

I have an internal machine 205.240.197.50 and I need it to connect to an external machine via the internet. The external machine's IP and port are 216.23.224.181, port 4001.

IP address 38.115.156.104 is Cogent, the internet provider.

Sorry, to answer your question: yes, currently that internal machine cannot get out; this is a new connection.

Allowing the port out is not your problem. Can you post your PIX config and give us a topology of your network with the IP address scheme? Thanks.

Here is config...

topology goes as follows:

chirt1 -> chipix1 -> chirt5 -> Cogent network

Hi,

An example:

inside IP: 1.1.1.1

an IP address on the internet: 4.2.2.2

the inside IP needs to contact 4.2.2.2

What you need:

nat (inside) 1 1.1.1.1

global (outside) 1 interface

1.1.1.1, while going outside to the internet to 4.2.2.2, will get translated to the outside interface's IP address.

source IP address on inside: 1.1.1.1

destination IP address on inside: 4.2.2.2

_______________

when this packet reaches the outside interface of the firewall:

source IP address of packet: outside interface's IP address

destination IP address: 4.2.2.2

____________________

inside: security level 100

outside: security level 0

When you send traffic from a higher security level interface (inside) to a lower security level interface (outside), you need the translation rule defined for NAT or PAT (the nat and global commands).

As we say, by default the traffic is allowed from the higher security zone to the lower one; by that we mean that we do not need any access-list to permit the traffic.

That is, if there's no access-list on the inside interface, all the traffic is allowed to go to outside, provided we have corresponding nat and global entries.

If you have put even a single access-list on the inside interface, then you need to define access-list entries for all the traffic you need to permit (at the end of the access-list there's an implicit deny).

Now, in your case, you should be able to access that remote IP on the internet.

Hope this clears up how PIX/ASA works.
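To make the egress rules in the reply above concrete, here is a small model of that decision written for this page (it is not Cisco code and not from any poster): inside-to-outside traffic needs a nat/global pair sharing the same ID, `global ... interface` means the outside interface's own address, and a bound inside ACL ends in an implicit deny. The interface addresses 10.0.0.1 and 203.0.113.2 are constructed assumptions; 1.1.1.1 and 4.2.2.2 are the reply's own example addresses.

```python
"""Illustrative model of the PIX inside->outside egress decision (written
for this page, not Cisco code). Only higher-to-lower security is modelled.
Interface addresses are constructed examples."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Pix:
    interfaces: dict                                 # name -> (security level, IP)
    nat: list = field(default_factory=list)          # (iface, nat_id, source network)
    glob: dict = field(default_factory=dict)         # (iface, nat_id) -> IP or "interface"
    acls: dict = field(default_factory=dict)         # iface -> [(action, src, dst)]

    def egress(self, src, dst, in_if="inside", out_if="outside"):
        """Return the translated source IP for src->dst, or None if dropped."""
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        assert self.interfaces[in_if][0] > self.interfaces[out_if][0], "higher->lower only"
        acl = self.acls.get(in_if)
        if acl is not None:            # an ACL is bound: only what it permits passes
            for action, s, d in acl:
                if src_ip in ip_network(s) and dst_ip in ip_network(d):
                    if action == "deny":
                        return None
                    break
            else:
                return None            # implicit deny at the end of the ACL
        for iface, nat_id, net in self.nat:
            if iface == in_if and src_ip in ip_network(net):
                g = self.glob.get((out_if, nat_id))   # global must share the nat ID
                if g is None:
                    return None        # nat without a matching global: no translation
                return self.interfaces[out_if][1] if g == "interface" else g
        return None                    # no nat rule covers this source


def thread_example():
    """'nat (inside) 1 1.1.1.1' plus 'global (outside) 1 interface', as in the reply."""
    pix = Pix(interfaces={"inside": (100, "10.0.0.1"), "outside": (0, "203.0.113.2")})
    pix.nat.append(("inside", 1, "1.1.1.1/32"))
    pix.glob[("outside", 1)] = "interface"
    return pix


if __name__ == "__main__":
    pix = thread_example()
    print(pix.egress("1.1.1.1", "4.2.2.2"))   # 203.0.113.2: PAT to the outside interface
    print(pix.egress("1.1.1.9", "4.2.2.2"))   # None: no nat rule covers the source
    pix.acls["inside"] = [("permit", "1.1.1.1/32", "198.51.100.0/24")]
    print(pix.egress("1.1.1.1", "4.2.2.2"))   # None: implicit deny of the bound ACL
```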
