Pix 501 Port Forwarding

Unanswered Question
Jan 17th, 2008

How would I go about the following on a Pix 501?

The following ports need to be forwarded to the phone system (192.168.1.51):

2944 - 2945
49150 - 49154
161 - 162
7
67
5070
5060
10020 - 10021

Collin Clark Thu, 01/17/2008 - 07:19

Gabrielle-

You have two options: create a static for each port, or, if you have multiple public IPs, you can NAT the entire IP. Here's an example of each.

static (inside,outside) tcp interface 5070 192.168.1.51 5070 netmask 255.255.255.255

or to NAT the whole IP

static (inside,outside) [public IP] 192.168.1.51 netmask 255.255.255.255

Don't forget to create and apply your ACL as well.

HTH and please rate.

cozyk1515 Thu, 01/17/2008 - 07:23

Do I still need to do the ACL if I do option 1?

Also have you used the asdm for the pix? How is it? I prefer the CLI over the SDM for routers.

Collin Clark Thu, 01/17/2008 - 07:43

You need an ACL no matter what. The static builds the road for access and the ACLs are the cops that control the traffic. I prefer the CLI, much faster for me and more flexible.

cozyk1515 Thu, 01/17/2008 - 07:50

Sorry, I hope I am not being a pain. I am a router and switch tech; my firewall person is out.

So I need to do a

access-list newaccesslist permit ip 192.168.1.51 255.255.255.0 eq 67

for each port?

Collin Clark Thu, 01/17/2008 - 08:15

Yes, but just like on a router you need a source address and a destination address. Also, the destination address is your public address. Also, for more security, restrict the ports instead of using IP. For example,

access-list newaccesslist permit ip 192.168.1.51 255.255.255.0 eq 67

should be

access-list newaccesslist permit tcp any host 1.1.1.1 eq 67

The any is the source address. If you only wanted the 15.1.2.0 network you would change any to 15.1.2.0 255.255.255.0 (note that PIX/ASA does not use inverted subnet masks). The host keyword specifies a single host. It's the same as doing 1.1.1.1 255.255.255.255.

As a quick side note you can also group ports together using object groups. Are you leaning towards multiple statics or just one full NAT? I can help you with ACL, give me a few minutes and I'll post it for you.

Collin Clark Thu, 01/17/2008 - 08:25

Here's what you should need. Anything in CAPS you will need to change to fit your real names and IP addresses. One thing to note is you will not need a new access list if there is already an access list applied to that interface. You can append the entry below, but you will need to change the name of the access list to match the one that is currently applied. If you need help with that, post the results of show run | inc access-group. Also, I'm assuming all the ports you want opened up are TCP. If that is incorrect, do not paste the config below. Let me know which ports are TCP and which are UDP and I'll create a new one for you.

object-group service INSERTNAME tcp
port-object range 2944 2945
port-object range 49150 49154
port-object range 161 162
port-object range 10020 10021
port-object eq 7
port-object eq 67
port-object eq 5060
port-object eq 5070

access-list newaccesslist extended permit tcp ANY host PUBLICIP object-group INSERTNAME
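As an added example (not Collin's config or Cisco code), a small Python generator for the per-port statics, object-groups and ACL lines discussed above, keeping the ACL restricted to the object-group rather than an any/any permit. The TCP/UDP split per port, the PHONE_TCP/PHONE_UDP group names and the PUBLICIP placeholder are assumptions.

```python
# Added example, not from the thread: emit PIX static, object-group and ACL
# lines for the question's port list (Collin's option 1, per-port statics).
# The TCP/UDP split is an ASSUMPTION; Collin asked the poster to confirm it.
PHONE_IP = "192.168.1.51"   # inside address from the question
PUBLIC_IP = "PUBLICIP"      # placeholder, as in the thread
ACL_NAME = "newaccesslist"  # ACL name used in the thread
# (port spec, protocol): assumed split, adjust before pasting into a real box
PORTS = [("2944-2945", "tcp"), ("49150-49154", "udp"), ("161-162", "udp"),
         ("7", "udp"), ("67", "udp"), ("5070", "udp"), ("5060", "udp"),
         ("10020-10021", "tcp")]

def parse_range(spec):
    """'2944 -2945' -> (2944, 2945); '7' -> (7, 7). Rejects bad port numbers."""
    parts = spec.replace(" ", "").split("-")
    lo, hi = int(parts[0]), int(parts[-1])
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("bad port range: %r" % spec)
    return lo, hi

def object_group(entries, proto):
    """Service object-group for one protocol: 'eq' for single ports, 'range' otherwise."""
    lines = ["object-group service PHONE_%s %s" % (proto.upper(), proto)]
    for spec, p in entries:
        if p != proto:
            continue
        lo, hi = parse_range(spec)
        lines.append("  port-object eq %d" % lo if lo == hi
                     else "  port-object range %d %d" % (lo, hi))
    return lines

def build_config(entries, source="any"):
    """Statics for every port, then one ACL entry per protocol limited to the
    object-group. source is 'any' or 'NET MASK', e.g. '15.1.2.0 255.255.255.0'."""
    cfg = []
    for spec, proto in entries:
        lo, hi = parse_range(spec)
        for port in range(lo, hi + 1):  # one static per port, as in Collin's example
            cfg.append("static (inside,outside) %s interface %d %s %d netmask 255.255.255.255"
                       % (proto, port, PHONE_IP, port))
    for proto in ("tcp", "udp"):
        grp = object_group(entries, proto)
        if len(grp) == 1:  # no ports of this protocol: skip the empty group
            continue
        cfg.extend(grp)
        cfg.append("access-list %s extended permit %s %s host %s object-group PHONE_%s"
                   % (ACL_NAME, proto, source, PUBLIC_IP, proto.upper()))
    return cfg
```

Running `build_config(PORTS)` prints nothing by itself; join the returned list with newlines to get the paste-ready config, and remember the access-group binding to the outside interface is still needed.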

cozyk1515 Thu, 01/17/2008 - 08:28

Great, I think that they are just going to do any any on the permit.

Thank you for your help!!!
