01-17-2008 05:03 AM - edited 03-05-2019 08:32 PM
How would I go about the following on a Pix 501?
The following ports need to be forwarded to the phone system (192.168.1.51):
2944 - 2945
49150 - 49154
161 - 162
7
67
5070
5060
10020 - 10021
01-17-2008 07:19 AM
Gabrielle-
You have two options: create a static for each port, or if you have multiple public IPs you can NAT the entire IP. Here's an example of each.
static (inside,outside) tcp interface 5070 192.168.1.51 5070 netmask 255.255.255.255
or to NAT the whole IP
static (inside,outside) [public IP] 192.168.1.51 netmask 255.255.255.255
Don't forget to create and apply your ACL as well.
HTH and please rate.
01-17-2008 07:23 AM
Do I still need to do the ACL if I do option 1?
Also, have you used the ASDM for the PIX? How is it? I prefer the CLI over the SDM for routers.
01-17-2008 07:43 AM
You need an ACL no matter what. The static builds the road for access and the ACLs are the cops that control the traffic. I prefer the CLI, much faster for me and more flexible.
01-17-2008 07:50 AM
Sorry, I hope I am not being a pain. I am a router and switch tech; my firewall person is out.
So I need to do a
access-list newaccesslist permit ip 192.168.1.51 255.255.255.0 eq 67
for each port?
01-17-2008 08:15 AM
Yes, but just like on a router you need a source address and a destination address. Also, the destination address is your public address. For more security, restrict the ports instead of permitting IP. For example:
access-list newaccesslist permit ip 192.168.1.51 255.255.255.0 eq 67
should be
access-list newaccesslist permit tcp any host 1.1.1.1 eq 67
The any is the source address. If you only wanted the 15.1.2.0 network you would change any to 15.1.2.0 255.255.255.0 (note PIX/ASA does not use inverted subnet masks). The host keyword specifies a single host. It's the same as doing 1.1.1.1 255.255.255.255
As a quick side note you can also group ports together using object groups. Are you leaning towards multiple statics or just one full NAT? I can help you with ACL, give me a few minutes and I'll post it for you.
01-17-2008 08:25 AM
Here's what you should need. Anything in CAPS you will need to change to fit your real names and IP addresses. One thing to note is you will not need a new access list if there is already an access list applied to that interface. You can append the entry below, but you will need to change the name of the access list to match the one that is currently applied. If you need help with that, post the results of show run | inc access-group. Also, I'm assuming all the ports you want opened up are TCP. If that is incorrect, do not paste the config below. Let me know which ports are TCP and which are UDP and I'll create a new one for you.
object-group service INSERTNAME tcp
port-object range 2944 2945
port-object range 49150 49154
port-object range 161 162
port-object range 10020 10021
port-object eq 7
port-object eq 67
port-object eq 5060
port-object eq 5070
access-list newaccesslist extended permit tcp ANY host PUBLICIP object-group INSERTNAME
01-17-2008 08:28 AM
Great I think that they are just going to do any any on the permit.
Thank you for your help!!!
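The thread's recurring point is that a static only builds the path and the applied ACL decides what may use it, and the last reply's plan to "just do any any on the permit" is exactly the case where that control disappears. The following is an added example, not code from this thread or any Cisco tool: a small Python lint pass over a PIX 6.x-style snippet that expands the service object-group, flags `permit ip` and `any any` entries, reports access-lists that were defined but never applied with `access-group`, and notes a static whose mapped address no applied ACL entry reaches. The sample config is constructed for the example (203.0.113.10 is a documentation address); the regexes cover only the command forms used in this thread.

```python
"""Lint a PIX 6.x-style snippet for the points raised in the thread:
statics open a path, the ACL applied with access-group decides what may
use it, and 'permit ip' or 'any any' entries leave that path wide open.
Hypothetical checker written for illustration; not a Cisco tool."""
import re

# Constructed sample: one port-static, one full-IP static, the thread's
# object-group, a deliberately broad 'any any' entry and an ACL that is
# defined but never applied.
SAMPLE_CONFIG = """\
static (inside,outside) tcp interface 5070 192.168.1.51 5070 netmask 255.255.255.255
static (inside,outside) 203.0.113.10 192.168.1.51 netmask 255.255.255.255
object-group service PHONE-TCP tcp
  port-object range 2944 2945
  port-object range 49150 49154
  port-object range 161 162
  port-object range 10020 10021
  port-object eq 7
  port-object eq 67
  port-object eq 5060
  port-object eq 5070
access-list outside_in extended permit tcp any host 203.0.113.10 object-group PHONE-TCP
access-list outside_in extended permit ip any any
access-list unused_acl extended permit tcp any host 203.0.113.10 eq 5060
access-group outside_in in interface outside
"""

ADDR = r"any|host \S+|\S+ \S+"   # any | host A.B.C.D | network mask (PIX masks are not inverted)
ACL_RE = re.compile(
    rf"access-list (\S+) (?:extended )?(permit|deny) (\S+) ({ADDR}) ({ADDR})(?: (.*))?$")
STATIC_RE = re.compile(r"static \(\S+,\S+\) (?:(?:tcp|udp) )?(\S+) (?:\d+ )?(\S+)")
GROUP_RE = re.compile(r"object-group service (\S+) (?:tcp|udp|tcp-udp)$")
PORT_RE = re.compile(r"port-object (?:eq (\d+)|range (\d+) (\d+))$")


def parse_object_groups(lines):
    """Expand each service object-group into the set of ports it names."""
    groups, current = {}, None
    for line in lines:
        text = line.strip()
        if m := GROUP_RE.match(text):
            current = groups.setdefault(m.group(1), set())
        elif (m := PORT_RE.match(text)) and current is not None:
            if m.group(1):
                current.add(int(m.group(1)))
            else:
                current.update(range(int(m.group(2)), int(m.group(3)) + 1))
        else:
            current = None          # any other line ends the group body
    return groups


def ports_for(proto, rest, groups):
    """Destination ports an ACL entry permits; None means no port restriction."""
    if proto == "ip" or not rest:
        return None
    if m := re.match(r"eq (\d+)$", rest):
        return {int(m.group(1))}
    if m := re.match(r"range (\d+) (\d+)$", rest):
        return set(range(int(m.group(1)), int(m.group(2)) + 1))
    if m := re.match(r"object-group (\S+)$", rest):
        return set(groups.get(m.group(1), ()))
    return None


def lint(config_text):
    """Return (name, message) findings; an empty list means no complaints."""
    lines = [l.strip() for l in config_text.splitlines()]
    groups = parse_object_groups(lines)
    applied = {l.split()[1] for l in lines if l.startswith("access-group ")}
    findings, defined, covered = [], set(), set()
    for text in lines:
        m = ACL_RE.match(text)
        if not m:
            continue
        name, action, proto, src, dst, rest = m.groups()
        defined.add(name)
        if action != "permit":
            continue
        if name in applied:
            covered.add(dst)        # destinations some applied permit entry reaches
        if proto == "ip":
            findings.append((name, "'permit ip' opens every protocol and port; use tcp/udp with ports"))
        elif ports_for(proto, rest, groups) is None:
            findings.append((name, f"'{proto}' entry carries no port restriction"))
        if src == "any" and dst == "any":
            findings.append((name, "permit any any: the ACL no longer controls the static's path"))
    for name in sorted(defined - applied):
        findings.append((name, "access-list defined but never applied with access-group"))
    for text in lines:
        if (m := STATIC_RE.match(text)) and m.group(1) != "interface":
            mapped = m.group(1)
            if "any" not in covered and f"host {mapped}" not in covered:
                findings.append(("static", f"static for {mapped} has no applied ACL entry; nothing can reach it"))
    return findings


if __name__ == "__main__":
    for name, msg in lint(SAMPLE_CONFIG):
        print(f"{name}: {msg}")
```

Run as-is it reports the `permit ip any any` entry twice (protocol-wide and any-to-any) and the unapplied `unused_acl`; delete those two lines and it goes quiet, which is the shape of config the earlier replies were steering toward. Port-statics using `interface` are skipped by the last check because the outside interface address is not in the snippet.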