
Pix 501 Port Forwarding

How would I go about the following on a Pix 501?

The following ports need to be forwarded to the phone system (192.168.1.51):

2944 -2945

49150 - 49154

161 - 162

7

67

5070

5060

10020 - 10021

7 REPLIES

Re: Pix 501 Port Forwarding

Gabrielle-

You have two options: create a static for each port, or, if you have multiple public IPs, you can NAT the entire IP. Here's an example of each.

static (inside,outside) tcp interface 5070 192.168.1.51 5070 netmask 255.255.255.255

or to NAT the whole IP

static (inside,outside) [public IP] 192.168.1.51 netmask 255.255.255.255

Don't forget to create and apply your ACL as well.

HTH and please rate.


Re: Pix 501 Port Forwarding

Do I still need to do the ACL if I do option 1?

Also, have you used the ASDM for the PIX? How is it? I prefer the CLI over the SDM for routers.

Re: Pix 501 Port Forwarding

You need an ACL no matter what. The static builds the road for access and the ACLs are the cops that control the traffic. I prefer the CLI, much faster for me and more flexible.


Re: Pix 501 Port Forwarding

Sorry, I hope I am not being a pain. I am a router and switch tech; my firewall person is out.

So I need to do a

access-list newaccesslist permit ip 192.168.1.51 255.255.255.0 eq 67

for each port?

Re: Pix 501 Port Forwarding

Yes, but just like on a router, you need a source address and a destination address. Also, the destination address is your public address. And for more security, restrict the ports instead of using IP. For example:

access-list newaccesslist permit ip 192.168.1.51 255.255.255.0 eq 67

should be

access-list newaccesslist permit tcp any host 1.1.1.1 eq 67

The any is the source address. If you only wanted the 15.1.2.0 network, you would change any to 15.1.2.0 255.255.255.0 (note that PIX/ASA does not use inverted subnet masks). The host keyword specifies a single host. It's the same as doing 1.1.1.1 255.255.255.255.

As a quick side note you can also group ports together using object groups. Are you leaning towards multiple statics or just one full NAT? I can help you with ACL, give me a few minutes and I'll post it for you.

Re: Pix 501 Port Forwarding

Here's what you should need. Anything in CAPS you will need to change to fit your real names and IP addresses. One thing to note: you will not need a new access list if there is already an access list applied to that interface. You can append the entry below, but you will need to change the name of the access list to match the one that is currently applied. If you need help with that, post the results of show run | inc access-group. Also, I'm assuming all the ports you want opened up are TCP. If that is incorrect, do not paste the config below. Let me know which ports are TCP and which are UDP and I'll create a new one for you.

object-group service INSERTNAME tcp

port-object range 2944 2945

port-object range 49150 49154

port-object range 161 162

port-object range 10020 10021

port-object eq 7

port-object eq 67

port-object eq 5060

port-object eq 5070

access-list newaccesslist extended permit tcp ANY host PUBLICIP object-group INSERTNAME


Re: Pix 501 Port Forwarding

Great, I think that they are just going to do any any on the permit.

Thank you for your help!!!
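The two NAT options and the object-group ACL from the replies above, plus the "any any" shortcut mentioned in the last post, worked through as an added example. This is editor-written code, not from any post in this thread or from Cisco; it assumes PIX 6.3 syntax, the inside phone system at 192.168.1.51 from the question, that the address passed as the public IP is the outside interface address when per-port statics are used, and a TCP/UDP split per port that the thread never settled (SNMP 161-162, DHCP 67 and SIP 5060 treated as UDP, the rest as TCP). The lint function flags the ACL entries a reviewer would bounce before the config is pasted.

```python
"""PIX 6.x port-forwarding generator and ACL lint (added example, not thread code).

Assumptions: PIX 6.3 syntax, inside host 192.168.1.51, public_ip is the outside
interface address for per-port statics, and the TCP/UDP split in PHONE_SERVICES.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Service:
    proto: str   # "tcp" or "udp"
    first: int   # first port of the range
    last: int    # last port; equal to first for a single port


# Constructed from the port list in the question. Protocol per entry is an assumption:
# SNMP (161-162), BOOTP/DHCP (67) and SIP (5060) are treated as UDP, the rest as TCP.
PHONE_SERVICES: List[Service] = [
    Service("tcp", 2944, 2945),
    Service("tcp", 49150, 49154),
    Service("udp", 161, 162),
    Service("tcp", 7, 7),
    Service("udp", 67, 67),
    Service("tcp", 5070, 5070),
    Service("udp", 5060, 5060),
    Service("tcp", 10020, 10021),
]


def port_statics(inside_ip: str, services: Iterable[Service]) -> List[str]:
    """Option 1: one static per port, mapped onto the outside interface address."""
    return [
        f"static (inside,outside) {s.proto} interface {port} {inside_ip} {port} "
        "netmask 255.255.255.255"
        for s in services
        for port in range(s.first, s.last + 1)
    ]


def full_static(public_ip: str, inside_ip: str) -> List[str]:
    """Option 2: a spare public IP mapped one-to-one onto the inside host."""
    return [f"static (inside,outside) {public_ip} {inside_ip} netmask 255.255.255.255"]


def service_groups(prefix: str, services: Iterable[Service]) -> Dict[str, List[str]]:
    """One object-group per protocol: a PIX service group carries a single protocol."""
    groups: Dict[str, List[str]] = {}
    for s in services:
        name = f"{prefix}_{s.proto.upper()}"
        body = groups.setdefault(name, [f"object-group service {name} {s.proto}"])
        if s.first == s.last:
            body.append(f"  port-object eq {s.first}")
        else:
            body.append(f"  port-object range {s.first} {s.last}")
    return groups


def access_list(acl_name: str, public_ip: str, groups: Dict[str, List[str]],
                source: str = "any") -> List[str]:
    """One ACE per group; destination is the public address, ports come from the group.
    Written in 6.3 form, i.e. without the 'extended' keyword of 7.0/ASA."""
    return [
        f"access-list {acl_name} permit {body[0].split()[-1]} {source} "
        f"host {public_ip} object-group {name}"
        for name, body in groups.items()
    ]


def lint_acl(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Token-level check returning (line, reason) for ACEs a reviewer would bounce:
    'permit ip', or a permit with no port restriction at all (the 'any any' shortcut)."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        tok = line.split()
        if not tok or tok[0] != "access-list" or "permit" not in tok:
            continue
        proto = tok[tok.index("permit") + 1]
        if proto == "ip":
            findings.append((line, "permit ip opens every port and protocol"))
        elif not any(k in tok for k in ("eq", "range", "object-group")):
            findings.append((line, f"permit {proto} with no destination port restriction"))
    return findings


def build_config(public_ip: str, inside_ip: str, services: List[Service],
                 acl_name: str = "outside_in", per_port: bool = True) -> List[str]:
    """Assemble the full paste: statics, object-groups, ACL and the access-group line."""
    statics = port_statics(inside_ip, services) if per_port else full_static(public_ip, inside_ip)
    groups = service_groups("PHONE", services)
    group_lines = [entry for body in groups.values() for entry in body]
    acl = access_list(acl_name, public_ip, groups)
    assert not lint_acl(acl), "generated ACL must never be over-broad"
    return statics + group_lines + acl + [f"access-group {acl_name} in interface outside"]


if __name__ == "__main__":
    print("\n".join(build_config("1.1.1.1", "192.168.1.51", PHONE_SERVICES)))
    for bad, why in lint_acl(["access-list outside_in permit ip any any"]):
        print(f"REJECT: {bad}  ({why})")
```

Run it to print the full paste for option 1; pass `per_port=False` to get the single full static instead. The generated ACL always names the public host and a port group, so `lint_acl` passes it; the same check rejects `permit ip any any`, which is what "any any on the permit" amounts to, and a bare `permit tcp any host ...` with no ports.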
