Dynamic PAT on PIX

shawvoel
Level 1

Hi Expert,

If I want to dynamically NAT a port range from 5500 to 5800 on my public IP, which NATs to a private IP, how do I configure it?

Here the example,

public IP = x.x.x.x

private IP = z.z.z.z

NAT x.x.x.x port 5500-5800 to z.z.z.z port 5500-5800

The PIX firewall is running OS 6.3(4).

The customer actually needs to enable this for FTP traffic, so that clients can dynamically use ports within the range 5500 to 5800.

Hope someone can help me on this, thank you.

Rgds,

Au Yeong Shaw Voel


9 Replies

m.sir
Level 7

Try the following:

static (inside,outside) x.x.x.x access-list port_map

access-list port_map permit tcp any host z.z.z.z range 5500 5800

You also need to configure the outside access-list to permit this traffic from outside,

so add the following line to your access-list on the outside interface:

access-list out permit tcp any host x.x.x.x range 5500 5800

If you are also using the FTP protocol on non-standard ports (5500-5800), you may need the command

fixup protocol ftp on those ports

M.

Hope that helps; rate if it does.

Hi M,

But why does it keep prompting an error?

ERROR: cannot translate from IP protocol tcp to IP protocol ip

After I create the access-list, when I try to key in the static command, it prompts this error.

Please help.

Thank you.

Rgds,

Au Yeong Shaw Voel

Please paste your access-list and the static command you're trying to issue here.

Hi there. I have been following your case, as I have not had that requirement before. I believe you already posted this issue a few days ago. I don't think the range of ports is supported by a static instruction on the PIX. I have tried several combinations in a lab and it just does not work.

I think your best option will be to perform a one to one static NAT and control the filtering on the access-list applied to the outside interface.

static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255

access-list outside-in permit tcp any host x.x.x.x range 5500 5800

Hi Fernando,

Yes, I would like to do the same thing as you said, but my public IP is already mapped to a different IP with a different port.

Here I attach my configuration. The IP on which I would like to map the range 5500 to 5800 is 219.95.73.30, and my private IP is 200.1.1.5.

I don't think I can do one-to-one mapping anymore.

Or do you have another solution for this?

Thank you.

Rgds,

Au Yeong Shaw Voel

Like Fernando said, try this:

static (inside,outside) 219.95.73.30 200.1.1.5 netmask 255.255.255.255

access-list outside-in permit tcp any host 219.95.73.30 range 5500 5800

access-group outside-in in interface outside

Make sure 219.95.73.30 is not being used in any other static commands. Best thing: remove all other statics, just keep your interface PAT.

When searching for an outbound connection, the firewall will first see the static and use that for the host 200.1.1.5, since that is an exact match.

Should work.

Then watch your live log to see what traffic is coming through and if indeed sessions for your ports are running.

All the best.

It will be great if you can assign points, first to Fernando.

vic

I am on the run right now. I will look at your config and see what other options (if any) you have.

Accepted Solution

I have checked your configs. The only option you have is a static using 219.95.73.28, which is not used as yet.

static (inside,outside) 219.95.73.28 200.1.1.X netmask 255.255.255.255

access-list 101 permit tcp any host 219.95.73.28 range 5500 5800

Also I see that remote access using Remote Desktop is allowed from the Internet. Make your customer aware that this sort of access is a security risk, as usernames and passwords travel in clear text. I suggest a remote VPN set up for remote access. Anyway, the instructions above will solve your current issue.

Please rate if you find this helpful
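The thread converges on a one-to-one static for the translation plus the outside access-list for the port filtering, after the earlier `static ... access-list` attempt was rejected with the protocol-mismatch error quoted above. The following Python model is an added example, not Cisco code and not something any poster in this thread wrote. It parses those config lines and shows what they do: inbound packets to 219.95.73.30 are admitted only on 5500-5800 and translated to 200.1.1.5 with the port unchanged, outbound traffic from 200.1.1.5 picks up the static rather than the interface PAT, a second static claiming the same global address is flagged, and the policy-static-plus-tcp-ACL combination is reported with the error the PIX printed. The `global`/`nat` interface-PAT lines, the `BAD_CONFIG` reconstruction of the first suggestion, and the reading of the error message as a protocol mismatch are assumptions; the real PIX packet-path ordering (xlate lookup versus ACL check) is deliberately not modelled.

```python
"""Toy model of the PIX 6.3 'static + outside access-list' answer from the
thread. Added example only: not Cisco code, and the real PIX packet-path
order (xlate lookup vs. ACL check) is deliberately not reproduced."""
import re
from collections import defaultdict

# Constructed config. The static, access-list and access-group lines are the
# ones posted in the thread; the global/nat interface-PAT lines are assumed.
CONFIG = """
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 219.95.73.30 200.1.1.5 netmask 255.255.255.255
access-list outside-in permit tcp any host 219.95.73.30 range 5500 5800
access-group outside-in in interface outside
"""

# Reconstruction (assumed) of the first suggestion, which the PIX rejected.
BAD_CONFIG = """
access-list port_map permit tcp any host z.z.z.z range 5500 5800
static (inside,outside) x.x.x.x access-list port_map
"""

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
POLICY_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) access-list (\S+)$")
ACL_RE = re.compile(
    r"access-list (\S+) (permit|deny) (\w+) (any|host \S+) (any|host \S+)"
    r"(?: range (\d+) (\d+))?(?: eq (\d+))?$")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\w+)$")


def parse(config):
    """Return (statics, acls-by-name, access-group-by-interface)."""
    statics, acls, groups = [], defaultdict(list), {}
    for line in config.strip().splitlines():
        if m := STATIC_RE.match(line):
            _, _, glob, local, mask = m.groups()
            statics.append({"global": glob, "local": local, "mask": mask})
        elif m := ACL_RE.match(line):
            name, action, proto, _src, dst, lo, hi, eq = m.groups()
            if lo:
                ports = (int(lo), int(hi))
            elif eq:
                ports = (int(eq), int(eq))
            else:
                ports = (1, 65535)
            acls[name].append({"action": action, "proto": proto,
                               "dst": dst, "ports": ports})
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)
    return statics, dict(acls), groups


def _dst_matches(spec, ip):
    return spec == "any" or spec == f"host {ip}"


def inbound(statics, acls, groups, dst_ip, dst_port, proto="tcp"):
    """Internet -> outside interface. The access-group filters on the global
    (public) address, as in the thread; the static then supplies the inside
    address. Returns (inside_ip, port) or None when the packet is dropped."""
    for entry in acls.get(groups.get("outside", ""), []):
        lo, hi = entry["ports"]
        if (entry["proto"] in ("ip", proto)
                and _dst_matches(entry["dst"], dst_ip) and lo <= dst_port <= hi):
            if entry["action"] == "deny":
                return None
            break
    else:
        return None  # implicit deny at the end of every access-list
    for s in statics:
        if s["global"] == dst_ip:
            return s["local"], dst_port  # one-to-one static keeps the port
    return None  # no static for this global address: nothing to translate to


def outbound_global(statics, src_ip):
    """vic's point: an exact-match static for 200.1.1.5 is used for that
    host's outbound connections instead of the interface PAT."""
    for s in statics:
        if s["local"] == src_ip:
            return s["global"]
    return "interface PAT"


def global_ip_conflicts(statics):
    """Global addresses claimed by more than one static (why vic says to make
    sure 219.95.73.30 is not used in any other static)."""
    owners = defaultdict(list)
    for s in statics:
        owners[s["global"]].append(s["local"])
    return {g: hosts for g, hosts in owners.items() if len(hosts) > 1}


def policy_static_errors(config):
    """Flag 'static ... access-list NAME' bound to an ACL that permits a
    specific protocol. The PIX answered that with 'cannot translate from
    IP protocol tcp to IP protocol ip'; treating the message as a protocol
    mismatch between the ACL and the IP-level static is this example's
    reading of it, not something the thread states."""
    _, acls, _ = parse(config)
    errors = []
    for line in config.strip().splitlines():
        if m := POLICY_RE.match(line):
            protos = [e["proto"] for e in acls.get(m.group(4), []) if e["proto"] != "ip"]
            if protos:
                errors.append(f"{line}: cannot translate from IP protocol "
                              f"{protos[0]} to IP protocol ip")
    return errors


if __name__ == "__main__":
    statics, acls, groups = parse(CONFIG)
    print(inbound(statics, acls, groups, "219.95.73.30", 5550))  # ('200.1.1.5', 5550)
    print(inbound(statics, acls, groups, "219.95.73.30", 5499))  # None
    print(outbound_global(statics, "200.1.1.5"))                  # 219.95.73.30
    print(policy_static_errors(BAD_CONFIG))
```

The point the model makes explicit is that the "port range" is never part of the translation: the static maps the whole address and preserves ports, and the access-group is the only thing keeping 219.95.73.30's other ports closed. Anything else listening on 200.1.1.5 is reachable the moment that access-list is loosened.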

Hi Fernando,

Thanks. Let me try your solution.

Rgds,

Au Yeong Shaw Voel
