Cisco Support Community

New Member

extendable

In the ip nat source static command on my router, there is the EXTENDABLE option after the port number. What is the equivalent of that in my PIX? I have to permit the same in my firewall.

Thanks a lot.

  • Other Security Subjects
3 REPLIES
Gold

Re: extendable

Hello Erwin,

The answer to your question is ‘static translation’ (see point 2 below): the static cmd is used to map an outside address to the inside address, and you’ll need an access-list (ACL) to allow the outside traffic into your inside network.

What sort of service are you trying to permit via your firewall? What PIX IOS are you running? If it’s any of the following services then please use the ACLs below.

The best way to write the ACL is in a text editor first, such as Notepad, and then copy and paste it back onto the PIX config; make sure that you are in PIX config mode. Also, remember to save your config with the cmd ‘wr m’ (write memory), and remember to place a ‘no access-list outbound’ cmd as the first line of your modified ACL. This way, when you paste back the ACL, the old copy (if any) will be replaced correctly with the new copy of the ACL.

Use cmd ‘clear xlate’ after you have made the modifications on your PIX.

The ACLs below are for ‘www’ access, https access, pop3/smtp access and domain access; you can modify them for your own use.

If you need to let traffic back in then please follow the instructions on point 2 below.

1 - ACL for outbound connections:

access-list outbound remark www
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list outbound remark email
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq pop3
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq smtp
access-list outbound remark ns
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq domain
access-list outbound permit udp 192.168.10.0 255.255.255.0 any eq domain
access-group outbound in interface inside

If you use inside local servers (proxy, NS, SMTP), use only host addresses in these access-lists.

2 - SMTP

Don’t forget to open an inbound connection for incoming emails on the outside interface.

static (inside,outside) <public_ip> 192.168.10.x netmask 255.255.255.255
access-list inbound permit tcp any host <public_ip> eq smtp
access-group inbound in interface outside

Hope this helps -

New Member

Re: extendable

I don't have any problem with what you have discussed above. My only concern, as I've posted in my original query, is the counterpart in PIX of the EXTENDABLE port option in the router. The router has the following command:

ip nat source static tcp 192.168.150.1 397 IP(public) 397 extendable

How will I allow the same in my PIX?

Thanks.
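Added example, not posted by anyone in this thread: a small Python checker for the pairing the first reply describes (a static translation exposes an address, an ACL on the outside interface admits traffic to it). It audits the inbound access-list against the statics and flags any permit that is broader than what the statics expose. The sample configuration is constructed for this example with documentation-range addresses; it assumes the PIX 6.x port-level static form, static (inside,outside) tcp <global_ip> <global_port> <inside_ip> <inside_port> netmask 255.255.255.255, and uses a 397-to-397 mapping mirroring the router command quoted above.

```python
"""Audit a PIX 6.x style configuration: every permit line in the inbound
access-list must point at a global address and port that a static translation
actually exposes, and nothing may be wide open.  Runs offline on the
constructed sample below (documentation-range addresses, not a real site)."""
import re
from dataclasses import dataclass

# Constructed sample config for this example (not from the thread).  The second
# and third statics use the PIX 6.x port-level form: global addr/port -> inside addr/port.
SAMPLE_CONFIG = """
static (inside,outside) 203.0.113.10 192.168.10.5 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.11 397 192.168.150.1 397 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.11 www 192.168.150.2 8080 netmask 255.255.255.255
access-list inbound remark mail and app servers
access-list inbound permit tcp any host 203.0.113.10 eq smtp
access-list inbound permit tcp any host 203.0.113.11 eq 397
access-list inbound permit tcp any host 203.0.113.11 eq https
access-list inbound permit ip any any
access-group inbound in interface outside
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25,
              "pop3": 110, "domain": 53}

STATIC_HOST = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
STATIC_PORT = re.compile(
    r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask (\S+)$")
ACL = re.compile(
    r"^access-list (\S+) (permit|deny) (\S+) (any|host \S+|\S+ \S+) "
    r"(?:host (\S+)|any)(?: eq (\S+))?$")

ANY_PORT = ("*", "*")   # marker for a whole-host static (all ports reachable)


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def port_number(token):
    """Resolve a numeric port or one of the PIX service names listed above."""
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown port name: {token}")


def parse_statics(config):
    """Map each global (outside) address to the (proto, port) pairs it exposes."""
    exposed = {}
    for line in config.splitlines():
        line = line.strip()
        m = STATIC_PORT.match(line)
        if m:
            proto, gip, gport = m.group(3), m.group(4), m.group(5)
            exposed.setdefault(gip, set()).add((proto, port_number(gport)))
            continue
        m = STATIC_HOST.match(line)
        if m:   # one-to-one static: every port of the inside host is reachable
            exposed.setdefault(m.group(3), set()).add(ANY_PORT)
    return exposed


def audit_inbound(config, acl_name="inbound"):
    """Return a Finding for each inbound permit that is broader than the statics."""
    exposed = parse_statics(config)
    findings = []
    for line in config.splitlines():
        line = line.strip()
        m = ACL.match(line)
        if not m or m.group(1) != acl_name or m.group(2) != "permit":
            continue
        proto, dst_host, dst_port = m.group(3), m.group(5), m.group(6)
        if dst_host is None:
            findings.append(Finding(line, "permits traffic to any destination"))
            continue
        ports = exposed.get(dst_host, set())
        if ANY_PORT in ports:
            continue
        if dst_port is None or (proto, port_number(dst_port)) not in ports:
            findings.append(Finding(
                line, f"no static translation exposes {dst_host} {proto}/{dst_port}"))
    return findings


if __name__ == "__main__":
    for f in audit_inbound(SAMPLE_CONFIG):
        print(f"{f.reason}: {f.line}")
```

On the sample it reports two problems: the https permit to 203.0.113.11, which no static backs (only 397 and www are translated on that address), and the trailing permit ip any any, which defeats the point of pairing each static with a narrow ACL entry. A one-to-one static (no port) is treated as exposing every port, which is why the smtp permit to 203.0.113.10 passes.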

New Member

Re: extendable

Sorry to interrupt here, but what does "extendable" mean? I had to use it to get static NAT working on my router, but I don't know why or what it does.
