PIX 501 allow PC Anywhere PAT

revahi
Level 1

Greeting all Cisco PIX followers and enthusiasts.

I've successfully set up the PIX to allow traffic inside to outside without a problem.

I'm having trouble setting up ACLs for ports, say, 5631 through 5636 on a single static IP address assigned by the ISP. Unable to ping the global IP.

I prefer not to use conduits. I've set up a static route like so: static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0, as the PIX is connected to a router on the outside that does all the NAT'ing. Did not use the NAT 0 method.

192.168.1.0 is the network IP of the inside LAN.

I've tried the following:

access-list pcany_data permit tcp any host 211.236.247.237 eq 5631

access-list pcany_status permit udp any host 211.236.247.237 eq 5632

access-group pcany_data in interface outside

access-group pcany_status in interface outside

The 211.236 etc. is the global IP assigned statically by my ISP.

Any comments regarding the syntax of these commands if they are incorrect or if there is another way.

A response encourages me to do likewise those that I can help out as well.

Isaac

4 Replies

pavlosd
Level 2

You say that the 211.236 etc. is the global IP assigned statically by your ISP. What about the station that runs PCAnywhere? Is it inside the PIX firewall? If yes, who takes care of the NAT for that host? The Cisco router? If yes, then your access-lists should change and be like:

access-list pcany permit tcp any host 192.168.1.x eq 5631

access-list pcany permit udp any host 192.168.1.x eq 5632

access-group pcany in interface outside

I hope that helps...

Thank you for your response; the answers to your questions are:

The global IP is bound to the WAN interface on the router.

The router does all the NAT work, not the PIX.

The router is attached to the outside (off E0).

The station that hosts PC Anywhere is on the inside (off E1).

I've already tried the access-list commands before I sent off my first posting.

At least that shows I'm heading in the right direction.

Should I post the complete text output of show configure? It's rather long.

It appears the response by pavlosd is correct.

What I didn't know at the time, though, is that any number of rules can be added to one ACL name, but trying to create multiple ACLs and then applying them in succession with the access-group ... in interface command only applies the last ACL name given in access-group, overriding all those before it; multiple ACLs are only applicable where multiple interfaces are available, with a different ACL for each interface.

wolfrikk
Level 3

One problem is that you can only have one access-list applied to an interface for each direction. You have tried to add two named access-lists to the same interface in the same direction. If you do a wr t, only one should be listed.
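As an added example (not from the thread, and not Cisco's own tooling), here is a small Python script that applies what pavlosd and wolfrikk describe: it scans a PIX configuration for `access-group` lines, reports which named ACL actually governs each interface/direction (the last one bound wins, the earlier ones are silently replaced), and rebuilds the overridden lists into a single named ACL with one `access-group` binding. The embedded config is constructed to resemble the poster's commands; the inside host address 192.168.1.10 and the merged ACL name `pcany` are assumptions, not values from the thread.

```python
"""Find PIX access-groups that shadow each other and merge their ACLs.

On the PIX only one access-list can be bound to an interface in a given
direction.  A second `access-group NAME in interface X` does not add a
second list; it replaces the first, so every rule in the first list stops
being evaluated.  This script detects that mistake in a saved config and
emits the single combined ACL that should be used instead.
"""
import re
from collections import OrderedDict

# Constructed sample resembling the thread's commands; 192.168.1.10 is an
# assumed inside host (the PIX sees the pre-NAT address, the router NATs it).
SAMPLE_CONFIG = """\
access-list pcany_data permit tcp any host 192.168.1.10 eq 5631
access-list pcany_status permit udp any host 192.168.1.10 eq 5632
access-group pcany_data in interface outside
access-group pcany_status in interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)\s*$")


def parse_access_lists(config):
    """Map each ACL name to its entries (text after the name), in config order."""
    acls = OrderedDict()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
    return acls


def effective_access_groups(config):
    """Return {(interface, direction): acl_name} as the PIX applies it: last binding wins."""
    bound = {}
    for line in config.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            bound[(m.group(3), m.group(2))] = m.group(1)
    return bound


def find_shadowed_access_groups(config):
    """Return (interface, direction, acl_name) for every binding replaced by a later one."""
    seen = {}
    shadowed = []
    for line in config.splitlines():
        m = GROUP_RE.match(line.strip())
        if not m:
            continue
        key = (m.group(3), m.group(2))
        if key in seen:
            shadowed.append((key[0], key[1], seen[key]))
        seen[key] = m.group(1)
    return shadowed


def merge_access_lists(config, interface, direction, merged_name):
    """Combine every ACL bound to interface/direction into one named list.

    Entries keep their original order (ACLs are first-match, so order matters)
    and a single access-group line binds the merged list.
    """
    acls = parse_access_lists(config)
    bound_names = []
    for line in config.splitlines():
        m = GROUP_RE.match(line.strip())
        if m and (m.group(3), m.group(2)) == (interface, direction):
            if m.group(1) not in bound_names:
                bound_names.append(m.group(1))
    lines = []
    for name in bound_names:
        for entry in acls.get(name, []):
            lines.append(f"access-list {merged_name} {entry}")
    lines.append(f"access-group {merged_name} {direction} interface {interface}")
    return lines


if __name__ == "__main__":
    for iface, direction, name in find_shadowed_access_groups(SAMPLE_CONFIG):
        print(f"WARNING: access-list {name} on {iface} {direction} is overridden")
    print("Effective bindings:", effective_access_groups(SAMPLE_CONFIG))
    print("\n".join(merge_access_lists(SAMPLE_CONFIG, "outside", "in", "pcany")))
```

Running it on the sample reports that `pcany_data` is overridden on the outside interface inbound, that only `pcany_status` is effective (matching what `wr t` would show), and prints the merged `pcany` list with both entries and one `access-group pcany in interface outside`.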
