PIX DHCP, port mapping and statics

seanm · ‎04-14-2004

Does anyone know whether or how well the PIX (520) supports port mapping and statics when using DHCP on the outside interface?

From the docs, it looks like I can configure port mapping via statics when using DHCP by specifying the interface keyword rather than an IP address, but what about configuring the corresponding ACL? Do I have to permit 0.0.0.0?

Thanks for any insight.

scoclayton · ‎04-15-2004

You would also use the 'interface' keyword in your ACL's (I think we added this in 6.3 code) to permit the traffic. These features should work fine though.

Scott

ehirsel · ‎04-15-2004

I believe that if the destination is a pix interface, then the acl on the outside interface would not apply. Is the acl you refer to going to be configured on the outside interface? If so, and you want to limit who can connect to your inside server, you can use this:

static (inside, outside) interface access-list list-name command

The access-list on the static command would contain statements such as these:

access-list acl01 permit ip host inside-host dest-host/dest-network

where the dest-host/net is not the pix interface, but the true network that you want to permit incoming connections to. Note that the acl statements are coded as if the true inside host was initiating the connection, even though that is not happeneing.

Let me know if this helps.

ehirsel · ‎04-15-2004

I forgot to mention in my prior post, that the info I gave is valid only for 6.3 code as it contains the policy nat/pat functions.

seanm · ‎04-18-2004

Thanks to all for the input, works perfectly.