Cisco Support Community

New Member

Preferred format for PIX515E

Hello, I'm configuring a new PIX515E, and I'm a bit confused as to the proper format to use with regards to the access-list/static commands. I see 2 ways of doing things, and they both work... so if someone can explain which is the proper way, I'd appreciate it.

They are:

access-list ACL_OUT permit tcp any host xx.xx.xx.44 eq www

static (inside,outside) tcp xx.xx.xx.44 www 10.99.18.60 www netmask 255.255.255.255 0 0

access-group ACL_OUT in interface outside

OR

access-list ACL_OUT permit tcp any host xx.xx.xx.44 eq www

static (inside,outside) xx.xx.xx.44 10.99.18.60 netmask 255.255.255.255

access-group ACL_OUT in interface outside

Thanks!

William

  • Other Security Subjects
4 REPLIES
Gold

Re: Preferred format for PIX515E

Hi Bill,

In the 1st example the static NAT from xx.xx.xx.44 to 10.99.18.60 is ONLY for http (www) traffic; NO other traffic is NATed.

In the 2nd example ALL IP traffic is NATed.

The first example is considered to be more secure.

M.

Hope that helps; rate if it does.

New Member

Re: Preferred format for PIX515E

Great, thanks!

Silver

Re: Preferred format for PIX515E

Using the port number in the static command is typically done if you want to change port numbers, e.g. to change port 80 to 8080. The second config you show would be the standard way since you are not changing port numbers.

Hope this helps.

Steve

New Member

Re: Preferred format for PIX515E

OH OH. Now I'm more confused!

OK. Maybe I should explain the setup?

If I have my outside IP: 200.XX.20.20

and my inside subnet: 192.168.0.0

If I want to have a dedicated NAT from outside to inside for web, which format would I need to use?

access-list ACL_OUT permit tcp any host xx.xx.xx.44 eq www

static (inside,outside) tcp xx.xx.xx.44 www 192.168.0.60 www netmask 255.255.255.255 0 0

OR

static (inside,outside) xx.xx.xx.44 192.168.0.60 netmask 255.255.255.255

Now it makes sense to use the first, because I'm not changing ports, just sending the outside traffic to the inside IP...

I hope this clarifies things.

Thanks

Will
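To make the difference described in M.'s reply (port-specific static vs. all-IP static) and Steve's reply (port static used to redirect 80 to 8080) concrete, below is a small Python model of inbound outside-to-inside processing. This is an added example written for this page; it is not PIX code, Cisco documentation, or anything posted in the thread. It assumes first-match ACL evaluation with an implicit deny, treats the ACL check and the translation lookup as two independent gates (the order between them is a simplification of the model, not a claim about PIX internals), and uses constructed sample addresses (203.0.113.44 stands in for xx.xx.xx.44). The `exposure()` helper is hypothetical: it reports which ports on the outside address actually reach the inside host for a given ACL/static pair, which is the check to run when reviewing such a configuration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Static:
    """One 'static (inside,outside)' entry. proto/outside_port/inside_port are None
    for the address-only form, which carries every port through unchanged."""
    outside_ip: str
    inside_ip: str
    proto: Optional[str] = None
    outside_port: Optional[int] = None
    inside_port: Optional[int] = None

    def translate(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        if dst_ip != self.outside_ip:
            return None
        if self.proto is None:                       # all-IP static: every port is translated
            return (self.inside_ip, dst_port)
        if proto == self.proto and dst_port == self.outside_port:
            return (self.inside_ip, self.inside_port)  # port static: only this port, possibly remapped
        return None


@dataclass
class AclEntry:
    """One 'access-list ... permit|deny <proto> any host <ip> [eq <port>]' line."""
    action: str
    proto: str                      # "tcp", "udp" or "ip" (matches any protocol)
    dst_ip: Optional[str] = None    # None = any
    dst_port: Optional[int] = None  # None = any

    def matches(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dst_ip is not None and self.dst_ip != dst_ip:
            return False
        return self.dst_port is None or self.dst_port == dst_port


def inbound(acl: List[AclEntry], statics: List[Static], proto: str, dst_ip: str, dst_port: int):
    """Fate of one outside->inside packet: ('forwarded', inside_ip, inside_port)
    or ('dropped', reason, None). ACL first-match with implicit deny, then translation lookup."""
    for entry in acl:
        if entry.matches(proto, dst_ip, dst_port):
            if entry.action == "deny":
                return ("dropped", "acl deny", None)
            break
    else:
        return ("dropped", "acl implicit deny", None)
    for s in statics:
        hit = s.translate(proto, dst_ip, dst_port)
        if hit is not None:
            return ("forwarded", hit[0], hit[1])
    return ("dropped", "no translation", None)


# Constructed sample values; documentation address stands in for xx.xx.xx.44.
OUTSIDE = "203.0.113.44"
INSIDE = "10.99.18.60"

PORT_STATIC = [Static(OUTSIDE, INSIDE, "tcp", 80, 80)]        # thread's first form
FULL_STATIC = [Static(OUTSIDE, INSIDE)]                       # thread's second form
REDIRECT_STATIC = [Static(OUTSIDE, INSIDE, "tcp", 80, 8080)]  # Steve's 80 -> 8080 case

ACL_WWW_ONLY = [AclEntry("permit", "tcp", OUTSIDE, 80)]       # ACL_OUT as posted
ACL_TOO_BROAD = [AclEntry("permit", "ip", OUTSIDE)]           # constructed mistake: permits everything to the host


def exposure(acl: List[AclEntry], statics: List[Static], ports=(22, 80, 443, 3389)) -> List[int]:
    """Hypothetical audit helper: TCP ports on OUTSIDE that really reach the inside host."""
    return sorted(p for p in ports if inbound(acl, statics, "tcp", OUTSIDE, p)[0] == "forwarded")


if __name__ == "__main__":
    for label, acl in (("www-only ACL", ACL_WWW_ONLY), ("too-broad ACL", ACL_TOO_BROAD)):
        for sname, statics in (("port static", PORT_STATIC), ("full static", FULL_STATIC)):
            print(f"{label:14s} + {sname:12s}: reachable ports {exposure(acl, statics)}")
```

With the ACL exactly as William posted, both static forms expose only port 80. The difference shows up once the ACL is later loosened: with the all-IP static every port on the inside host becomes reachable, while the port static still forwards nothing but tcp/80, which is the "more secure" point M. makes. The `REDIRECT_STATIC` entry is Steve's case, where the port form is needed because the outside and inside ports differ.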

181 Views | 0 Helpful | 4 Replies