Cisco Support Community

Pix 515UR ver. 6.3(4) Port Forwarding

I've read a number of postings about port forwarding, but my question is still unanswered. I need to port forward from an external port 8000 to an internal port 8080. I can do so with the command:

static (inside,outside) TCP aaa.bbb.ccc.ddd 8000 172.16.1.27 8080 netmask 255.255.255.255 0 0

What do I do about other traffic that comes in on this external ip address? Do I add an additional line:

static (inside,outside) TCP aaa.bbb.ccc.ddd 172.16.1.27 netmask 255.255.255.255 0 0

so that other traffic can come in and be controlled by the ACL?

Thanks in Advance

7 REPLIES

Re: Pix 515UR ver. 6.3(4) Port Forwarding

You will need an acl to allow traffic on port 8000 as well. The static determines how to handle the traffic; the acl is required to allow it first of all.

So in fact, you only need to define traffic that should be allowed in, the rest will be blocked at the outside.

Hope this answers your question.

Regards,

Leo


Re: Pix 515UR ver. 6.3(4) Port Forwarding

Leo,

Thanks...but just to clarify...

My ACL will look like:

access-list incoming permit tcp any host connection eq www

access-list incoming permit tcp any host connection eq https

access-list incoming permit tcp any host connection eq 8000

with the Static looking like:

static (inside,outside) TCP aaa.bbb.ccc.ddd 8000 172.16.1.27 8080 netmask 255.255.255.255 0 0

static (inside,outside) TCP aaa.bbb.ccc.ddd 172.16.1.27 netmask 255.255.255.255 0 0

Apply my ACL and I will get the port forwarding as well as web traffic?

Thanks!


Re: Pix 515UR ver. 6.3(4) Port Forwarding

Gave this a try and it does not work. I can add the line:

static (inside,outside) TCP aaa.bbb.ccc.ddd 8000 172.16.1.27 8080 netmask 255.255.255.255 0 0

But when I try to add the line:

static (inside,outside) TCP aaa.bbb.ccc.ddd 172.16.1.27 netmask 255.255.255.255 0 0

I get an "Invalid Global port 172.16.1.27" error.

Can anyone tell me what I am missing here? What I am trying to do is to have external port 8000 forward to internal port 8080, but have all other ports remain the same - from say, external port 80 to internal port 80.

Thanks,

Kevin


Re: Pix 515UR ver. 6.3(4) Port Forwarding

The first static is correct, but the second is wrong. It would be:

static (inside, outside) aaa.bbb.ccc.ddd 172.16.1.27 netmask 255.255.255.255 0 0

(Dropped the TCP in it). That tells the PIX to route all traffic to the inside host, but the first static with the port redirection will take precedence.

--Gavin Budd


Re: Pix 515UR ver. 6.3(4) Port Forwarding

I might be wrong (and please correct me) but you cannot just drop tcp in it. If you use port redirection on a given address, e.g. .27 in this case, you have to add other entries in the same format (port redirection) even if the ports remain the same.

In this case it would be:

static (inside, outside) tcp aaa.bbb.ccc.ddd 80 172.16.1.27 80

static (inside, outside) tcp aaa.bbb.ccc.ddd 25 172.16.1.27 25

You will get an error message if you do not do that.

You can still use a simple static mapping (without ports) for other IP addresses from the public pool if you have one.

e.g.

static (inside, outside) aaa.bbb.ccc.xxx 172.16.1.100

Rafal


Re: Pix 515UR ver. 6.3(4) Port Forwarding

Would that explain why I get a:

WARNING: mapped-address conflict with existing static

tcp from inside:172.16.1.27/8080 to outside:aaa.bbb.ccc.ddd/8000 netmask 255.255.255.255

So what exactly does that mean? Also, if I do add other entries in the same format, do I not want to include the TCP in the static line?

Thanks,

Kevin


Re: Pix 515UR ver. 6.3(4) Port Forwarding

Yes, it looks like you are trying to configure a static PAT (with ports) when the static NAT (without ports) already exists.

Why don't you want to include TCP in other entries? Remember that you control access from the outside with an access-list and you include only the ports in the static translation that you need.

To sum it up: for a given address pair you can have either a single static NAT entry (without ports) or multiple static PAT entries for all the ports you want to use, but not both.

For other pairs you can still use NAT or PAT.

Rafal
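An added example, not from this thread and not Cisco code: a small Python checker that parses PIX 6.3 `static` lines in the form used above and reports the two failures Kevin hit, the `Invalid Global port` error from a port-less static that still carries a protocol keyword, and the mapped-address conflict from mixing a static NAT and a static PAT on the same address pair. The 203.0.113.x addresses and the sample lines are constructed placeholders.

```python
import re

# Constructed sample config modelled on the thread: a valid static PAT, the
# malformed "tcp ... without ports" line, a static NAT on the same address
# pair (conflicts with the PAT), and an unrelated static NAT that is fine.
SAMPLE_STATICS = [
    "static (inside,outside) tcp 203.0.113.10 8000 172.16.1.27 8080 netmask 255.255.255.255 0 0",
    "static (inside,outside) tcp 203.0.113.10 172.16.1.27 netmask 255.255.255.255 0 0",
    "static (inside,outside) 203.0.113.10 172.16.1.27 netmask 255.255.255.255 0 0",
    "static (inside,outside) 203.0.113.20 172.16.1.100",
]

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mapped_port real_ip real_port [...]
PAT_RE = re.compile(rf"^static \((\w+),\s*(\w+)\) (tcp|udp) ({IP}) (\d+) ({IP}) (\d+)(?:\s.*)?$", re.I)
# static (real_ifc,mapped_ifc) mapped_ip real_ip [...]
NAT_RE = re.compile(rf"^static \((\w+),\s*(\w+)\) ({IP}) ({IP})(?:\s.*)?$", re.I)


def parse_static(line):
    """Describe one static line, or raise ValueError with a PIX-style message."""
    m = PAT_RE.match(line)
    if m:
        return {"kind": "pat", "proto": m[3].lower(), "mapped": m[4],
                "mport": int(m[5]), "real": m[6], "rport": int(m[7])}
    m = NAT_RE.match(line)
    if m:
        return {"kind": "nat", "mapped": m[3], "real": m[4]}
    # A protocol keyword followed directly by the real IP: the IP lands in the
    # global-port slot, which is what the PIX rejects as an invalid port.
    bad = re.match(rf"^static \([^)]*\) (?:tcp|udp) {IP} (\S+)", line, re.I)
    if bad:
        raise ValueError(f"Invalid Global port {bad[1]}")
    raise ValueError("unparseable static")


def check_statics(lines):
    """Collect parse errors plus NAT/PAT conflicts on the same mapped->real pair."""
    errors, pairs = [], {}
    for line in lines:
        try:
            entry = parse_static(line)
        except ValueError as exc:
            errors.append(f"{line}: {exc}")
            continue
        pairs.setdefault((entry["mapped"], entry["real"]), set()).add(entry["kind"])
    for (mapped, real), kinds in pairs.items():
        if kinds == {"nat", "pat"}:  # the rule Rafal states: one or the other, never both
            errors.append(f"WARNING: mapped-address conflict with existing static {mapped} -> {real}")
    return errors
```

Running `check_statics(SAMPLE_STATICS)` returns exactly two findings: the invalid-port line and the conflict on the 203.0.113.10 / 172.16.1.27 pair.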
