Opening ports on a Cisco PIX 501?

Gah! Links died. There are configuration guides on cisco.com though.

Basically, you will need to allow the necessary ports through the access list on the outside interface, and then do a static nat or a port-redirection to the server in question.


So, for example, say you only have one IP address with your provider, and that is also the IP address of the outside of the PIX. You would then have to configure port redirection. Example for a web server:

access-list outside_access_in line 1 permit tcp any host 80.80.80.80 eq 80

This allows port 80 access when destined for the 80.80.80.80 address.

You then need to do a translation that would allow the traffic to pass through the firewall and hit the server. Assuming the private address of the server is 192.168.1.2 and that the two interfaces are named "inside" and "outside" you would configure the following:

static (inside,outside) tcp 80.80.80.80 www 192.168.1.2 www netmask 255.255.255.255

This creates a static translation on port 80. Without more information on the setup and intention of this change, I can't really say anything else.

You can also do this from the GUI, which might be easier for you.
 
No probs. If it isn't working you can always use "debug packet" to find out why.
debug packet outside dst 80.80.80.80 proto tcp dport 80
If you see nothing, chances are the static translation is wrong, as the firewall isn't proxy ARPing for that address.
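
An added example, not part of the original posts: a small Python check that reads a PIX configuration and reports where the access-list permits and the static port redirections described above do not line up, treating `eq 80` and the `www` keyword as the same port. The sample config is constructed; the `access-group` binding line and the port-keyword subset are assumptions not shown in the thread.

```python
import re

# Constructed sample config: the two lines from the post, an assumed
# access-group binding, and a leftover SMTP permit with no translation.
SAMPLE = """\
access-list outside_access_in line 1 permit tcp any host 80.80.80.80 eq 80
access-list outside_access_in line 2 permit tcp any host 80.80.80.80 eq smtp
access-group outside_access_in in interface outside
static (inside,outside) tcp 80.80.80.80 www 192.168.1.2 www netmask 255.255.255.255
"""

# The CLI accepts keywords for well-known ports; small subset for the example.
PORT_NAMES = {"www": "80", "https": "443", "smtp": "25", "ftp": "21"}
ACL = re.compile(r"access-list (\S+) (?:line \d+ )?permit (tcp|udp) any host (\S+) eq (\S+)")
STATIC = re.compile(r"static \(\w+,(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
GROUP = re.compile(r"access-group (\S+) in interface (\S+)")

def port(token):
    """Normalise a port keyword such as 'www' to its number, as a string."""
    return PORT_NAMES.get(token, token)

def audit(config):
    """Return findings where ACL permits and static redirections disagree."""
    permits, statics, bound = set(), {}, set()
    for line in map(str.strip, config.splitlines()):
        if m := ACL.match(line):
            permits.add((m[1], m[2], m[3], port(m[4])))
        elif m := STATIC.match(line):
            statics[(m[2], m[3], port(m[4]))] = (m[1], m[5], port(m[6]))
        elif m := GROUP.match(line):
            bound.add((m[1], m[2]))
    findings = []
    for (proto, ip, p), (ifc, priv, pp) in sorted(statics.items()):
        acls = [a for a, pr, i, q in permits if (pr, i, q) == (proto, ip, p)]
        if not acls:
            findings.append(f"static {proto} {ip}:{p} -> {priv}:{pp}: no matching permit")
        elif not any((a, ifc) in bound for a in acls):
            findings.append(f"static {proto} {ip}:{p}: permit exists but ACL not bound to {ifc}")
    for a, pr, i, q in sorted(permits):
        if (pr, i, q) not in statics:
            findings.append(f"{a}: permit {pr} {i}:{q} has no static redirection")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the sample, the web redirection passes and the only finding is the SMTP permit that has no translation behind it.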
 