Jack (Guest)
Posted: Thu Jun 28, 2007 4:50 am    Post subject: PIX 501
Our PIX 6.2 has a very strange behavior after I add

    static (inside,outside) outside_IP inside_IP netmask 255.255.255.255 0 0

What happens is that after adding it I can RDP from outside to this local IP. I
can connect to the Internet from this local IP; however, all other local IPs
can no longer go to the Internet. I can't even ping from the PIX to any IP
outside. As soon as I remove the line everything works just fine. Any
advice? Am I missing something? Or is this a problem?
Thanks in advance,
Jack
Walter Roberson (Guest)
Posted: Tue Jul 03, 2007 3:47 am    Post subject: Re: PIX 501
In article <CqudnRMIQvOo1xTbnZ2dnUVZ_gadnZ2d@speakeasy.net>,
Jack <jackm@iigservices.com> top-posted:

> I added it the way you suggested and it seems like it is working fine. However, my
> concern is we have other PIX in production and all the static entries are
> the same as I posted earlier.

[i.e., IP to IP with no port]

> But as long as this is working I'm fine with this. So do you think I can put
> this in production by adding only
>
>     static (inside,outside) tcp interface 3389 inside_IP 3389 netmask 255.255.255.255 0 0
>
> for RDP
The form

    static (inside,outside) OUTSIDEIP INSIDEIP netmask 255.255.255.255

is used when OUTSIDEIP is a public IP that is -not- the interface IP,
and -all- of OUTSIDEIP is to be statically translated to INSIDEIP
(with permission to access individual ports then determined by the
access-group applied to the outside interface.) This command cannot,
however, be used if OUTSIDEIP is the PIX/ASA outside interface itself,
because some ports are reserved for use in talking to the PIX/ASA itself.

The form

    static (inside,outside) tcp OUTSIDEIP OUTSIDEPORT INSIDEIP INSIDEPORT netmask 255.255.255.255

is fairly similar, but it only reserves the one tcp port OUTSIDEPORT
on the IP address OUTSIDEIP, through to the given inside IP and port.
You could have additional static tcp commands with the same outside IP
address and the same or different inside IP addresses. For example, you
could have a single public IP for which port 25 connected to your inside
mail server and port 80 connected to your inside WWW server.

Because only individual ports are reserved in this form, you can
forward for the PIX/ASA outside interface IP itself if you want, as long as
you don't hit one of the two reserved TCP ports that are for talking to
the PIX/ASA itself. With the PIX, if you are forwarding for the outside IP,
you use the special keyword 'interface' instead of the IP itself. I'm
not as familiar with the ASA; I've seen contradictory material about
whether to use 'interface' or the actual outside IP for the ASA.
(You're using a PIX now, but someday you may be using an ASA... and others
reading this might be using an ASA.)
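As an added illustration (not code from the thread or from Cisco), the following Python linter parses both forms of the PIX 6.x `static` command that Walter describes and reports the two things a reviewer would want caught before such a line goes into production: a one-to-one static placed on the outside interface IP (Jack's original line, which took every other inside host off the Internet), and overlapping claims on the same outside IP or port. The outside interface address and all host addresses are constructed sample values; the PIX's own reserved ports are not modelled because the thread does not name them.

```python
"""Lint Cisco PIX/ASA 'static' NAT lines for the pitfalls discussed above.

Added example. Addresses are constructed (RFC 5737 / RFC 1918 ranges) and
do not come from the thread. The PIX's reserved management ports are not
modelled, since the thread does not name them.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OUTSIDE_IF_IP = "203.0.113.10"  # constructed: the PIX outside interface address


@dataclass
class StaticNat:
    inside_if: str
    outside_if: str
    proto: Optional[str]          # None = one-to-one form; "tcp"/"udp" = port form
    outside_addr: str             # literal IP, or the keyword 'interface'
    outside_port: Optional[str]
    inside_addr: str
    inside_port: Optional[str]
    netmask: str


_IF_PAIR = re.compile(r"\((\w+),(\w+)\)")


def parse_static(line: str) -> StaticNat:
    """Parse either form of the PIX 6.x 'static' command into a StaticNat."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "static":
        raise ValueError(f"not a static command: {line!r}")
    m = _IF_PAIR.fullmatch(tok[1])
    if not m:
        raise ValueError(f"bad interface pair: {tok[1]!r}")
    inside_if, outside_if = m.groups()
    rest = tok[2:]
    proto = rest.pop(0) if rest[0] in ("tcp", "udp") else None
    if proto:
        if len(rest) < 6:
            raise ValueError(f"port form needs ADDR PORT ADDR PORT netmask MASK: {line!r}")
        outside_addr, outside_port, inside_addr, inside_port = rest[:4]
        rest = rest[4:]
    else:
        if len(rest) < 4:
            raise ValueError(f"one-to-one form needs ADDR ADDR netmask MASK: {line!r}")
        outside_addr, inside_addr = rest[:2]
        outside_port = inside_port = None
        rest = rest[2:]
    if rest[0] != "netmask":
        raise ValueError(f"expected 'netmask', got {rest[0]!r}")
    return StaticNat(inside_if, outside_if, proto, outside_addr, outside_port,
                     inside_addr, inside_port, rest[1])


Finding = Tuple[int, str, str]  # (line number, code, message)


def audit(lines: List[str], outside_if_ip: str = OUTSIDE_IF_IP) -> List[Finding]:
    """Flag statics that claim the whole interface IP, and overlapping claims."""
    findings: List[Finding] = []
    # (outside IP, proto, port) -> inside address; ("*", "*") means the whole IP
    claimed: Dict[Tuple[str, str, str], str] = {}
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line.startswith("static "):
            continue  # comments and unrelated config lines are skipped
        e = parse_static(line)
        out = outside_if_ip if e.outside_addr == "interface" else e.outside_addr
        if e.proto is None:
            if out == outside_if_ip:
                findings.append((n, "FULL_STATIC_ON_INTERFACE_IP",
                                 "one-to-one static claims the entire outside interface IP; "
                                 "use the 'static (inside,outside) tcp interface PORT "
                                 "INSIDE PORT' form instead"))
            key = (out, "*", "*")
            clash = [k for k in claimed if k[0] == out]          # any earlier claim on this IP
        else:
            key = (out, e.proto, e.outside_port)
            clash = [k for k in claimed
                     if k[0] == out and (k == key or k[1] == "*")]  # same port, or whole IP
        if clash:
            findings.append((n, "OVERLAP",
                             f"{key} is already covered by {clash[0]} -> {claimed[clash[0]]}"))
        else:
            claimed[key] = e.inside_addr
    return findings


# Constructed sample configs mirroring the thread's before/after.
BROKEN = [  # Jack's first attempt: one-to-one static on the interface IP
    "static (inside,outside) 203.0.113.10 192.168.1.20 netmask 255.255.255.255 0 0",
]
FIXED = [   # port statics: RDP on the interface, plus one public IP shared by mail and www
    "static (inside,outside) tcp interface 3389 192.168.1.20 3389 netmask 255.255.255.255 0 0",
    "static (inside,outside) tcp 203.0.113.11 25 192.168.1.30 25 netmask 255.255.255.255 0 0",
    "static (inside,outside) tcp 203.0.113.11 80 192.168.1.31 80 netmask 255.255.255.255 0 0",
]
CONFLICT = FIXED + [  # a duplicate port claim, then a full static over an IP already in use
    "static (inside,outside) tcp 203.0.113.11 80 192.168.1.32 80 netmask 255.255.255.255 0 0",
    "static (inside,outside) 203.0.113.11 192.168.1.40 netmask 255.255.255.255 0 0",
]

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED), ("CONFLICT", CONFLICT)):
        print(name, audit(cfg) or "clean")
```

Running the block prints one `FULL_STATIC_ON_INTERFACE_IP` finding for the broken config, `clean` for the corrected one, and two `OVERLAP` findings for the conflicting one. The same `audit` call can be pointed at a `show running-config` capture, since non-`static` lines are ignored.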
Jack (Guest)
Posted: Wed Jul 04, 2007 7:02 am    Post subject: Re: PIX 501
Thank you very much, Walter.
I learned a lot from your response.