
Newbie Question - Pix 506E does not recognize static command


rustyrustynail (Technical User), Jan 29, 2009
Hi Experts

I'm new to PIX and trying to set up a static translation to map a public IP to a private IP using the static command. I have used the enable command to get into enable mode already.

At the prompt that looks like [firewall02#] I'm entering the command as it looks below:

firewall02# static (inside,outside) my_public_ip my_private_ip netmask 255.255.255.255 0 0

When I enter this command and press enter, I see text saying "Type help or '?' for a list of available commands."

So my PIX is probably not recognizing the static command, or this is not where/how it's supposed to be entered. Silly newbie question.

Can anyone help please?

Many thanks

Mo.
 
hello Rustyrustynail,

Code:
firewall02> en
Password: ********
firewall02# conf t
firewall02(config)#static (inside,outside) my_public_ip my_private_ip netmask 255.255.255.255 0 0

HTH
-Viconsul
 
Thanks Viconsul, you guys do know your stuff.

I sorted it by entering configure terminal. conf t does the same thing, I guess. And en for enable's cool too.

Another quick question if I can ask you. I've just read about the PIX Device Manager. What are your thoughts on it?

Shall I set it up on my PIX, as I think it'll make management easier? Any pitfalls to avoid?

Thanks

Mo.
 
Rusty,

PDM makes management easier, but you've got to have the right version of Java installed on your client machine.

Rgds

Viconsul
 
Hi Viconsul and others, need help again.

I have done a static mapping from the public IP to the private IP and then set up two access-list entries to allow http and https traffic in to the server on the LAN. However, this is not working.

I feel this is because the PIX access lists are processed in top-to-bottom order and there is a deny any any access-list entry above the entries I've added to allow traffic in to my internal server. I want somebody to confirm if this is the case or provide any other helpful info please.

I have the line "access-list acl-outside deny ip any any" in my configuration. ABOVE this line I have access-list entries (created by previous admin) to allow http/https access to some servers. This works.

BELOW this line I have the access-list entries I created to allow access to my new server. This doesn't work. My access-list entries I created look like below.

access-list acl-outside permit tcp any host 85.90.xxx.xx eq www
access-list acl-outside permit tcp any host 85.90.xxx.xx eq https

The static mapping I created looks like below.

static (inside,outside) 85.90.xxx.xx 192.168.y.yy netmask 255.255.255.255 0 0

Can someone please point out why this won't work? Appreciate the help.

Thanks

Mohsin.
 
Hello Rusty,

From your firewall prompt do a show access-list acl-outside:
Code:
firewall02# sho access-list acl-outside

This should give you the line numbers where the two ACEs are placed. Then you should be able to go into global configuration mode and remove them with no access-list acl-outside line xx permit tcp any host 85.90.xxx.xx eq www; do the same for https. Then you can reinsert the ACEs at a line number before the deny any any entry. See the example code below.
Code:
firewall02(config)# no access-list acl-outside line 21 permit tcp any host 85.90.xxx.xx eq www
firewall02(config)# no access-list acl-outside line 22 permit tcp any host 85.90.xxx.xx eq https
Then just add the ACEs back at the line you want, above the deny any any one. Example code below:
Code:
firewall02(config)# access-list acl-outside line 16 permit tcp any host 85.90.xxx.xx eq www
firewall02(config)# access-list acl-outside line 17 permit tcp any host 85.90.xxx.xx eq https
PS: Obviously you need to change the numbers to match your output.

Also, your static mapping should really look like this if all you want to permit is TCP traffic for www/https:
Code:
static (inside,outside) tcp 85.90.xxx.xx www 192.168.y.yy www netmask 255.255.255.255 0 0
static (inside,outside) tcp 85.90.xxx.xx https 192.168.y.yy https netmask 255.255.255.255 0 0

HTH
-Viconsul
 
Brilliant answer, thanks Viconsul.

I understand the difference between my static mapping and the one you suggested is that mine maps all traffic arriving on the public IP to the private IP, and traffic is then allowed on the basis of ACLs, whereas yours only maps the required port (ACL still required), right?

Using your way, we can map different ports on a single public IP to different private IPs.

I'll leave mine for now as we have plenty of public IPs and aren't running out soon.

Thanks.
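A small model, added here and not from the thread or from Cisco, of the two points Viconsul's answer makes: the outside ACL is walked top-down and the first match wins, so anything placed below "deny ip any any" can never be hit, and a port static translates only one (global IP, port) pair while a 1:1 static maps every port of the public address. It uses a constructed config with example addresses (85.90.1.x / 192.168.1.x) and the acl-outside name from the thread; the reorder function does in Python what the "no access-list ... line N" / "access-list ... line N" sequence does on the box, and shadowed() is the check you would want to run before trusting a long ACL. It assumes the PIX 6.x behaviour the thread's own ACEs rely on: the outside ACL is matched against the global (untranslated) address.

```python
"""Inbound packet on a PIX outside interface: first-match ACL, then static untranslation.
Added example with a constructed config; not the poster's real configuration."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed config: working permit above the deny, the two new permits below it
# (shadowed, as in the thread), one 1:1 static and two port statics on a second IP.
CONFIG = """
static (inside,outside) 85.90.1.10 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) tcp 85.90.1.11 www 192.168.1.20 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 85.90.1.11 https 192.168.1.21 https netmask 255.255.255.255 0 0
access-list acl-outside permit tcp any host 85.90.1.10 eq www
access-list acl-outside deny ip any any
access-list acl-outside permit tcp any host 85.90.1.11 eq www
access-list acl-outside permit tcp any host 85.90.1.11 eq https
"""
PORT_NAMES = {"www": 80, "http": 80, "https": 443}


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


@dataclass
class Ace:
    line: int
    action: str            # permit | deny
    proto: str             # ip | tcp | udp
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None = any destination port


@dataclass
class Static:
    proto: Optional[str]   # None for a plain 1:1 static
    gip: str
    gport: Optional[int]
    lip: str
    lport: Optional[int]


def _addr(t, i):
    """Parse 'any' | 'host A' | 'A MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ip_network(t[i + 1] + "/32"), i + 2
    return ip_network(f"{t[i]}/{t[i + 1]}"), i + 2


def parse_config(config, acl_name="acl-outside"):
    """Return (ACEs of acl_name in order, statics) from PIX 6.x style lines."""
    aces, statics = [], []
    for raw in config.strip().splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["access-list", acl_name]:
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            dport = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            aces.append(Ace(len(aces) + 1, t[2], t[3], src, dst, dport))
        elif t[0] == "static":
            t = t[2:]  # drop 'static' and '(inside,outside)'
            if t[0] in ("tcp", "udp"):   # port static: one global ip/port -> local ip/port
                statics.append(Static(t[0], t[1], _port(t[2]), t[3], _port(t[4])))
            else:                        # 1:1 static: every port of the global ip
                statics.append(Static(None, t[0], None, t[1], None))
    return aces, statics


def _matches(ace, proto, src, dst, dport):
    return (ace.proto in ("ip", proto) and ip_address(src) in ace.src
            and ip_address(dst) in ace.dst and ace.dport in (None, dport))


def first_match(aces, proto, src, dst, dport):
    """Top-down, first match wins; None means the implicit deny at the end."""
    for ace in aces:
        if _matches(ace, proto, src, dst, dport):
            return ace
    return None


def shadowed(aces):
    """Line numbers of ACEs that can never be hit because an earlier ACE covers them."""
    out = []
    for i, a in enumerate(aces):
        if any(b.proto in ("ip", a.proto) and a.src.subnet_of(b.src)
               and a.dst.subnet_of(b.dst) and b.dport in (None, a.dport) for b in aces[:i]):
            out.append(a.line)
    return out


def move_above_deny_any(aces, lines):
    """Pull the given ACEs out and reinsert them just above the first 'deny ip any any',
    then renumber, which is what the PIX does after 'no access-list ... line N'."""
    moving = [a for a in aces if a.line in lines]
    rest = [a for a in aces if a.line not in lines]
    at = next(i for i, a in enumerate(rest) if a.action == "deny" and a.proto == "ip"
              and a.src.prefixlen == 0 and a.dst.prefixlen == 0)
    new = rest[:at] + moving + rest[at:]
    for n, a in enumerate(new, 1):
        a.line = n
    return new


def untranslate(statics, proto, dst, dport):
    """Global (ip, port) -> local (ip, port); a port static is more specific than a 1:1 static."""
    for s in statics:
        if s.proto == proto and s.gip == dst and s.gport == dport:
            return s.lip, s.lport
    for s in statics:
        if s.proto is None and s.gip == dst:
            return s.lip, dport
    return None


def inbound(aces, statics, proto, src, dst, dport):
    """('dropped', matching line or None) or ('forwarded', (local_ip, local_port))."""
    ace = first_match(aces, proto, src, dst, dport)
    if ace is None or ace.action == "deny":
        return "dropped", ace.line if ace else None
    return "forwarded", untranslate(statics, proto, dst, dport)


if __name__ == "__main__":
    aces, statics = parse_config(CONFIG)
    print("shadowed lines:", shadowed(aces))
    print(inbound(aces, statics, "tcp", "203.0.113.5", "85.90.1.11", 80))
    fixed = move_above_deny_any(aces, shadowed(aces))
    print(inbound(fixed, statics, "tcp", "203.0.113.5", "85.90.1.11", 80))
```

Run as-is it reports lines 3 and 4 as shadowed, shows a web request to the new server being dropped by the deny on line 2, and shows the same request forwarded to 192.168.1.20:80 once the two ACEs are moved above the deny. The untranslate step also shows the difference between the two static styles: 85.90.1.10 forwards any permitted port unchanged to 192.168.1.10, while 85.90.1.11 only has 80 and 443 mapped, to two different internal hosts.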
 