PIX question 1

imbadatthis

Technical User
Aug 16, 2009
Reading up on this stuff through CISCO docs:

The docs say the following allows outside / unknown hosts to access hosts inside your network:
Code:
static (inside, outside) 172.18.124.99 10.200.1.254
access-list 101 permit tcp host 199.199.199.24 host 175.1.1.254 eq ftp
access-group 101 in interface outside

and the docs say the following is used for port forwarding:
Code:
static (inside, outside) tcp 172.18.124.99 ftp 10.1.1.3 ftp netmask 255.255.255.255 0 0

Isn't port forwarding the same thing as allowing outside sources to access inside services via a specific port?

We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
Both options would require an access-list entry to permit traffic to the outside IP address used by the static entry. The first option,
Code:
static (inside,outside) <public ip> <private ip>
sets up a one to one NAT. This maps all ports in both directions. The second option,
Code:
static (inside,outside) <tcp|udp> <public ip> <port> <private ip> <port>
sets up a PAT for a single port. You could re-use multiple ports on the same public IP to point to different inside resources. If, for example, you had to run a webserver on ports 80 and 443, and mail services on 25, 110, and 143 and you had only 1 public IP assigned, you could PAT them to different servers.

When not using a full one to one NAT you can't use the 'dns' keyword to have the ASA translate outside IPs to inside IPs in DNS replies.
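The web-plus-mail scenario from the reply above, written out as an added PIX/ASA config example (not from the original post). All addresses are constructed: 203.0.113.10 and 203.0.113.11 stand in for the public IPs, 10.1.1.x for the inside servers, and the ACL name OUTSIDE_IN is an assumption.

```cisco
! Constructed example: one public IP (203.0.113.10) shared by a web server
! (10.1.1.10) and a mail server (10.1.1.20) on the inside using static PAT.
! Each line forwards exactly one TCP port; no other port on 203.0.113.10
! is reachable from outside, whatever the ACL says.
static (inside,outside) tcp 203.0.113.10 www   10.1.1.10 www   netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 https 10.1.1.10 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 smtp  10.1.1.20 smtp  netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 pop3  10.1.1.20 pop3  netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 imap4 10.1.1.20 imap4 netmask 255.255.255.255 0 0

! By contrast, a one-to-one static maps every port of 203.0.113.11 to
! 10.1.1.30 (assumed FTP server). Here only the ACL limits what is reachable,
! so it must be kept tight. The 'dns' keyword (allowed only on a full
! one-to-one static) rewrites 203.0.113.11 to 10.1.1.30 in DNS replies.
static (inside,outside) 203.0.113.11 10.1.1.30 dns netmask 255.255.255.255 0 0

! A static alone admits nothing inbound. The ACL applied 'in' on the outside
! interface must permit each service to the public IP, and nothing more;
! the implicit deny at the end drops everything else.
access-list OUTSIDE_IN permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE_IN permit tcp any host 203.0.113.10 eq https
access-list OUTSIDE_IN permit tcp any host 203.0.113.10 eq smtp
access-list OUTSIDE_IN permit tcp any host 203.0.113.10 eq pop3
access-list OUTSIDE_IN permit tcp any host 203.0.113.10 eq imap4
access-list OUTSIDE_IN permit tcp any host 203.0.113.11 eq ftp
access-group OUTSIDE_IN in interface outside
```

After applying, "show xlate" and "show access-list OUTSIDE_IN" confirm the translations exist and show per-line hit counts, which is the quickest way to spot a permit line that is never matched and can be removed.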