Port forwarding with dynamic outside IP and DMZ PIX 506e

Status
Not open for further replies.

Bizounett

IS-IT--Management
Nov 25, 2008
62
CA
Hi,

1) I'm looking for a way to do port forwarding from an outside
dynamic IP address to a static inside IP address. I
read that the static command can do port forwarding, but it
seems to be only for static addresses.

2) Is it possible to have an inside static IP address in a
DMZ with the PIX 506e?

My version is 6.3(1) and my PDM is 3.0(1).

Thanks in advance

Bizounett
 
1- Yes, use this:

static (inside,outside) interface [internal_IP] netmask 255.255.255.255

2- Inside and DMZ are separate. You want to set up VLANs and trunk them to a switch. From there, set up your DMZ and inside networks:

static (DMZ,outside) interface [internal_IP] netmask 255.255.255.255



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
If my understanding is OK, for the DMZ I need to have a switch that is doing VLANs, and after that I create a DMZ network in the PIX, called DMZ?

Am I right?

I'm a little bit lost ...

Thanks
 
Yes.
The 506e only has 2 physical interfaces, so you have to set up and use VLANs in order to have a true DMZ. So you will need a switch that can decode VLAN packets. Each port gets set to a default VLAN, and that's how it passes traffic to the PIX.

It is a chore to set up with the 506e.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thanks, I'll begin by installing my PIX with some static port forwarding. Later, when my understanding is better, I will look at a DMZ.

Thanks again

Bizounett
 
OK, this PIX is at home for now, for testing. I currently have a D-Link router; my PC is in its DMZ, which means all the ports are open for my PC, not my wife's!!! I want to be able to do this with the PIX 506e also. So I tried a lot of things with the STATIC command, the access-list command and the NAT command. But I cannot get full access to all ports like with my D-Link. I downloaded and installed eMule to test whether the port is open, and it is not, but with my D-Link it's working fine. I want to do this to get a better understanding of the Cisco. If someone has an idea, it would be great. My outside address is dynamic and the inside address is 192.168.2.1. My system's IP address is 192.168.2.15.

Thanks
 
Thanks Brent,

after reading, I tried this on my PIX 506e:

static (inside, outside) interface 192.168.2.15 netmask 255.255.255.255
access-list 100 permit tcp any host 192.168.2.15
access-list 100 permit udp any host 192.168.2.15
access-group 100 in interface outside
write term
write mem
reload

After this it's not working. I also tried with
access-list 100 permit tcp any host 192.168.2.15 eq 4662
access-list 100 permit udp any host 192.168.2.15 eq 4672

4662 and 4672 are my 2 ports in eMule for testing outside connections. I was sure my first try would be OK. What's wrong?

Thanks

Bizz
 
The ACL will need to be for the interface and not the internal IP:

access-list 100 permit tcp any interface outside
access-list 100 permit udp any interface outside

You need more than 1 IP, OR have only specific ports forwarded through. Otherwise all traffic will go to the 192.168.2.15 address regardless of who requested it internally.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thanks,

This works great like that. Could you check whether my config is correct?

static (inside,outside) tcp interface 4662 Rene 4662 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 4672 Rene 4672 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5901 Rene 5901 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 26153 Rene 26153 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 26153 Rene 26153 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5977 Carine 5977 netmask 255.255.255.255 0 0

access-list 100 line 1 permit udp any any
access-list 100 line 2 permit tcp any any

access-group 100 in interface outside

Thanks

Bizz
 
That should be OK. You will want to lock it down now that you have what you want working:

access-list 100 line 1 permit tcp any any eq 4662
access-list 100 line 2 permit udp any any eq 4672
access-list 100 line 3 permit tcp any any eq 5901
access-list 100 line 4 permit tcp any any eq 26153
access-list 100 line 5 permit udp any any eq 26153
access-list 100 line 6 permit tcp any any eq 5977
access-list 100 line 7 deny ip any any

That should do it.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thanks for the answer, it works like a charm.

Small question: I don't understand what these two lines do exactly:

access-group 100 in interface outside

access-list 100 line 7 deny ip any any

Thanks
 
access-group 100 in interface outside
This line applies access list 100 to the outside interface so it can filter incoming traffic.

access-list 100 line 7 deny ip any any
This line allows you to see hit counts for traffic that gets dropped. Just good form really, and useful for testing.


Brent
Systems Engineer / Consultant
CCNP, CCSP
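The three pieces of advice in this thread (write the outside ACL against the translated address, not the inside host; permit only the ports that actually have a static; finish with an explicit deny and bind the list with access-group) can be checked mechanically before a config goes onto the box. The script below is an added example, not code from the thread or from Cisco: it parses the PIX 6.x `static ... interface` and `access-list` lines shown above, reports each way the list is wider or narrower than the statics, and derives the locked-down ACL Brent wrote by hand. The two sample configs are constructed from the posts; the host names `Rene` and `Carine` are the thread's own name objects. It assumes PIX 6.x behaviour, where an inbound ACL on the outside interface is matched against the outside (translated) destination, which is why `host 192.168.2.15` never matched in the first attempt.

```python
"""Audit a PIX 6.x port-forwarding config: does the inbound ACL on outside
permit exactly the ports the statics forward?  Added example, not from the thread."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample 1: the config the poster got working (wide-open permits, no deny).
POSTED_CONFIG = """\
static (inside,outside) tcp interface 4662 Rene 4662 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 4672 Rene 4672 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5901 Rene 5901 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 26153 Rene 26153 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 26153 Rene 26153 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5977 Carine 5977 netmask 255.255.255.255 0 0
access-list 100 line 1 permit udp any any
access-list 100 line 2 permit tcp any any
access-group 100 in interface outside
"""

# Constructed sample 2: the first attempt, an all-port static with the ACL
# written against the inside address instead of the outside interface.
FIRST_ATTEMPT = """\
static (inside,outside) interface 192.168.2.15 netmask 255.255.255.255
access-list 100 permit tcp any host 192.168.2.15
access-list 100 permit udp any host 192.168.2.15
access-group 100 in interface outside
"""

STATIC_PORT = re.compile(r"^static \(\w+,\w+\) (tcp|udp) interface (\S+) (\S+) (\S+) netmask")
STATIC_ALL = re.compile(r"^static \(\w+,\w+\) interface (\S+) netmask")
ACL = re.compile(r"^access-list (\S+)(?: line \d+)? (permit|deny) (\S+) (.+)$")
GROUP = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")


@dataclass(frozen=True)
class Static:
    proto: str   # "tcp", "udp", or "*" for an all-port static
    port: str    # outside port, or "*"
    host: str    # inside host (name object or address)


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[str]   # destination port after "eq", if present


def _addr(tokens: list) -> str:
    """Consume one PIX address spec: any | host X | interface X | addr mask."""
    first = tokens.pop(0)
    return first if first == "any" else f"{first} {tokens.pop(0)}"


def parse(text: str):
    statics, acls, groups = [], {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if m := STATIC_PORT.match(line):
            statics.append(Static(m[1], m[2], m[3]))
        elif m := STATIC_ALL.match(line):
            statics.append(Static("*", "*", m[1]))
        elif m := ACL.match(line):
            t = m[4].split()                       # source-port operators are not handled
            src, dst = _addr(t), _addr(t)
            port = t[1] if len(t) >= 2 and t[0] == "eq" else None
            acls.setdefault(m[1], []).append(Entry(m[2], m[3], src, dst, port))
        elif m := GROUP.match(line):
            groups[m[1]] = (m[2], m[3])
    return statics, acls, groups


def audit(text: str) -> list:
    """Return one finding per mismatch between the outside ACL and the statics."""
    statics, acls, groups = parse(text)
    inside_hosts = {s.host for s in statics}
    forwarded = {(s.proto, s.port) for s in statics}
    all_ports = [s for s in statics if s.proto == "*"]
    bound = [n for n, (d, i) in groups.items() if d == "in" and i == "outside"]
    findings, permitted, wide = [], set(), set()
    if not bound:
        findings.append("no 'access-group <acl> in interface outside': forwarded ports are unreachable")
    for name in bound:
        entries = acls.get(name, [])
        for e in entries:
            if e.action != "permit":
                continue
            if e.dst.startswith("host ") and e.dst[5:] in inside_hosts:
                findings.append(f"{name}: '{e.dst}' is the inside address; an inbound ACL on outside "
                                "matches the translated (outside) address, use 'any' or 'interface outside'")
            elif e.proto == "ip" or e.port is None:
                wide.add(e.proto)
                what = ("every port of " + ", ".join(s.host for s in all_ports)) if all_ports else "every forwarded port"
                findings.append(f"{name}: 'permit {e.proto} {e.src} {e.dst}' has no port restriction; {what} is reachable")
            elif (e.proto, e.port) not in forwarded:
                findings.append(f"{name}: permits {e.proto}/{e.port} but no static forwards it")
            else:
                permitted.add((e.proto, e.port))
        last = entries[-1] if entries else None
        if not (last and last.action == "deny" and last.proto == "ip"):
            findings.append(f"{name}: no trailing 'deny ip any any'; the implicit deny still drops, but gives no hit counts")
    for s in statics:   # all-port statics are skipped: their exposure is whatever the ACL permits
        if s.proto != "*" and s.proto not in wide and "ip" not in wide and (s.proto, s.port) not in permitted:
            findings.append(f"static {s.proto}/{s.port} -> {s.host} has no matching permit; that forward will not work")
    return findings


def lockdown_acl(text: str, name: str = "100") -> list:
    """Derive the minimal inbound ACL: one permit per forwarded proto/port, explicit deny last."""
    statics, _, _ = parse(text)
    seen, lines = set(), []
    for s in statics:
        if s.proto == "*" or (s.proto, s.port) in seen:
            continue                                # no port to derive, or already emitted
        seen.add((s.proto, s.port))
        lines.append(f"access-list {name} line {len(lines) + 1} permit {s.proto} any any eq {s.port}")
    lines.append(f"access-list {name} line {len(lines) + 1} deny ip any any")
    return lines


def hardened(text: str, name: str = "100") -> str:
    """Rewrite a config with the derived ACL in place of whatever access-list/group it had."""
    keep = [l for l in text.splitlines() if not l.startswith("access-")]
    return "\n".join(keep + lockdown_acl(text, name) + [f"access-group {name} in interface outside"]) + "\n"


if __name__ == "__main__":
    for label, cfg in (("first attempt", FIRST_ATTEMPT), ("posted", POSTED_CONFIG), ("hardened", hardened(POSTED_CONFIG))):
        print(f"== {label}")
        for f in audit(cfg) or ["ok: only forwarded ports are permitted, explicit deny present"]:
            print("  " + f)
```

Running it prints three findings for the first attempt (both permits name the inside address, and there is no explicit deny), three for the posted config (two port-less permits plus the missing deny), and none for the hardened rewrite, whose ACL is line for line the one Brent proposed. The `host` check encodes the reason the first attempt failed: on PIX 6.x the outside ACL sees the packet before translation, so the private address never matches and the traffic is dropped silently.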
 