
question about static 2

Status
Not open for further replies.

boymarty24

Technical User
Aug 21, 2003
362
SE
Hi,

Have a question about static command. If you only have one public ip and want to have external access to internal servers. My command line looks like this...


global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside, outside) tcp interface 25 192.168.1.101 25

Do I need to add access-list and access-group command as well? If yes, why. Shouldn't the static command with the parameters work?

Someone who knows why?

 
yes you need to add an access-list (which permits the traffic to your internal server on port 25) and an access-group statement (which binds the access-list to the interface).
Unfortunately, my pix 501 running 6.2(2) won't work with a dynamically assigned public ip even though it is correctly configured to allow http, etc... to internal servers. I am disgusted that cheapy $100 broadband routers allow port redirection with 5 minutes of config time and cisco doesn't.
I am reluctant to buy a smartnet contract for $100 to find out that the latest version doesn't work either (concerning port redirection).
 
ok, thanks

But why do you need to put in the extra parameters ( tcp and smtp ) in the static command? Why can't you do it the usual way?

Is it because of the shared outbound pat?
 
boymarty24 -

The static command you've entered is redirecting all tcp traffic with port 25 (SMTP) to the inside host 192.168.1.101. Only SMTP is getting redirected.

I'm not sure if this is what you want to do.

The only thing I see wrong with your static statement is the "25" at the very end. It's not needed.
 
The 25 at the end might not be needed, but it is correct. You can map external ports to different internal ports if you like, so the 25 at the end is just confirming that you're mapping port 25 to port 25, rather than port 25 to some other internal port.

This can be useful when trying to map through, for example, terminal services access to multiple servers when you only have one public address. You might map tcp 3389 traffic to 3389 on one server, then 3390 to 3389 on another server, 3391 to 3389 on a third server, and so you can then use terminal services to any of the 3 servers by specifying the public ip of the pix, and the mapped port number for the server you want.

Festus,

can you post your config? I'm interested to hear that you can't port map using dynamically assigned public ips, that sounds like something you should be able to do. Wouldn't mind looking into that ...

Chico



CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
Aha, that explains it more.

But I am still a little confused. When I tried the same config but with the standard static command no one was able to get out from the pix.
This command...

static (inside, outside) interface 192.168.1.101


But when i use the other static it worked. Why is that?

Has it anything to do with static thru PAT?

/M



 
That happens because of the xlate table (the table that keeps a log of what inside addresses and ports map to what outside addresses and ports). When someone makes a connection to an outside server, it's two way communication. So say a pc on 192.168.1.50 tries to make a connection to an external webserver, say they initiate a connection to port 80 on cisco's webserver, from whatever high number port their machine chooses. So that traffic goes out, gets to cisco's site, fine.

Cisco's site then returns an html document, and those packets come back towards your pix. They hit the outside address of the pix, which tries to determine where to pass that traffic. The problem you're finding is that static mappings take precedence over PAT translations.

So even though the traffic initiated from 192.168.1.50, the static rule you've put in your PIX says map ALL traffic destined for the outside of your PIX to 192.168.1.101.

So the return traffic never gets routed back to your machine at 192.168.1.50

So the traffic does get OUT. It just doesn't come back to the machine that initiated it.

Basically your static command says route all incoming traffic to the 192.168.1.101 machine. So the PIX does what you've told it to do.

You can read about the precedence the PIX gives to static, nat and pat commands here if you're interested




CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
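As an added illustration for this thread (written here, not PIX code or anything from Cisco), a simplified Python model of the lookup order Chico describes: static entries are checked before the PAT xlate table, and inbound traffic through a static still needs an access-list permit as the first reply says. The port-redirect static from the question is modelled beside the blanket `static (inside, outside) interface 192.168.1.101`; the PAT port allocation and the ACL representation are assumptions of the model.

```python
# Simplified model of PIX inbound translation order as explained in this
# thread. Not PIX code: the PAT port counter and the ACL tuple form are
# constructed for the illustration.
from typing import Optional, Tuple

Target = Tuple[str, int]              # (inside_ip, inside_port)


class PixModel:
    def __init__(self, statics, acl):
        # statics: list of (proto, outside_port, inside_ip, inside_port);
        # proto None models a blanket 'static (inside,outside) interface <ip>'.
        self.statics = statics
        self.acl = set(acl)           # permitted inbound (proto, inside_ip, inside_port)
        self.xlate = {}               # (proto, outside_port) -> (inside_ip, inside_port)
        self.next_pat_port = 1024     # constructed starting point for PAT ports

    def outbound(self, proto: str, src_ip: str, src_port: int) -> int:
        """Inside host opens a connection: PAT picks an outside port, records the xlate."""
        self.next_pat_port += 1
        self.xlate[(proto, self.next_pat_port)] = (src_ip, src_port)
        return self.next_pat_port

    def inbound(self, proto: str, dst_port: int) -> Optional[Target]:
        """Packet arriving on the outside interface; returns the inside host it reaches."""
        for s_proto, s_out_port, s_ip, s_in_port in self.statics:
            blanket = s_proto is None
            if blanket or (s_proto == proto and s_out_port == dst_port):
                target = (s_ip, dst_port if blanket else s_in_port)
                # a static only admits traffic that an access-list bound with
                # access-group permits to that inside host and port
                return target if (proto, *target) in self.acl else None
        # no static matched: fall back to the PAT xlate table (return traffic)
        return self.xlate.get((proto, dst_port))


def port_redirect_pix() -> PixModel:
    """static (inside,outside) tcp interface 25 192.168.1.101 25, plus an ACL permit for tcp 25."""
    return PixModel([("tcp", 25, "192.168.1.101", 25)], [("tcp", "192.168.1.101", 25)])


def blanket_static_pix() -> PixModel:
    """static (inside,outside) interface 192.168.1.101, with the same ACL."""
    return PixModel([(None, None, "192.168.1.101", None)], [("tcp", "192.168.1.101", 25)])


def web_round_trip(pix: PixModel) -> Optional[Target]:
    """192.168.1.50 opens a web connection; report where the reply lands."""
    pat_port = pix.outbound("tcp", "192.168.1.50", 40000)
    return pix.inbound("tcp", pat_port)
```

With the port-specific static the reply to 192.168.1.50 follows the xlate entry home; with the blanket static it is claimed by the static first and never reaches the host that started the connection.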
 