quick question concerning PIX Global command

[geranimo666]

Hello all-

Can someone please translate for me what this exact statement mean in my PIX configuration

on PIX 515

global (outside) 1 198.X.X.3

I know it relates to the outside interface on the pix but if the outside (eth0) interface is 198.x.x.2.. then what does this global command allow for .3?

Can't seem to make sense of it
any info would be awesome

thanks
geranimo

 

[brianinms]

That is part of the nat statement ... such as its made of a global and a nat

global (outside) 1 198.X.X.3
nat (inside) 1 x.x.x.x x.x.x.x

Notice the 1 means they are paired.

 

[geranimo666]

Ah yes! gotcha-

So is there anyway I can write this particular command out..

I want to have 3 pc's outside our network (another company) access 2 of my (inside) pc's using vnc (prot 5800-5900) all I've been able to do is do a static(inside, outside) and an access-list as a one to one.. meaning that I can't overlap or tell the pix to allow me to have 3 outside pc's vnc to more than one machine (the static(inside, outside) rule won't allow more than 1 outside pc to 1 inside pc).. if I apply it to more that one pc, it tells me there is a static overlap.. is there anyway around this?

thanks again,

Brianinms

 

[brianinms]

How many outside Ip addresses do you have? Your only limitation is that you can only forward the same external port per IP address to 1 internal machine. VNC isn't secure anyways, so you have them vpn and then launch vnc.

 

[geranimo666]

Brianims,

Is there anyway around that? based on my scenario or solution needed above?

Perhaps an extended access-list or something?


Eitherway, thanks

geranimo

 

[brianinms]

Well if you only have one external ip to use for VNC you could change the external port they connect to.