Firewall Wizards mailing list archives

re: pix firewall config quest


From: Mike Hoskins <mike () adept org>
Date: Wed, 13 Aug 2003 18:20:59 -0700 (PDT)

From: "Don Burgess" <don_burgess () hotmail com>
Date: Thu, 07 Aug 2003 00:44:20 -0700
sorry for this being such a basic question, but i am using a PIX to
learn, and i am trying to figure out how to forward a port from the
incoming interface to an internal ip..

i think you'd do that with a static and an ACL entry...

here is the basic scenario
pix 506e
internal pat 192.168.1.0
external interface address in my test setup is 10.10.1.208
internal ip that i want to access the port of 192.168.1.10
port that i want to access 3000

there may be a better way, but (long lines wrapped at backslash)...

! just an alias
name 10.10.1.208 outsidehost
! you may want to adjust the embryonic limit (32 here)
static (inside,outside) outsidehost 192.168.1.10 \
        netmask 255.255.255.255 0 32

then in the ACL applied to your external interface (remember, packets from
an interface with a lower security level -- e.g. outside -- are not
allowed to pass to an interface with a higher security level -- e.g.
inside -- by default) you would add a rule allowing the desired traffic,

access-list 100 permit tcp any host outsidehost eq 3000

this assumes you're using ACL # 100 to control traffic flow from your
outside interface to your inside interface.  as such, you should also have
an appropriate 'access-group' defined,

access-group 100 in interface outside

-mrh

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
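The reply above pairs a static translation with an ACL permit and an access-group binding; a practitioner reviewing a PIX config usually wants the reverse view, i.e. which inside hosts end up reachable and from where. The following Python script is an added example written for this archive page, not code from the thread or from Cisco. It assumes the PIX 6.x line forms `name <ip> <alias>`, `static (in,out) <mapped> <real> netmask <mask> [max_conns [embryonic]]`, `access-list <id> permit|deny <proto> <src> <dst> [eq <port>]` and `access-group <id> in interface <if>`; the sample config is constructed (the first static and ACL line mirror the reply, the other statics and ACL lines are invented to show a source-restricted service and a static with no permit at all).

```python
"""Audit which inside hosts a PIX-style static + access-list combination exposes.

Added example for the archive page, not from the thread. Assumed line forms:
  name <ip> <alias>
  static (in,out) <mapped> <real> netmask <mask> [max_conns [embryonic]]
  access-list <id> permit|deny <proto> <src> <dst> [eq <port>]
  access-group <id> in interface <if>
"""
import re
from collections import defaultdict

# Constructed sample config: the first static and first ACL line mirror the
# reply; the other statics and ACL lines are invented for illustration.
SAMPLE_CONFIG = """\
name 10.10.1.208 outsidehost
static (inside,outside) outsidehost 192.168.1.10 netmask 255.255.255.255 0 32
static (inside,outside) 10.10.1.209 192.168.1.20 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.1.210 192.168.1.30 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host outsidehost eq 3000
access-list 100 permit tcp 10.10.2.0 255.255.255.0 host 10.10.1.209 eq 22
access-list 100 deny ip any any
access-group 100 in interface outside
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)")
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)(?: (\d+) (\d+))?")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) "
                    r"(any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def parse_config(text):
    """Return (aliases, statics, acls, groups) parsed from a config snippet."""
    aliases, statics, acls, groups = {}, [], defaultdict(list), {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):          # blank or PIX comment
            continue
        if m := NAME_RE.match(line):
            aliases[m.group(2)] = m.group(1)          # alias -> address
        elif m := STATIC_RE.match(line):
            in_if, out_if, mapped, real, mask, max_conns, embryonic = m.groups()
            statics.append({"in_if": in_if, "out_if": out_if, "mapped": mapped,
                            "real": real, "mask": mask,
                            "max_conns": int(max_conns or 0),
                            "embryonic": int(embryonic or 0)})
        elif m := ACL_RE.match(line):
            acl_id, action, proto, src, dst, port = m.groups()
            acls[acl_id].append({"action": action, "proto": proto,
                                 "src": src, "dst": dst, "port": port})
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)           # interface -> ACL id
    return aliases, statics, acls, groups


def audit(text):
    """For each static, list the (proto, port, source) permits that reach the real host.

    A permit counts only if its ACL is bound inbound on the static's outside
    interface and its destination is 'any' or the static's mapped address.
    """
    aliases, statics, acls, groups = parse_config(text)
    resolve = lambda token: aliases.get(token, token)
    findings = []
    for st in statics:
        mapped = resolve(st["mapped"])
        exposed = []
        for entry in acls.get(groups.get(st["out_if"], ""), []):
            if entry["action"] != "permit":
                continue
            dst = entry["dst"]
            if dst == "any" or (dst.startswith("host ")
                                and resolve(dst.split()[1]) == mapped):
                exposed.append((entry["proto"], entry["port"], entry["src"]))
        findings.append({"real": st["real"], "mapped": mapped,
                         "exposed": exposed, "embryonic": st["embryonic"]})
    return findings


def world_reachable(findings):
    """Services any source may reach: (real host, proto, port, embryonic limit)."""
    return [(f["real"], proto, port, f["embryonic"])
            for f in findings for proto, port, src in f["exposed"] if src == "any"]


def unused_statics(findings):
    """Hosts with a static but no permit at all (translated, yet unreachable)."""
    return [f["real"] for f in findings if not f["exposed"]]


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for f in result:
        print(f"{f['real']} via {f['mapped']}: {f['exposed'] or 'no permit'}")
    print("reachable from any source:", world_reachable(result))
    print("statics with no permit:", unused_statics(result))
```

The embryonic limit is carried through into `world_reachable` because a service open to any source with a limit of 0 (unlimited half-open connections) is the case worth a second look when reviewing a config like the one in the reply.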
