
| Subject: | RE: PIX 501 Port forwarding |
|---|---|
| Date: | Wed, 16 Mar 2005 22:29:13 +0100 |
Actually no.

X.X.X.X - your WAN (interface) ip
x.x.x.x - internal host ip

You need to enter three commands:

access-list inmap permit tcp any host X.X.X.X eq 3389
--- allow port access thru pix (example for terminal server (RDP)- 3389)

access-group inmap in interface outside
--- bind access list to interface

static (inside,outside) tcp interface 3389 x.x.x.x 3389 netmask 255.255.255.255 0 0
--- be aware that this is one line command; it was wrapped by my mail client
--- this is the actual static mapping from outside ip to internal ip
--- you can have multiple static commands for various ports ie. smtp, ssh,
--- https, ...
--- you need separate access-list for each static mapping

these commands are taken from the actual configuration, you can consult the pix command line help for general command description (command ? --- ie. access-list ?)

I have a couple of PIX firewalls, all working very nice with multiple static mappings ...

With regards,
Milos

-----Original Message-----
From: Brett [mailto:bretticus@gmail.com]
Sent: Wednesday, March 16, 2005 5:06 PM
To: firewalls@securityfocus.com
Subject: PIX 501 Port forwarding

Hi,

I have a client who has installed a PIX 501. The client was given just one ip address which has been configured as the outside interface. The end result is they want to forward http traffic to a Web server within. PAT is configured via:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

The problem is that it appears one cannot static the outside interface to a local address (I assume this is true from the config examples I have seen on the Web.) I have also witnessed my ssh connection drop when I try ;-) On a cheap Linksys (etc.) this is trivial. Do I really need two routable ip addresses so that one can be the outside interface on the PIX and the other ip map to an inside address?

Thanks!
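
Added example, not part of the original post or thread: a small Python check that every `static` port forward on the outside interface has a matching `permit` in an access-list bound to that interface, and that every such permit has a forward behind it. The sample configuration, its addresses and the function names are constructed for illustration, and only the command forms shown in the post are parsed.

```python
import re

# Constructed sample in the command forms used in the post; addresses are placeholders.
SAMPLE_CONFIG = """\
access-list inmap permit tcp any host 192.0.2.10 eq 3389
access-list inmap permit tcp any host 192.0.2.10 eq smtp
access-group inmap in interface outside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 10.0.0.5 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.0.0.6 www netmask 255.255.255.255 0 0
"""

# PIX prints some well-known ports by name; small subset, extend as needed.
PORT_NAMES = {"www": 80, "smtp": 25, "https": 443, "ssh": 22}

ACL_RE = re.compile(r"^access-list (\S+) permit tcp any host \S+ eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\S+) (\S+) (\S+) netmask ")


def port_num(token):
    """Return the numeric port; raises KeyError for a name not in PORT_NAMES."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def audit(config):
    """Compare static port forwards against permits in ACLs bound to 'outside'.

    The ACL destination address is not checked, only the TCP port.
    """
    permits, bound, forwards = {}, set(), []
    for line in (raw.strip() for raw in config.splitlines()):
        acl, group, static = ACL_RE.match(line), GROUP_RE.match(line), STATIC_RE.match(line)
        if acl:
            permits.setdefault(acl.group(1), set()).add(port_num(acl.group(2)))
        elif group:
            bound.add(group.group(1))
        elif static:
            forwards.append((port_num(static.group(1)), static.group(2), port_num(static.group(3))))
    allowed = set().union(*(permits.get(name, set()) for name in bound))
    mapped = {outside_port for outside_port, _, _ in forwards}
    return {
        "forwards": forwards,
        "blocked": sorted(mapped - allowed),   # static exists, no permit: traffic is dropped
        "unmapped": sorted(allowed - mapped),  # permit exists, no static behind it
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```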