NAT on Cisco Pix?

pwjohnston · May 2008

So I have a pix at home I bought off ebay to help with my ccna when I finally get around to it. I set it up on my network, gave all my devices static IPs and everything seemed to work fine. Web pages, FTP to my web server, intranet file sharing, but I have a program that uses NAT that will establish an inbound connection but not an outbound connection. It’s defiantly the PIX because when I remove it, the program works fine.

Info:

Pix 501
IOS v6.3
PDM V2

Router IP: 192.168.1.1

PC IP: 192.168.1.75

Using port 55555

One website says:
In IOS, port forwarding is called 'static NAT mapping'. To generate this mapping, the following syntax will do:

router#configure terminal
router(config)#ip nat inside source static tcp <inside IP address> 6881 interface <outside interface> 6881

With my network info I try:

router#configure terminal
router(config)#ip nat inside source static tcp 192.168.1.75 55555 interface 192.168.1.1 55555

And then goes on to say
For UDP, replace the 'tcp' keyword with the keyword 'udp'. The rest stays the same.
An example:
ip nat inside source static tcp 10.0.0.10 6881 interface FastEthernet0 6881
ip nat inside source static udp 10.0.0.10 6881 interface FastEthernet0 6881

So I tried all that and I still cannot establish a NAT connection.

Any thoughts?

hypnotoad · May 2008

source IP and destination are probably not both port 55555

What if you set the source port to anything > 1023 ?

Ahriakin · May 2008

The PIX doesn't run IOS though (It runs FOS, the "Finesse Operating System") and while some of the commands in the latest software can be similar often there are differences in syntax. Also you don't need a PIX at all for the CCNA, in fact trying to learn it might be a hindrance especially since you're on 6.3 and it's VERY different to IOS.

Anyway - I'm presuming you just have one IP so you will need to use Static PAT (Where you use the destination port from the outside to decide the destination IP (and port if needed) on the Inside. http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml#t10

Matt2000 · May 2008

First, I don't see why you would need the PIX for the CCNA. There are pretty much NO questions or sims dealing with this information.

Second, PIX are end of life. You would be better off re-selling the PIX on eBay and buying an ASA 5510 or higher. Make sure that you get IOS 7.2 or higher; this will ensure that your time is not wasted on outdated material no longer tested.

While the commands might be the same, there are subtle differences. I just took / passed 642-523 (SNPA) and NOTHING related to PIX since they are end of life.

As far as your issues, you can find a ton of information:

www.cisco.com/UNIVERCD

JDMurray · May 2008

Ahriakin wrote:

The PIX doesn't run IOS though (It runs FOS, the "Finesse Operating System") and while some of the commands in the latest software can be similar often there are differences in syntax.

Is it just me, or is FOS easier to use than IOS? I learned on a PIX 501 before I ever saw IOS. When I actually got around to taking a router class, I kept having problems and asking myself, "Why isn't IOS easier to use like on a PIX?" FOS seems more intuitive for the workflow needed to program a device than IOS is, and that screwed me up a little learning FOS first.

Ahriakin · May 2008

Yeah personally I prefer the flow on FOS. IOS seems like a lot of folks with very different approaches were involved in each functional area. Simple things like being able to run all Priv-Exec mode commands anywhere on FOS (so you can quickly check existing rules etc. as you make modifications) make it so much easier to use, I know they added "do.." to Configure T mode on IOS a while back but it's still one extra typo waiting to slow you down.

pwjohnston · May 2008

nl wrote:

source IP and destination are probably not both port 55555

What if you set the source port to anything > 1023 ?

Well that might be a problem because I don' know what port their using. I thought I just had to get the NAT signal through the router and it would be good because I don't have to set a destination port in the software.

pwjohnston · May 2008

Matt2000 wrote:

First, I don't see why you would need the PIX for the CCNA. There are pretty much NO questions or sims dealing with this information.

Second, PIX are end of life. You would be better off re-selling the PIX on eBay and buying an ASA 5510 or higher. Make sure that you get IOS 7.2 or higher; this will ensure that your time is not wasted on outdated material no longer tested.

While the commands might be the same, there are subtle differences. I just took / passed 642-523 (SNPA) and NOTHING related to PIX since they are end of life.

As far as your issues, you can find a ton of information:

www.cisco.com/UNIVERCD

Hurm, well that sux. I have very little Cisco experience so that's why. >;)

Basically I thought Cisco IOS was like linux, once you get the general gist of the command line and how it works slight variances in the syntax would be irrelevant or easily compensated for.

Is there a model that is reasonable, under 200 bucks used, that does wireless and I could use for playing around with the IOS when I get around to trying the CCNA(probably in 3 to 6 mo)?

Ahriakin · May 2008

Get GNS3 (Full package incl. Dynagen/Dynamips) it's a full Cisco router emulator, it runs real IOS images (which you have to provide yourself) so it is for all intents and purposes the real-thing...minus the actual interfaces as these are all virtual (but you can map them to INTs on the host pc if you need outside connectivity). It's a superb tool and will do everything you need for the routing side of the CCNA. As for Wifi you can always get a cheap 2nd hand Aironet if you really feel the need for hands on with it.

pwjohnston · May 2008

Ahriakin wrote:

Get GNS3 (Full package incl. Dynagen/Dynamips) it's a full Cisco router emulator, it runs real IOS images (which you have to provide yourself) so it is for all intents and purposes the real-thing...minus the actual interfaces as these are all virtual (but you can map them to INTs on the host pc if you need outside connectivity). It's a superb tool and will do everything you need for the routing side of the CCNA. As for Wifi you can always get a cheap 2nd hand Aironet if you really feel the need for hands on with it.

Thanks I'll check that out. As far as the wireless, I was just thinking if I could get something I could use at home it would help familiarize me with the IOS.

Ahriakin · May 2008

I use a 2nd hand Aironet 1100 for the home wireless and occasional study, it's grand. Picked it up 2 years back for !$200 so they're probably a lot cheaper now.

NAT on Cisco Pix?

Comments