PIX 525 Port forwarding

Guys i'm in need of a little PIX help. I don't work with these very much and I need some help setting up port forwarding (I think Static PAT is what i'm needing)

I have one public IP (68.123.45.10/25 - slightly sanitized) that I want to assign to the outside interface and also use to perform PAT for an FTP server. I've assigned 192.168.50.225/24 to the inside interface of the PIX and need to map FTP from the outside to the inside. The FTP server sits on the 192.168.50.0/24 network as 192.168.50.101.

Anyone have some configs to share for this type of NAT/PAT deployment? I've been screwing around with it and haven't been able to get it going.

So far I have

global (outside) 1 68.123.45.10
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 68.123.45.10 ftp 192.168.50.101 ftp netmask 255.255.255.255
static (inside,outside) tcp 68.123.45.10 ftp-data 192.168.50.101 ftp-data netmask 255.255.255.255
access-list 100 extended permit ip any any
access-group 100 in interface outside
access-group 100 out interface outside
access-group 100 in interface inside
access-group 100 out interface inside

But no FTP access from the public side (I verified FTP is working on the private IP)

Find more posts tagged with

Comments

instant000

EDIT: I saw that "permit ip any any" in there, that looks a bit horribly insecure ....could you possibly tighten that up?

Note: Be careful when you implement these commands. If either the conduit permit ip any any or access-list 101 permit ip any any command is implemented, any host on the untrusted network can access any host on the trusted network using IP as long as there is an active translation.

An additional troubleshooting tip from that same article: (has worked for me in the past):

If you use ICMP pings to test a configured translation, the pings are likely to fail and make it seem as though the translation is not working. By default, the PIX blocks ICMP messages from lower security interfaces to higher security interfaces. This occurs even if the echo-reply is in response to a ping initiated from the inside. As a result, be sure to use another method, like Telnet, to verify your configuration.

After you make any changes to translation rules on the PIX it is strongly encouraged that the clear xlate command be issued. This ensures that any old translations do not interfere with newly configured ones and cause them to operate incorrectly.

After you configure or change static translations between servers on the inside or DMZ and the outside, it might be necessary to clear the ARP cache of the gateway router or other next-hop device.

Sup homie, I'm from the SIP also! (At least, originally.)

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml#topic7

If the 525 is in the 6 and lower series of PIX (I think it is, I last remember working on a 515 that ran 6 series) ...
(it specifically shows how to allow untrusted hosts access to your trusted stuff)

Look at the diagram/configuration about halfway down the page, related to this:
Using nat, global, static, conduit, and access-list Commands and Port Redirection(Forwarding) on PIX [Cisco PIX 500 Series Security Appliances] - Cisco Systems

If you ran the newer version 7 series, this guide is specifically for FTP

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml

vinbuck

"EDIT: I saw that "permit ip any any" in there, that looks a bit horribly insecure ....could you possibly tighten that up?"

I'm going to put normal ACL statements in that restrict traffic to SSH and FTP and maybe a few other services once NAT is working the way it should. I just don't like fighting multiple battles when i'm working with something i'm not very familiar with.
Thanks...I'll look at those suggestions. I'm actually running 8.0 (upgraded from 6.3)

P.S. Where ya from in the SIP?

millworx

would help if you posted the complete config.

Do you have a route to the outside?

eg "route outside 0.0.0.0 0.0.0.0 68.123.45.1 1"