denver218
Opening ports on Cisco Pix 501
I have a Cisco PIX 501. This device does not have a static IP address on the outside interface; it's PPPoE off a DSL modem. I have a vendor who installed an application inside the network. They need to access this application from the outside. Since I don't have a block of static IPs from the ISP, I can't NAT the private IP of this application to a public IP. The internal address of this application is 192.168.20.1. They need ports 2000, 2003, and 443 opened so they can access it from the outside. How do I do this since I don't have a public address to NAT to 192.168.20.1? Like I said, the PIX receives a public address from the DSL modem. Thanks.
ASKER CERTIFIED SOLUTION
If you already have an access list with another name applied, use that (like: access-list other_name permit tcp any interface outside eq 443).
Otherwise you can apply this one (access-group outside in interface outside).
Assuming of course your interfaces are named inside and outside :)
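The accepted post above survives here only in part (the paywall cut off the static commands it refers to). The complete configuration it describes, written out as an added example rather than the poster's own text, uses the PIX port-redirection form of static, where the keyword interface stands in for the outside address so no fixed public IP is needed. It assumes PIX 6.3 syntax, interfaces named inside and outside as the answer says, the host 192.168.20.1 and ports 2000, 2003 and 443 from the question, and an access-list named outside to match the access-group line in the answer:

```text
! Redirect TCP 2000, 2003 and 443 arriving on the outside interface's
! (dynamic, PPPoE-assigned) address to the internal application host.
static (inside,outside) tcp interface 2000 192.168.20.1 2000 netmask 255.255.255.255
static (inside,outside) tcp interface 2003 192.168.20.1 2003 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.20.1 443 netmask 255.255.255.255

! Permit the redirected ports inbound. "any" is what the thread uses;
! replace it with the vendor's source address or network if it is known,
! e.g.: access-list outside permit tcp host <vendor_ip> interface outside eq 2000
access-list outside permit tcp any interface outside eq 2000
access-list outside permit tcp any interface outside eq 2003
access-list outside permit tcp any interface outside eq 443

! Bind the list to the outside interface (inbound direction).
access-group outside in interface outside
```

Two checks before handing this to the vendor. First, the three "any" lines expose the application to the whole internet, not just the vendor, so narrow the source to the vendor's address if they connect from somewhere fixed, and confirm the translations and hit counts with show xlate and show access-list after a test connection. Second, if PDM/HTTPS management is enabled on the outside interface (an http ... outside line in the running config), the PIX already listens on TCP 443 there and the 443 redirect will collide with it; move management to the inside or pick a different outside port for the redirect. Because the outside address is dynamic, the vendor still needs a dynamic DNS name to find the PIX, as the other answer in this thread points out.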
I only know of one way I think will work, and that is to require a remote-access VPN connection to the PIX. Then internal resources should be accessible. I don't believe straight static NAT will work because while you can NAT internal traffic going out to the external interface, I don't believe there's a way of saying "NAT traffic arriving on the outside interface on port 2000 to internal address x.x.x.x". The syntax of the static NAT command requires that you specify the external IP address.
I would suggest trying the VPN approach, and if you use something like dynamic DNS, you can VPN to a hostname that gets updated when your dynamic address changes. I use DirectUpdate at home but I'm sure there are other products that would work. And it works well. I registered for a free username on an existing free domain name (I did not pay to register my own domain) and I can VPN to my personal domain name without any knowledge of what the public IP address is.
The syntax of the static NAT command requires that you specify the external IP address
But that is what we're doing here, aren't we? We use the external IP of the outside interface.
ASKER
Thanks. That worked great. I appreciate your help.
You're welcome, glad I could help :)
Thx for the points.