Troubleshooting question: PIX-515e - Port Translation

Asked by j_dyer in Software Firewalls
I'm certainly not an expert on Cisco kit, which is why I'm asking this question here.
Basically, on a PIX-515, I have this config (various parts snipped for brevity, and IP numbers changed
to protect the innocent).

nameif ethernet0 outside security0
nameif ethernet1 inside security100
names
name 192.168.0.1 Fw-PIX-Outside
name 10.0.0.1 Fw-PIX-Inside
name 10.0.0.2 Protected-1a
name 10.0.0.3 Protected-1b
ip address outside Fw-PIX-Outside 255.255.255.0
ip address inside Fw-PIX-Inside 255.255.255.0
static (inside,outside) Protected-1a Protected-1a netmask 255.255.255.255 0 0
static (inside,outside) Protected-1b Protected-1b netmask 255.255.255.255 0 0
access-list ACL-IN permit tcp any host Protected-1a eq https
access-list ACL-IN permit tcp any host Protected-1b eq 5223
access-list ACL-IN permit tcp any host Protected-1b eq https
access-list ACL-IN permit tcp any host Protected-1b eq 22

Hopefully, the snips are obvious.
All IP addresses used on this router are publicly routable.

Now, what I want to do is basically rewrite connections coming into the firewall, for Protected-1a, on port
443, to port 5223.

I *think* that what I need to do is this:
no static (inside,outside) Protected-1a Protected-1a netmask 255.255.255.255 0 0
no static (inside,outside) Protected-1b Protected-1b netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-1a 443 Protected-1a 5223 netmask 255.255.255.255
static (inside,outside) Protected-1a Protected-1a netmask 255.255.255.255 0 0
static (inside,outside) Protected-1b Protected-1b netmask 255.255.255.255 0 0

I think I need to start with the 'no static' lines to prevent overlapping, but I'm not 100% sure
of that (this just needs to work first time).

Since this is a live system, I'm reluctant to just try the above without some other opinions from some more
'clued-up on Cisco' people.

So, what do I have to do to get the port forwarding to work? I'm especially wondering if I need to
add another access-list line of the form:
access-list ACL-IN permit tcp any host Protected-1a eq 5223

Thanks in advance,

James
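A way to sanity-check the proposed static/ACL combination offline before touching the live box, as an added Python example that is not from the question or the accepted answer: it parses the `static` and `access-list` lines quoted in the post, checks that each port-translating static is permitted on its global (pre-translation) port, since pre-8.3 PIX/ASA access-lists on the outside interface match the mapped address and port, and flags any global address claimed by more than one static. The sample config below is constructed from the lines in the question; the port keyword table and the line layouts accepted by the parser are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the asker's proposed statics plus the existing ACL-IN lines.
PIX_CONFIG = """\
static (inside,outside) tcp Protected-1a 443 Protected-1a 5223 netmask 255.255.255.255
static (inside,outside) Protected-1a Protected-1a netmask 255.255.255.255 0 0
static (inside,outside) Protected-1b Protected-1b netmask 255.255.255.255 0 0
access-list ACL-IN permit tcp any host Protected-1a eq https
access-list ACL-IN permit tcp any host Protected-1b eq 5223
access-list ACL-IN permit tcp any host Protected-1b eq https
access-list ACL-IN permit tcp any host Protected-1b eq 22
"""

PORT_NAMES = {"https": 443, "www": 80, "ssh": 22}  # assumed subset of PIX keywords

def port(tok):
    """Resolve a PIX port keyword or numeric port to an int."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse(config):
    """Return (statics, permits): statics as (proto, gaddr, gport, laddr, lport),
    with proto/ports None for one-to-one statics; permits as (proto, gaddr, gport)."""
    statics, permits = [], set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["static", "(inside,outside)"]:
            if tok[2] in ("tcp", "udp"):   # port static: global addr/port, local addr/port
                statics.append((tok[2], tok[3], port(tok[4]), tok[5], port(tok[6])))
            else:                          # one-to-one static
                statics.append((None, tok[2], None, tok[3], None))
        elif m := re.match(r"access-list \S+ permit (tcp|udp) any host (\S+) eq (\S+)", line):
            permits.add((m[1], m[2], port(m[3])))
    return statics, permits

def audit(config):
    """List findings: ACL coverage of each port static, and global-address overlaps."""
    statics, permits = parse(config)
    findings, by_global = [], defaultdict(list)
    for proto, gaddr, gport, laddr, lport in statics:
        by_global[gaddr].append(proto)
        if proto is None:
            continue
        # Pre-8.3 ACLs are evaluated against the global (pre-NAT) address and port.
        if (proto, gaddr, gport) in permits:
            findings.append(f"OK: {proto}/{gport} -> {laddr}:{lport} is permitted on global port {gport}")
        else:
            findings.append(f"MISSING: ACL needs 'permit {proto} any host {gaddr} eq {gport}'")
    for gaddr, protos in by_global.items():
        if len(protos) > 1:
            findings.append(f"OVERLAP: {gaddr} is the global address of {len(protos)} statics; "
                            "check for a mapped-address conflict before applying")
    return findings
```

Running `audit(PIX_CONFIG)` reports that the 443 to 5223 redirect for Protected-1a is already covered by the existing `eq https` permit, and that Protected-1a would be claimed by both a one-to-one static and a port static.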
ASKER CERTIFIED SOLUTION
Tim Holman, CEO