Cisco Pix 506E. e0 is dynamically assigned.

Posted on 2004-10-07
Last Modified: 2013-11-16
In one of my remote offices, I have a PIX 506E Firewall. It currently runs PAT for my internal nodes and it works fine. I have also set up a VPN tunnel between my remote office and my Corporate office. However, the ISP in the remote office does not offer any static IP addresses. Therefore e0 is dynamically assigned.

However, in the branch office, I need to be able to access resources behind this firewall from an external location.

With my Pix at my Corporate office I do a static one-to-one translation and allow the necessary port number through an access-list and this allows me access to my  resources behind the firewall.

I guess my question is:

Is there anything I can do to access my internal resources on the firewall at my remote office or am I SOL?

Thanks,

Showstopper
Question by:showstopper1970
10 Comments
LVL 2

Assisted Solution

by:parbul
parbul earned 200 total points
ID: 12254945
Hi.

You can use port forwarding instead of static NAT. Port forwarding is like static NAT, but in port forwarding you only match a specific port, while in static NAT you match all the ports to one IP.

If eth0 uses a dynamic address you can put the word interface instead of an IP:

static (inside, outside) tcp interface 80  internal_ip  80

In this example you match port 80 to an internal IP, and you can use the interface keyword, which is substituted with the current IP.

Also you need a dynamic DNS like www.no-ip.com and install that on an internal PC.

Greetings

Author Comment

by:showstopper1970
ID: 12259295
Ok, so for example if I wanted port 80 to be forwarded to an internal server, i.e. 192.168.50.2, I would add the following line?

static (inside, outside) tcp e0 80 192.168.50.2 80

Please let me know if this is the proper syntax... Thanks in advance.

Showstopper
LVL 2

Expert Comment

by:parbul
ID: 12261979
Hi..

No, you need to put:

static (inside, outside) tcp interface 80 192.168.50.2 80

Yes, you need to put the word "interface"; the PIX knows that the interface is substituted for outside, and outside is eth0 and inside is eth1 by default.

LVL 23

Expert Comment

by:Tim Holman
ID: 12265884
...and of course the access list that allows port 80 to talk to the external address.

Author Comment

by:showstopper1970
ID: 12290746
Can you give me an example of what the access list would look like?

Would this be right?

access list inbound permit tcp any host interface eq www
LVL 2

Expert Comment

by:parbul
ID: 12292101
Yes,

access list inbound permit tcp any host interface eq www     is okay

and don't forget the access-group to apply it to the outside interface:

access-group inbound in interface outside

Author Comment

by:showstopper1970
ID: 12299190
Ok... The first command -- static (inside, outside) tcp interface 80 192.168.50.2 80 -- works.

The second command -- access-list inbound permit tcp any host interface eq www --- Returns the following error: ERROR: invalid IP address interface

Any thoughts?


Author Comment

by:showstopper1970
ID: 12299425
In addition to my note above... I put in:

access-list inbound permit tcp any host xx.xx.xx.xx eq www  (Where xx is the dynamically assigned IP address) and it works !!!

However, since this address is dynamic it will change leaving me without access to my internal network in the near future?

Can somebody suggest an alternative?
LVL 23

Accepted Solution

by:Tim Holman
Tim Holman earned 300 total points
ID: 12300415
You should have a rough idea of what your ISP's DHCP range is, so just allow access for that whole network -

e.g. access-list inbound permit tcp any 195.54.0.0 255.255.0.0 eq www
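The trade-off in the accepted answer, as an added example that is not part of the thread: a small Python model of how a PIX access-list entry matches a packet, showing that the single-host rule stops matching once the DHCP lease changes while the 195.54.0.0 255.255.0.0 rule keeps working for any address in that block. Note that PIX ACLs take a real netmask (255.255.0.0), not an IOS-style wildcard mask; the sample addresses other than the 195.54.0.0/16 range from the thread are constructed.

```python
import ipaddress

# Well-known port names the PIX accepts in place of numbers (small subset).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25}

def _parse_addr(tokens, i):
    """Consume one PIX address spec at tokens[i]; return (network, next index).
    Forms: 'any', 'host A.B.C.D', or 'A.B.C.D NETMASK' (a netmask, not a wildcard)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net, i + 2

def parse_pix_ace(line):
    """Parse 'access-list NAME permit|deny tcp|udp SRC DST [eq PORT]' into a dict."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] not in ("tcp", "udp"):
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"name": t[1], "action": t[2], "proto": t[3], "src": src, "dst": dst, "port": port}

def ace_matches(ace, src_ip, dst_ip, dst_port, proto="tcp"):
    """True if a packet (src, dst, dst port, proto) is selected by this ACE."""
    return (proto == ace["proto"]
            and ipaddress.ip_address(src_ip) in ace["src"]
            and ipaddress.ip_address(dst_ip) in ace["dst"]
            and (ace["port"] is None or ace["port"] == dst_port))

def survives_lease_change(ace, old_ip, new_ip, client="203.0.113.7"):
    """Does the ACE still admit port-80 traffic to the firewall after its outside address changes?
    (client is a constructed external source address.)"""
    return ace_matches(ace, client, old_ip, 80) and ace_matches(ace, client, new_ip, 80)

# Constructed scenario: ISP leases come from 195.54.0.0/16, as in the accepted answer.
HOST_RULE = parse_pix_ace("access-list inbound permit tcp any host 195.54.10.20 eq www")
RANGE_RULE = parse_pix_ace("access-list inbound permit tcp any 195.54.0.0 255.255.0.0 eq www")

if __name__ == "__main__":
    for label, rule in (("host rule", HOST_RULE), ("range rule", RANGE_RULE)):
        print(label, "survives lease change:", survives_lease_change(rule, "195.54.10.20", "195.54.77.3"))
```

The range rule only widens the destination field; it still admits nothing but port 80, so the exposure is the same single forwarded service as before.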

Author Comment

by:showstopper1970
ID: 12302303
Thanks guys... I am going to split the points. Your tips helped me to get this operational.
