Solved

Cisco Pix 506E. e0 is dynamically assigned.

Posted on 2004-10-07 · 10 Comments · 429 Views · Last Modified: 2013-11-16
In one of my remote offices, I have a PIX 506E Firewall. It currently runs PAT for my internal nodes and it works fine. I have also set up a VPN tunnel between my remote office and my Corporate office. However, the ISP in the remote office does not offer any static IP addresses. Therefore e0 is dynamically assigned.

However, in the branch office, I need to be able to access resources behind this firewall from an external location.

With my Pix at my Corporate office I do a static one-to-one translation and allow the necessary port number through an access-list and this allows me access to my resources behind the firewall.

I guess my question is:

Is there anything I can do to access my internal resources on the firewall at my remote office or am I SOL?

Thanks,

Showstopper
0
Question by:showstopper1970
10 Comments
 
LVL 2

Assisted Solution

by:parbul
parbul earned 200 total points
ID: 12254945
Hi.

You can use port forwarding instead of static NAT. Port forwarding is like static NAT, but with port forwarding you only match a specific port, while with static NAT you match all the ports to one IP.

If eth0 uses a dynamic address you can put the word interface instead of an IP:

static (inside, outside) tcp interface 80  internal_ip  80

In this example you match port 80 to an internal IP, and you can use the interface keyword and it is substituted with the current IP.

Also you need a dynamic DNS like www.no-ip.com and install that on an internal PC.

Greetings
0
 

Author Comment

by:showstopper1970
ID: 12259295
Ok, so for example if I wanted port 80 to be forwarded to an internal server, i.e. 192.168.50.2, I would add the following line?

static (inside, outside) tcp e0 80 192.168.50.2 80

Please let me know if this is the proper syntax... Thanks in advance.

Showstopper
0
 
LVL 2

Expert Comment

by:parbul
ID: 12261979
Hi..

No, you need to put:

static (inside, outside) tcp interface 80 192.168.50.2 80

Yes, you need to put the word "interface"; the PIX knows that the interface is substituted with outside, and outside is eth0 and inside is eth1 by default.

0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12265884
..and of course the access list that allows port 80 to talk to the external address.
0
 

Author Comment

by:showstopper1970
ID: 12290746
Can you give me an example of what the access list would look like?

Would this be right?

access list inbound permit tcp any host interface eq www
0
 
LVL 2

Expert Comment

by:parbul
ID: 12292101
Yes,

access list inbound permit tcp any host interface eq www     is okay

and don't forget the access-group to apply it to the outside interface:

access-group inbound in interface outside
0
 

Author Comment

by:showstopper1970
ID: 12299190
Ok... The first command -- static (inside, outside) tcp interface 80 192.168.50.2 80 -- works.

The second command -- access-list inbound permit tcp any host interface eq www -- returns the following error: ERROR: invalid IP address interface

Any thoughts?

0
 

Author Comment

by:showstopper1970
ID: 12299425
In addition to my note above .... I put in:

access-list inbound permit tcp any host xx.xx.xx.xx eq www  (where xx is the dynamically assigned IP address) and it works!!!

However, since this address is dynamic it will change leaving me without access to my internal network in the near future?

Can somebody suggest an alternative?
0
 
LVL 23

Accepted Solution

by:Tim Holman
Tim Holman earned 300 total points
ID: 12300415
You should have a rough idea of what your ISP's DHCP range is, so just allow access for that whole network -

e.g. access-list inbound permit tcp any 195.54.0.0 255.255.0.0 eq www
0
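Pulling the three pieces of the accepted approach into one place, as an added example that is not from any of the posts above: a complete PIX 6.x fragment that assumes the thread's inside server 192.168.50.2, the ISP range 195.54.0.0/16 from the accepted answer, and e0 as the DHCP-addressed outside interface; the `netmask` argument and the `show` commands are my additions for verification.

```cisco
! Added example (not from the thread): port-forward TCP/80 on a PIX 506E
! whose outside interface (e0) gets its address from the ISP by DHCP.
! Assumed values: inside server 192.168.50.2, ISP DHCP range 195.54.0.0/16.
interface ethernet0 auto
nameif ethernet0 outside security0
ip address outside dhcp
!
! Static PAT: whatever address "outside" currently holds, port 80,
! is translated to 192.168.50.2:80. The interface keyword tracks the lease.
static (inside,outside) tcp interface www 192.168.50.2 www netmask 255.255.255.255
!
! Inbound ACL. The destination is the translated (outside) address, and
! this PIX rejects "host interface" here (the thread's ERROR shows that),
! so permit the ISP's DHCP range instead of one host. Only port 80 is opened;
! every other port stays closed by the implicit deny.
access-list inbound permit tcp any 195.54.0.0 255.255.0.0 eq www
!
! Bind the ACL to the outside interface in the inbound direction.
access-group inbound in interface outside
!
! Verification after a test connection from the Corporate side:
!   show ip address          -> current DHCP-assigned outside address
!   show xlate               -> PAT entry for 192.168.50.2
!   show access-list inbound -> hit count on the permit line
```

Because the ACL now admits the whole ISP range as destination, any other address in that range that later lands on e0 is also covered, which is the trade-off the accepted answer makes in exchange for not depending on a single dynamic address.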
 

Author Comment

by:showstopper1970
ID: 12302303
Thanks guys. I am going to split the points. Your tips helped me to get this operational.

0
