Solved

Cisco Pix 506E. e0 is dynamically assigned.

Posted on 2004-10-07
Last Modified: 2013-11-16
In one of my remote offices, I have a PIX 506E Firewall. It currently runs PAT for my internal nodes and it works fine. I have also set up a VPN tunnel between my remote office and my Corporate office. However, the ISP in the remote office does not offer any static IP addresses. Therefore e0 is dynamically assigned.

However, in the branch office, I need to be able to access resources behind this firewall from an external location.

With my Pix at my Corporate office I do a static one-to-one translation and allow the necessary port number through an access-list and this allows me access to my resources behind the firewall.

I guess my question is:

Is there anything I can do to access my internal resources on the firewall at my remote office or am I SOL?

Thanks,

Showstopper
Question by:showstopper1970
10 Comments
 
LVL 2

Assisted Solution

by:parbul
parbul earned 800 total points
ID: 12254945
Hi.

You can use port forwarding instead of static NAT. Port forwarding is like static NAT, but in port forwarding you only match a specific port, while in static NAT you match all the ports to one IP.

If eth0 uses a dynamic address you can put the word interface instead of an IP:

static (inside, outside) tcp interface 80  internal_ip  80

In this example you match port 80 to an internal IP, and you can use the interface keyword, which is substituted with the current IP.

Also you need a dynamic DNS like www.no-ip.com and install that on an internal PC.

Greetings
 

Author Comment

by:showstopper1970
ID: 12259295
Ok, so for example if I wanted port 80 to be forwarded to an internal server, i.e. 192.168.50.2, I would add the following line?

static (inside, outside) tcp e0 80 192.168.50.2 80

Please let me know if this is the proper syntax... Thanks in advance.

Showstopper
 
LVL 2

Expert Comment

by:parbul
ID: 12261979
Hi..

No, you need to put:

static (inside, outside) tcp interface 80 192.168.50.2 80

Yes, you need to put the word "interface"; the PIX knows the interface is substituted for outside, and outside is eth0 and inside is eth1 by default.

 
LVL 23

Expert Comment

by:Tim Holman
ID: 12265884
..and of course the access list that allows port 80 to talk to the external address.
 

Author Comment

by:showstopper1970
ID: 12290746
Can you give me an example of what the access list would look like?

Would this be right?

access-list inbound permit tcp any host interface eq www
 
LVL 2

Expert Comment

by:parbul
ID: 12292101
Yes

access-list inbound permit tcp any host interface eq www     is okay

and don't forget the access-group to apply it to the outside interface:

access-group inbound in interface outside
 

Author Comment

by:showstopper1970
ID: 12299190
Ok... The first command -- static (inside, outside) tcp interface 80 192.168.50.2 80 -- works.

The second command -- access-list inbound permit tcp any host interface eq www --- Returns the following error: ERROR: invalid IP address interface

Any thoughts?

 

Author Comment

by:showstopper1970
ID: 12299425
In addition to my note above .... I put in:

access-list inbound permit tcp any host xx.xx.xx.xx eq www  (Where xx is the dynamically assigned IP address) and it works !!!

However, since this address is dynamic it will change leaving me without access to my internal network in the near future?

Can somebody suggest an alternative?
 
LVL 23

Accepted Solution

by:Tim Holman
Tim Holman earned 1200 total points
ID: 12300415
You should have a rough idea of what your ISP's DHCP range is, so just allow access for that whole network -

eg - access-list inbound permit tcp any 195.54.0.0 255.255.0.0 eq www
 

Author Comment

by:showstopper1970
ID: 12302303
Thanks guys.. I am going to split the points.  Your tips helped me to get this operational.

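The commands the thread settles on, collected into one PIX 6.x configuration fragment as an added example (not posted by any participant); 192.168.50.2 comes from the thread and the 195.54.0.0 255.255.0.0 range is Tim's stand-in for the ISP's address block, which you would replace with your own ISP's range.

```cisco
! Added example, not from any post in this thread: PIX 6.x commands
! combining the port forward and the access list the thread arrives at.
! Assumptions: inside web server 192.168.50.2 (from the thread); the
! ISP's dynamic address block is 195.54.0.0/16 (Tim's example value).
!
! Forward only TCP/80 arriving on the outside interface's current
! DHCP-assigned address to the internal web server. The "interface"
! keyword follows the dynamic address, so this survives an IP change.
static (inside,outside) tcp interface 80 192.168.50.2 80 netmask 255.255.255.255 0 0
!
! PIX 6.x does not accept "host interface" as an ACL destination (the
! thread shows the resulting "invalid IP address interface" error), so
! the destination is written as the ISP's whole block. Only packets
! addressed to the PIX's own outside address ever reach this rule, and
! only the address/port pair with a static is translated inward, so the
! wide destination does not expose anything else. Narrow the "any"
! source to the networks that need access if they are known.
access-list inbound permit tcp any 195.54.0.0 255.255.0.0 eq www
!
! The access list does nothing until it is applied inbound on outside.
access-group inbound in interface outside
```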