• Status: Solved

Cisco Pix 506E. e0 is dynamically assigned.

In one of my remote offices, I have a PIX 506E Firewall. It currently runs PAT for my internal nodes and it works fine. I have also set up a VPN tunnel between my remote office and my Corporate office. However, the ISP in the remote office does not offer any static IP addresses. Therefore e0 is dynamically assigned.

However, in the branch office, I need to be able to access resources behind this firewall from an external location.

With my PIX at my Corporate office I do a static one-to-one translation and allow the necessary port number through an access-list, and this gives me access to my resources behind the firewall.

I guess my question is:

Is there anything I can do to access my internal resources on the firewall at my remote office or am I SOL?

Thanks,

Showstopper
2 Solutions
parbul commented:
Hi.

You can use port forwarding instead of static NAT. Port forwarding is like static NAT, but in port forwarding you only match a specific port, while in static NAT you match all the ports to one IP.

If eth0 uses a dynamic address you can put the word interface instead of an IP:

static (inside, outside) tcp interface 80  internal_ip  80

In this example you match port 80 to an internal IP, and you can use the interface keyword; it is substituted for the current IP.

Also you need a dynamic DNS like www.no-ip.com and install that on an internal PC.

Greetings
showstopper1970 (Author) commented:
Ok, so for example if I wanted port 80 to be forwarded to an internal server i.e 192.168.50.2 I would add the following line?

static (inside, outside) tcp e0 80 192.168.50.2 80

Please let me know if this is the proper syntax... Thanks in advance.

Showstopper
parbul commented:
Hi..

No, you need to put:

static (inside, outside) tcp interface 80 192.168.50.2 80

Yes, you need to put the word "interface"; the PIX knows that interface is substituted for outside, and outside is eth0 and inside is eth1 by default.

Tim Holman commented:
..and of course the access list that allows port 80 to talk to the external address.
showstopper1970 (Author) commented:
Can you give me an example of what the access list would look like?

Would this be right?

access-list inbound permit tcp any host interface eq www
parbul commented:
Yes,

access-list inbound permit tcp any host interface eq www     is okay,

and don't forget the access-group to apply it to the outside interface:

access-group inbound in interface outside
showstopper1970 (Author) commented:
Ok... The first command -- static (inside, outside) tcp interface 80 192.168.50.2 80 -- works.

The second command -- access-list inbound permit tcp any host interface eq www -- returns the following error: ERROR: invalid IP address interface

Any thoughts?

showstopper1970 (Author) commented:
In addition to my note above, I put in:

access-list inbound permit tcp any host xx.xx.xx.xx eq www  (where xx is the dynamically assigned IP address) and it works!!!

However, since this address is dynamic it will change, leaving me without access to my internal network in the near future?

Can somebody suggest an alternative?
Tim Holman commented:
You should have a rough idea of what your ISP's DHCP range is, so just allow access for that whole network,

e.g. access-list inbound permit tcp any 195.54.0.0 255.255.0.0 eq www
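Pulling the thread's pieces together, here is an added example configuration (written for this page, not taken from the posts above) for a PIX 6.x whose outside interface gets its address by DHCP. It assumes the 192.168.50.2 web server and the 195.54.0.0/16 ISP range from the thread, and uses CORP_PUBLIC_IP as a placeholder for the corporate office's static address; the two access-list lines show the open-source-address rule from the thread next to a tighter variant, and only one of them should be kept.

```cisco
! Added example, not from the original posts. Assumes PIX 6.x syntax,
! the 192.168.50.2 server and 195.54.0.0/16 ISP range from the thread,
! and CORP_PUBLIC_IP as a placeholder for the corporate office's address.

! 1. Port forward: the "interface" keyword stands in for whatever
!    address e0 currently holds, so the static survives a DHCP change.
static (inside,outside) tcp interface 80 192.168.50.2 80 netmask 255.255.255.255

! 2a. Open variant (as in the thread): TCP/80 from anywhere to the whole
!     ISP range. Works, but exposes the forwarded server to the internet.
access-list inbound permit tcp any 195.54.0.0 255.255.0.0 eq www

! 2b. Tighter variant: only the corporate office's public address may
!     reach the forwarded port. Use either 2a or 2b, not both.
access-list inbound permit tcp host CORP_PUBLIC_IP 195.54.0.0 255.255.0.0 eq www

! 3. Bind the list inbound on the outside interface; everything the list
!    does not permit is dropped by the implicit deny at its end.
access-group inbound in interface outside
```

The destination range is still as wide as the ISP's DHCP pool, so restricting the source (2b) is what keeps the rule from admitting the whole internet to port 80 on the branch server.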
showstopper1970 (Author) commented:
Thanks guys. I am going to split the points. Your tips helped me to get this operational.
