Solved

Cisco Pix 506E. e0 is dynamically assigned.

Posted on 2004-10-07
10
417 Views
Last Modified: 2013-11-16
In one of my remote offices, I have a PIX 506E Firewall. It currently runs PAT for my internal nodes and it works fine. I have also set up a VPN tunnel between my remote office and my Corporate office. However, the ISP in the remote office does not offer any static IP addresses. Therefore e0 is dynamically assigned.

However, in the branch office, I need to be able to access resources behind this firewall from an external location.

With my Pix at my Corporate office I do a static one-to-one translation and allow the necessary port number through an access-list and this allows me access to my  resources behind the firewall.

I guess my question is:

Is there anything I can do to access my internal resources on the firewall at my remote office or am I SOL?

Thanks,

Showstopper
0
Comment
Question by:showstopper1970
  • 5
  • 3
  • 2
10 Comments
 
LVL 2

Assisted Solution

by:parbul
parbul earned 200 total points
ID: 12254945
Hi.

You can used  port forwarding instead static nat,  port forwarding is  like static nat  but in port forwarding you only match specific port and in static nat you match all the port to one ip.

If the eth0 use a dinamic address you can put the interface word insted a ip:

static (inside, outside) tcp interface 80  internal_ip  80

In this example you  match de port 80 to a internal  ip  and you can use de interface and it is sustituded for the current ip.

Algo you need a dinamic dns  like  www.no-ip.com  and install that in a internal pc  

Greetings
0
 

Author Comment

by:showstopper1970
ID: 12259295
Ok, so for example if I wanted port 80 to be forwarded to an internal server i.e 192.168.50.2 I would add the following line?

static (inside, outside) tcp e0 80 192.168.50.2 80

Please let me know if this is the proper syntax... Thanks in advance.

Showstopper
0
 
LVL 2

Expert Comment

by:parbul
ID: 12261979
Hi..

Not,  you need put :

static (inside, outside) tcp interface 80 192.168.50.2 80

Yes, you need put the word  "interface" , the pix know what the interface is sustituded for  outside  and otside is eth0 and inside is  eth1  by default.

0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 23

Expert Comment

by:Tim Holman
ID: 12265884
..and of course the access list that allows port 80 to talk to the external address.
0
 

Author Comment

by:showstopper1970
ID: 12290746
Can you give me an example of how the access list would look like?

Would this be right?

access list inbound permit tcp any host interface eq www
0
 
LVL 2

Expert Comment

by:parbul
ID: 12292101
Yes  

access list inbound permit tcp any host interface eq www     is okay

and not forget  the access-group   to  aply a outside interface:

access-group inbound in interface outside
0
 

Author Comment

by:showstopper1970
ID: 12299190
Ok... The first command -- static (inside, outside) tcp interface 80 192.168.50.2 80  - Works

The second command -- access-list inbound permit tcp any host interface eq www --- Returns the following error: ERROR: invalid IP address interface

Any thoughts?

0
 

Author Comment

by:showstopper1970
ID: 12299425
In addition to my note above .... I put in:

access-list inbound permit tcp any host xx.xx.xx.xx eq www  (Where xx is the dynamically assigned IP address) and it works !!!

However, since this address is dynamic it will change leaving me without access to my internal network in the near future?

Can somebody suggest an alternative?
0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 300 total points
ID: 12300415
You should have a rough idea of what your ISP's DHCP range is, so just allow access for that whole network -

eg - access-list inbound permit tcp any 195.54.0.0 255.255.0.0 eq www
0
 

Author Comment

by:showstopper1970
ID: 12302303
Thanks guys.. I am going to split the points.  Your tips helped me to get this operational.

0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco vWLC DHCP issues 36 60
Use of vpn-filter value  in S2S VPN 2 49
Help with a subnetting question 7 58
Problems with replacment of Cisco 4510 2 25
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question