Pix port 're-mapping' assistance

Posted on 2007-07-31
Medium Priority
Last Modified: 2010-04-09

We have a client who runs an application that comes through the firewall (Cisco Pix 506e) on port 4444. It has been working for years with no issues until two of the local service providers blocked that port because of a blaster worm, and now anyone on those two carriers cannot access the system. This is a medical client who provides imaging to remote offices.

We already tried to get the software vendor to change their listening port but that cannot happen. We will need to make the Pix "re-map" so when you hit the outside IP address (statically mapped) on port 2222 it will "re-map" the incoming packets to port 4444, hit the server, and when the server sends the response back out to the internet it "re-maps" it back to port 2222 when it is delivered to the client.

I'm pretty good with the basics on the Pix and cannot seem to get the commands correct on my test Pix box...

Question by:Sean_E_Smith
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 19605076
Hi Sean_E_Smith
static (inside,outside) tcp outsidenatip 4444 insidenatip 2222 netmask 0 0
access-list outside_access_in permit tcp any host outsidenatip eq 4444

LVL 79

Expert Comment

ID: 19607514
You have the static backwards, MrHusy...
static (inside,outside) tcp outsideip 2222 insideip 4444 netmask 0 0
access-list outside_access_in permit tcp any host outsideip eq 2222

LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 19610921
You are right Les. Thanks for the correction.

Author Comment

ID: 19613150
Question here.

I already have a static IP NAT mapping for the server since it does other things than just give out the images. I could not put the commands in above because it already has that static mapping. Here is what I have in my test pix right now (trying to get this working in the office before putting it into production).

static (inside,outside) ICSDC1 netmask 0 0

Hopefully this is just me being slow here....

LVL 79

Accepted Solution

lrmoore earned 1000 total points
ID: 19614501
You have one option - and it's probably not what you want to hear.
You need to map each and every port that you are using individually.
no static (inside,outside) ICSDC1 netmask 0 0
clear xlate
static (inside,outside) tcp www ICSDC1 www netmask 0 0
static (inside,outside) tcp ftp ICSDC1 ftp netmask 0 0
static (inside,outside) tcp smtp ICSDC1 smtp netmask 0 0
static (inside,outside) tcp 2222 ICSDC1 4444 netmask 0 0

That is the ONLY way to remap an incoming tcp port to a different inside port.
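An added configuration fragment, not posted by anyone in this thread, that carries the accepted solution through to a complete working set: per-port statics with the outside address spelled out, plus the matching access-list and access-group that the thread only partly shows. It assumes PIX 6.x syntax, that ICSDC1 is an existing `name` entry for the server's inside address, and uses 203.0.113.10 as a placeholder outside address.

```cisco
! Added example (PIX 6.x). Assumes "name <inside-ip> ICSDC1" already exists;
! 203.0.113.10 is a placeholder for the real outside (static) address.
! 1. Remove the full 1:1 static so it cannot shadow the per-port entries, then
!    drop existing translations so the new statics take effect.
no static (inside,outside) 203.0.113.10 ICSDC1 netmask 255.255.255.255
clear xlate
! 2. One static per published service. Only the imaging service is translated:
!    outside 2222 -> inside 4444. Ports not listed here are no longer reachable
!    from outside, which is a smaller exposure than the old 1:1 mapping.
static (inside,outside) tcp 203.0.113.10 www ICSDC1 www netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 ftp ICSDC1 ftp netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 smtp ICSDC1 smtp netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 2222 ICSDC1 4444 netmask 255.255.255.255
! 3. The inbound access-list matches the OUTSIDE address and OUTSIDE port
!    (2222), never the inside port 4444; this was the mix-up earlier in the thread.
access-list outside_access_in permit tcp any host 203.0.113.10 eq www
access-list outside_access_in permit tcp any host 203.0.113.10 eq ftp
access-list outside_access_in permit tcp any host 203.0.113.10 eq smtp
access-list outside_access_in permit tcp any host 203.0.113.10 eq 2222
access-group outside_access_in in interface outside
! 4. Verify: "show static" lists the four port translations and "show xlate"
!    shows 2222 <-> 4444 entries once a remote client connects.
```

The inside port 4444 appears only in the static line; if the access-list is written against 4444 instead of 2222, the translation exists but the ACL never matches and connections are dropped.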
