Pix 501 port mapping with static entries.. need help please.

Posted on 2007-08-01
Last Modified: 2008-02-07
Hopefully this is an easy one.

I have a Pix 501 that I need some config help with.  I know how to do one to one port mappings using ACL's and static maps.  The problem is now I have a need to open many ports for a software app I am running and I know there has to be a better way than what I am thinking.  
Currently I have the following ACL to allow port range 1024-2048 into the network:

access-list outside_in permit tcp any interface outside range 1024 2048

Now I just need to figure out how to assign those ports to my internal server interface without creating 1000 "static (inside,outside)" entries.  I only have one public IP address available at the moment so can anyone help me with this?  

I know the command "static (inside,outside) 74.x.x.x 192.x.x.x netmask"   will assign that 74.x IP address exclusively to the internal 192.x server but then that won't work because other devices rely on the same 74.x public address for other functions.  

So.. what "static (inside,outside)"  command am I missing to allow this to happen.

Question by:bwooden
    LVL 7

    Accepted Solution

    access-list acl4static permit tcp any interface outside range 1024 2048
    static (inside,outside) 74.x.x.x 192.x.x.x netmask access-list acl4static 0 0

    Author Comment

    Is that going to kill my other static entries?  

    for example I have:
    static (inside,outside) tcp interface smtp 192.x.x.x smtp netmask 0 0
    LVL 7

    Expert Comment

    no it won't because the range 1024 2048 doesn't contain port 25.

    Author Comment

    Sorry, let me clarify my question a little further.  I think I referenced the wrong part of my config. Your static command makes sense to me, but i am curious if it will interfere with my NAT on the firewall since it looks like a variation of "static (inside,outside) 74.x.x.x 192.x.x.x netmask"  which killed my config.  I am guessing that command killed my config because it wiped out my NAT interface and essentially the firewall had no public IP assigned to it at that point since it was exclusively assigned to the server.   Does that make sense?  Wouldn't I need a second public IP address to assign to my firewall/NAT interface at that point?
    LVL 7

    Expert Comment

    nat is used to let traffic flow from a high security level to a lower level, basically from inside to outside. The static is used to map (xlate) a specific ip/port on the inside to a public ip.
    This should not kill your firewall config. The problem you had with "static (inside,outside) 74.x.x.x 192.x.x.x netmask" was that it was binding all ports of public ip to your one server, therefore braking static assignment of other ports to different servers on the inside.

    In anycase can you post your configuration? At least global and nat and statics


    Author Comment

    Here is my working config in all its sanitized goodness:

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 1GAe0QHvfKZrrGbf encrypted
    passwd 1GAe0QHvfKZrrGbf encrypted
    hostname <my pix>
    domain-name <my domain>
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    access-list no_nat permit ip 192.168.x.0 192.168.x.0
    access-list outside_in permit tcp any interface outside eq www
    access-list outside_in permit tcp any interface outside eq ftp
    access-list outside_in permit tcp any interface outside eq smtp
    access-list split permit ip
    access-list vpn_acl permit ip
    access-list rbs_acl permit tcp any interface outside range 1024 2048  
    pager lines 24
    logging on
    logging timestamp
    logging monitor informational
    logging buffered informational
    logging trap informational
    logging host inside 192.168.x.21
    mtu outside 1500
    mtu inside 1500
    ip address outside 74.x.x.x 255.x.x.x
    ip address inside 192.x.x.x
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpn_pool 192.168.x.1-192.168.x.20
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list no_nat
    nat (inside) 1 0 0
    static (inside,outside) tcp interface smtp 192.168.x.11 smtp netmask 0 0
    static (inside,outside) tcp interface www 192.168.x.11 www netmask 0 0
    static (inside,outside) tcp interface ftp 192.168.x.11 ftp netmask 0 0
    access-group outside_in in interface outside
    route outside 74.x.x.x 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa-server local protocol tacacs+
    aaa-server local max-failed-attempts 3
    aaa-server local deadtime 10
    aaa authentication enable console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.x.0 inside
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap client authentication LOCAL
    crypto map mymap interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 10
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup irn_vpn idle-time 1800
    vpngroup test_vpn address-pool vpn_pool
    vpngroup test_vpn dns-server 192.168.x.11
    vpngroup test_vpn wins-server 192.168.x.11
    vpngroup test_vpn default-domain domain.local
    vpngroup test_vpn split-tunnel split
    vpngroup test_vpn idle-time 1800
    vpngroup test_vpn password ********
    telnet timeout 30
    ssh 192.168.x.0 inside
    ssh timeout 5
    console timeout 0
    username <sanitized> password ZHdhybRp5.I27W9v encrypted privilege 15
    terminal width 80
    : end

    Author Comment

    when I put in the following:

    static (inside,outside) 74.x.x.x 192.168.x.11 netmask access-list rbs_acl 0 0

    I get:

    number of maximum connections should lie between 0 and 65535


    Author Comment

    I think once I can get my last question about Max Connections answered this will be closed.  Everything else seems to be in order.

    Author Comment

    Going to award points for the effort to instillmotion and open a new question detailing my current problem

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    How your wiki can always stay up-to-date

    Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
    - Increase transparency
    - Onboard new hires faster
    - Access from mobile/offline

    I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
    This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
    Need more eyes on your posted question? Go ahead and follow the quick steps in this video to learn how to Request Attention to your question. *Log into your Experts Exchange account *Find the question you want to Request Attention for *Go to the e…
    Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

    759 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    10 Experts available now in Live!

    Get 1:1 Help Now