• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 576
  • Last Modified:

Pix 501 port mapping with static entries.. need help please.

Hopefully this is an easy one.

I have a Pix 501 that I need some config help with.  I know how to do one to one port mappings using ACL's and static maps.  The problem is now I have a need to open many ports for a software app I am running and I know there has to be a better way than what I am thinking.  
Currently I have the following ACL to allow port range 1024-2048 into the network:

access-list outside_in permit tcp any interface outside range 1024 2048

Now I just need to figure out how to assign those ports to my internal server interface without creating 1000 "static (inside,outside)" entries.  I only have one public IP address available at the moment so can anyone help me with this?  

I know the command "static (inside,outside) 74.x.x.x 192.x.x.x netmask"   will assign that 74.x IP address exclusively to the internal 192.x server but then that won't work because other devices rely on the same 74.x public address for other functions.  

So.. what "static (inside,outside)"  command am I missing to allow this to happen.

  • 6
  • 3
1 Solution
access-list acl4static permit tcp any interface outside range 1024 2048
static (inside,outside) 74.x.x.x 192.x.x.x netmask access-list acl4static 0 0
bwoodenAuthor Commented:
Is that going to kill my other static entries?  

for example I have:
static (inside,outside) tcp interface smtp 192.x.x.x smtp netmask 0 0
no it won't because the range 1024 2048 doesn't contain port 25.
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

bwoodenAuthor Commented:
Sorry, let me clarify my question a little further.  I think I referenced the wrong part of my config. Your static command makes sense to me, but i am curious if it will interfere with my NAT on the firewall since it looks like a variation of "static (inside,outside) 74.x.x.x 192.x.x.x netmask"  which killed my config.  I am guessing that command killed my config because it wiped out my NAT interface and essentially the firewall had no public IP assigned to it at that point since it was exclusively assigned to the server.   Does that make sense?  Wouldn't I need a second public IP address to assign to my firewall/NAT interface at that point?
nat is used to let traffic flow from a high security level to a lower level, basically from inside to outside. The static is used to map (xlate) a specific ip/port on the inside to a public ip.
This should not kill your firewall config. The problem you had with "static (inside,outside) 74.x.x.x 192.x.x.x netmask" was that it was binding all ports of public ip to your one server, therefore braking static assignment of other ports to different servers on the inside.

In anycase can you post your configuration? At least global and nat and statics

bwoodenAuthor Commented:
Here is my working config in all its sanitized goodness:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 1GAe0QHvfKZrrGbf encrypted
passwd 1GAe0QHvfKZrrGbf encrypted
hostname <my pix>
domain-name <my domain>
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list no_nat permit ip 192.168.x.0 192.168.x.0
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq ftp
access-list outside_in permit tcp any interface outside eq smtp
access-list split permit ip
access-list vpn_acl permit ip
access-list rbs_acl permit tcp any interface outside range 1024 2048  
pager lines 24
logging on
logging timestamp
logging monitor informational
logging buffered informational
logging trap informational
logging host inside 192.168.x.21
mtu outside 1500
mtu inside 1500
ip address outside 74.x.x.x 255.x.x.x
ip address inside 192.x.x.x
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_pool 192.168.x.1-192.168.x.20
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0 0
static (inside,outside) tcp interface smtp 192.168.x.11 smtp netmask 0 0
static (inside,outside) tcp interface www 192.168.x.11 www netmask 0 0
static (inside,outside) tcp interface ftp 192.168.x.11 ftp netmask 0 0
access-group outside_in in interface outside
route outside 74.x.x.x 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server local protocol tacacs+
aaa-server local max-failed-attempts 3
aaa-server local deadtime 10
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.x.0 inside
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup irn_vpn idle-time 1800
vpngroup test_vpn address-pool vpn_pool
vpngroup test_vpn dns-server 192.168.x.11
vpngroup test_vpn wins-server 192.168.x.11
vpngroup test_vpn default-domain domain.local
vpngroup test_vpn split-tunnel split
vpngroup test_vpn idle-time 1800
vpngroup test_vpn password ********
telnet timeout 30
ssh 192.168.x.0 inside
ssh timeout 5
console timeout 0
username <sanitized> password ZHdhybRp5.I27W9v encrypted privilege 15
terminal width 80
: end
bwoodenAuthor Commented:
when I put in the following:

static (inside,outside) 74.x.x.x 192.168.x.11 netmask access-list rbs_acl 0 0

I get:

number of maximum connections should lie between 0 and 65535

bwoodenAuthor Commented:
I think once I can get my last question about Max Connections answered this will be closed.  Everything else seems to be in order.
bwoodenAuthor Commented:
Going to award points for the effort to instillmotion and open a new question detailing my current problem

Featured Post


Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 6
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now