Static/ACL with a dynamic outside interface IP addr on Pix 501e

Got a PIX 501e for a small office running on 6.7. It uses DHCP to get its outside address. I use the "static" command (and an ACL) to allow inbound traffic. However, I have only been able to identify the outside interface via its IP address. I haven't figured out a way to use "interface outside" within static or ACL. So when the outside address loses its lease and gets a new IP address, my static command fails. Any way to do static and ACLs with a changing outside IP address?
Darkstriker69 commented:
Are you using the keyword interface for your static IP address?
For example, if you had a web server on your local network at 192.168.1.11 ...

static (inside,outside) tcp interface www 192.168.1.11 www netmask 255.255.255.255
access-list OUTSIDE_IN permit tcp any host 192.168.1.11 eq www

Also, you can check out dynamic DNS so people can connect to your server based on a DNS name instead of your changing IP address.

Hope this helps,
Darkstriker69

umbasa (Author) commented:
THANKS! This was my error:
rtr(config)# static (inside,outside) tcp interface outside www 10.98.18.55 www netmask 255.255.255.255 5 5
invalid global port outside
Usage:  [no] static [(real_ifc, mapped_ifc)]
                {<mapped_ip>|interface}
                {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
                [dns] [norandomseq] [<max_conns> [<emb_lim>]]
        [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
                {<mapped_ip>|interface} <mapped_port>
                {<real_ip> <real_port> [netmask <mask>]} |
                {access-list <acl_name>}
                [dns] [norandomseq] [<max_conns> [<emb_lim>]]
rtr(config)#

umbasa (Author) commented:
YOU WERE INCORRECT ON ACL, IT'S REALLY S/B -

access-list OUTSIDE_IN permit tcp any interface outside eq www

No one outside will send a packet to an internal private IP when the outside interface itself is DHCP'd.


Darkstriker69 commented:
Yes, that would work quite a bit better than my ACL, wouldn't it?

Glad it is sorted out for you.
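The two mistakes resolved in this thread can be checked mechanically. The following lint is an added example, not code from any poster in the thread: the `lint` function name, the sample config, the `ip address outside dhcp setroute` and `access-group` lines, and the documentation address 203.0.113.10 are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample config (PIX 6.x style) reproducing the thread's mistakes.
SAMPLE_CONFIG = """\
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
static (inside,outside) tcp 203.0.113.10 www 192.168.1.11 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.12 smtp netmask 255.255.255.255
access-list OUTSIDE_IN permit tcp any host 192.168.1.11 eq www
access-list OUTSIDE_IN permit tcp any interface outside eq smtp
access-group OUTSIDE_IN in interface outside
"""

DHCP_RE = re.compile(r"^ip address (\w+) dhcp")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")
STATIC_RE = re.compile(r"^static \(\w+,(\w+)\) (?:tcp|udp) (\S+) \S+ ")
ACL_RE = re.compile(r"^access-list (\S+) permit (?:tcp|udp) any host (\S+)")

def is_private(addr):
    """True for an RFC 1918-style literal; names and bad input count as False."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False

def lint(config):
    """Return (line_number, message) findings; blank lines are not counted."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # Interfaces whose address comes from DHCP and can therefore change.
    dhcp_ifcs = {m.group(1) for l in lines if (m := DHCP_RE.match(l))}
    # ACLs applied inbound on one of those interfaces.
    acls = {m.group(1) for l in lines
            if (m := GROUP_RE.match(l)) and m.group(2) in dhcp_ifcs}
    findings = []
    for n, line in enumerate(lines, 1):
        m = STATIC_RE.match(line)
        if m and m.group(1) in dhcp_ifcs and m.group(2) != "interface":
            findings.append((n, "static pins a literal mapped IP; use 'interface'"))
        m = ACL_RE.match(line)
        if m and m.group(1) in acls and is_private(m.group(2)):
            findings.append((n, "inbound ACL names the private real IP; "
                                "match 'interface <name>' instead"))
    return findings

if __name__ == "__main__":
    for n, msg in lint(SAMPLE_CONFIG):
        print(f"line {n}: {msg}")
```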