Static/ACL with a dynamic outside interface IP addr on Pix 501e

Posted on 2007-09-28
Last Modified: 2008-01-09
Got a PIX 501e for a small office running on 6.7. It uses DHCP to get its outside address. I use the "static" command (and an ACL) to allow inbound traffic. However, I have only been able to identify the outside interface via its IP address. I haven't figured out a way to use "interface outside" within static or acl. So when the outside address loses its lease and gets a new IP addr, my static command fails. Any way to do static and ACLs with a changing outside IP address??
Question by:umbasa
    LVL 5

    Accepted Solution

    Are you using the keyword interface for your static IP address?
     For example, if you had a web server on your local network at ...

    static (inside,outside) tcp interface www www netmask
    access-list OUTSIDE_IN permit tcp any host eq www

    Also, you can check out dynamic DNS so people can connect to your server based on a DNS name instead of your changing IP address.

    Hope this helps,

    Author Comment

    THANKS! This was my error:
    rtr(config)# static (inside,outside) tcp interface outside www www netmask 5 5
    invalid global port outside
    Usage:  [no] static [(real_ifc, mapped_ifc)]
                    {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
                    [dns] [norandomseq] [<max_conns> [<emb_lim>]]
            [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
                    {<mapped_ip>|interface} <mapped_port>
                    {<real_ip> <real_port> [netmask <mask>]} |
                    {access-list <acl_name>}
                    [dns] [norandomseq] [<max_conns> [<emb_lim>]]

    Author Comment


    access-list OUTSIDE_IN permit tcp any interface outside eq www

    No one outside will send a packet to an internal private IP when the outside interface itself is DHCP'd.

    LVL 5

    Expert Comment

    Yes, that would work quite a bit better than my ACL, wouldn't it?

    Glad it is sorted out for you.
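
A config check for the failure mode in this thread, added here as an example and not posted by anyone in the thread: it flags port-redirect `static` lines and inbound ACL entries that pin a literal IP on an interface addressed by DHCP, which is what breaks when the lease changes. The sample config, its addresses and the function names are constructed assumptions, and only simple ACE forms (`any`, `host IP`, `IP MASK`, `interface NAME`) are parsed.

```python
import re

# Constructed sample config; addresses are documentation/private ranges, not from the thread.
SAMPLE_CONFIG = """\
ip address outside dhcp setroute
access-list OUTSIDE_IN permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE_IN permit tcp any interface outside eq 443
static (inside,outside) tcp 203.0.113.10 www 192.168.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 443 192.168.1.10 443 netmask 255.255.255.255 0 0
access-group OUTSIDE_IN in interface outside
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
PORT_OPS = {"eq": 2, "lt": 2, "gt": 2, "neq": 2, "range": 3}  # tokens each operator consumes

def ace_destination(tokens):
    """Skip an ACE's source address (and optional source port); return the remainder."""
    # Source is 'any' (1 token) or 'host IP' / 'IP MASK' / 'interface NAME' (2 tokens).
    tokens = tokens[1:] if tokens[0] == "any" else tokens[2:]
    if tokens and tokens[0] in PORT_OPS:
        tokens = tokens[PORT_OPS[tokens[0]]:]
    return tokens

def stale_on_renew(config):
    """Return (line_no, line) for rules pinned to a literal IP on a DHCP-addressed interface."""
    lines = [l.split() for l in config.splitlines()]
    dhcp_ifs = {t[2] for t in lines
                if t[:2] == ["ip", "address"] and len(t) > 3 and t[3] == "dhcp"}
    # ACLs bound to a DHCP interface: access-group NAME in interface IFC
    acls = {t[1] for t in lines
            if t[:1] == ["access-group"] and len(t) == 5 and t[4] in dhcp_ifs}
    findings = []
    for no, t in enumerate(lines, 1):
        if t[:1] == ["static"] and len(t) > 3 and t[2] in ("tcp", "udp"):
            mapped_ifc = t[1].strip("()").partition(",")[2]
            if mapped_ifc in dhcp_ifs and IPV4.match(t[3]):  # literal IP, not 'interface'
                findings.append((no, " ".join(t)))
        elif (t[:1] == ["access-list"] and len(t) > 5
              and t[1] in acls and t[2] in ("permit", "deny")):
            dst = ace_destination(t[4:])
            if len(dst) > 1 and dst[0] == "host" and IPV4.match(dst[1]):
                findings.append((no, " ".join(t)))
    return findings

if __name__ == "__main__":
    for no, line in stale_on_renew(SAMPLE_CONFIG):
        print(f"line {no}: breaks on DHCP renew: {line}")
```
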
