Re: PIX Confusion [7:54875]
Here's my config:

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit tcp any host 192.168.1.2 eq ftp
access-list 101 permit tcp any host 192.168.1.2 eq www
access-list 101 permit tcp any any eq www
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 192.168.1.2 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 0 0
access-group 101 in interface outside

I can ping OK, but can't access web or ftp from outside.

"NetEng" wrote in message news:[EMAIL PROTECTED]...
> I have a PIX 501 and get a single IP from my ISP. I would like to set up an
> FTP conduit, but on port 5051. I can't find any docs on how to do this. When
> I play around with it, it states that I have to change my NAT rules too. I still
> want all inside users to access outside. Any info or links are appreciated.
>
> NetEng

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54918&t=54875
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
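Added example, not part of the thread: a small Python check over the access-list, static and access-group lines of the configuration posted above. It assumes PIX 6.x behaviour, where an access-list applied inbound on the outside interface is compared against the mapped (outside) address of a static rather than the real inside address; the function name audit and the finding labels are hypothetical.

```python
import re

# Constructed sample: the ACL, static and access-group lines of the posted config.
CONFIG = """\
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any host 192.168.1.2 eq ftp
access-list 101 permit tcp any host 192.168.1.2 eq www
access-list 101 permit tcp any any eq www
static (inside,outside) tcp interface ftp 192.168.1.2 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 0 0
access-group 101 in interface outside
"""

STATIC = re.compile(r"static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
ACL = re.compile(r"access-list (\S+) permit (tcp|udp) (?:any|host \S+) (any|host (\S+)) eq (\S+)")
GROUP = re.compile(r"access-group (\S+) in interface (\S+)")

def audit(config):
    """Return (kind, acl_line) findings for ACLs applied inbound on an interface."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # Real (inside) side of every port redirect, keyed by the mapped interface.
    redirects = {}
    for ln in lines:
        m = STATIC.match(ln)
        if m:
            _real_if, mapped_if, proto, _m_ip, _m_port, real_ip, _r_port = m.groups()
            redirects.setdefault(mapped_if, set()).add((proto, real_ip))
    # ACL id -> interface it is applied to inbound.
    bound = {m.group(1): m.group(2) for m in map(GROUP.match, lines) if m}
    findings = []
    for ln in lines:
        m = ACL.match(ln)
        if not m or m.group(1) not in bound:
            continue
        acl_id, proto, dst, dst_ip, _port = m.groups()
        if dst == "any":
            # Permits the port toward every mapped address, not one static.
            findings.append(("any-destination", ln))
        elif (proto, dst_ip) in redirects.get(bound[acl_id], set()):
            # Entry names the inside host; inbound packets carry the mapped address.
            findings.append(("real-address-destination", ln))
    return findings

if __name__ == "__main__":
    for kind, line in audit(CONFIG):
        print(f"{kind}: {line}")
```
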
Re: PIX Confusion [7:54875]
Still confused, I'm using access-lists. Here's the example from Cisco:

static (inside, outside) 175.1.1.254 192.168.1.2
access-list 101 permit tcp host any host 192.168.1.2 eq ftp
access-group 101 in interface outside

Here are my questions: I'm using DHCP for my outside address, can I still PAT the port for FTP? How do I change the above static line to use the DHCP assigned address?

NetEng

"NetEng" wrote in message news:[EMAIL PROTECTED]...
> I have a PIX 501 and get a single IP from my ISP. I would like to set up an
> FTP conduit, but on port 5051. I can't find any docs on how to do this. When
> I play around with it, it states that I have to change my NAT rules too. I still
> want all inside users to access outside. Any info or links are appreciated.
>
> NetEng

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54913&t=54875
RE: PIX Confusion [7:54875]
Try this:

static (inside,outside) tcp interface ftp 192.168.1.2 (or IP of your internal host) 5051 netmask 255.255.255.255 0 0

-----Original Message-----
From: NetEng [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 04, 2002 11:10 AM
To: [EMAIL PROTECTED]
Subject: PIX Confusion [7:54875]

I have a PIX 501 and get a single IP from my ISP. I would like to set up an FTP conduit, but on port 5051. I can't find any docs on how to do this. When I play around with it, it states that I have to change my NAT rules too. I still want all inside users to access outside. Any info or links are appreciated.

NetEng

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54894&t=54875
Re: PIX Confusion [7:54875]
From Cisco's website:

You can use the fixup command to change the default port assignments or to enable or disable application inspection for the following protocols and applications:

  a. FTP
  b. H.323
  c. HTTP
  d. ILS
  e. RSH
  f. RTSP
  g. SIP
  h. SKINNY (SCCP)
  i. SMTP
  j. SQL*Net

The basic syntax for the fixup command is as follows:

[no] fixup protocol [protocol] [port]

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/fixup.htm#xtocid2

The command would be

fixup protocol ftp 5051

And as far as changing your NAT statements, I believe as long as you use the keyword ftp in your commands, it will adjust to the port number change.

"NetEng" wrote in message news:[EMAIL PROTECTED]...
> I have a PIX 501 and get a single IP from my ISP. I would like to set up an
> FTP conduit, but on port 5051. I can't find any docs on how to do this. When
> I play around with it, it states that I have to change my NAT rules too. I still
> want all inside users to access outside. Any info or links are appreciated.
>
> NetEng

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54886&t=54875