Port redirect to inside host on a Cisco PIX firewall

Contributed by lvance, September 23, 2004
Tagged: Cisco firewall

How to configure a PIX to redirect inbound traffic to an inside host via port redirection. An example would be a PIX that gets its outside address via DHCP, behind which you want to reach an FTP server on the inside network and perhaps a second host over VNC, all through that one public address.


First, add a static entry for each host and port you want redirected, like this:
static (inside,outside) tcp 68.206.140.100 ftp 192.168.1.100 ftp netmask 255.255.255.255
static (inside,outside) tcp 68.206.140.100 5900 192.168.1.110 5900 netmask 255.255.255.255

Note: 68.206.140.100 is the address DHCP assigned to your outside interface. Because a DHCP lease can change, these statics stop working after a renewal that hands out a new address; PIX 6.2 and later accept the keyword interface in place of the global address in both static and access-list so the configuration follows whatever address the interface currently holds.

Then build an access list that permits the inbound connections (here FTP from anywhere, VNC only from a single trusted host) and apply it to the outside interface:

access-list outside-inbound permit tcp any host 68.206.140.100 eq ftp
access-list outside-inbound permit tcp host 65.205.64.60 host 68.206.140.100 eq 5900

Bind the list to the outside interface with an access-group command; without that binding the list is never evaluated and nothing reaches the redirect. Once it is applied, anyone on the Internet can FTP to the outside address of the PIX and be redirected to the inside FTP server at 192.168.1.100.

A client at 65.205.64.60, the only source the second entry permits, can likewise VNC to the outside interface and be redirected to 192.168.1.110. Leave the VNC entry narrowed to known management addresses rather than any; VNC is a remote-control port and should not be reachable from the whole Internet.

This is very helpful at times on smaller PIXes on broadband connections.
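As an added check (example code written for this page, not part of the original recipe or of any Cisco tooling), the Python script below parses the three command forms used here (static, access-list with a host or interface destination and an eq port, access-group) and reports the mistakes that make a redirect silently fail: a static with no matching access-list entry, an access-list that is never applied with access-group, an ACL destination that matches no static, and a remote-administration port such as VNC left open to any source. The configurations embedded in it are constructed samples: the recipe as written above, a corrected version that binds the list and uses the interface keyword, and the configuration posted in the comments below. It handles only this subset of the PIX grammar, not the full syntax.

```python
"""Sanity-check PIX 6.x port-redirect configs (added example for this page).
Parses only static, access-list (host/interface destination, eq port) and access-group."""
import re

PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80,
              "http": 80, "https": 443}
# Remote-administration ports that should never be permitted from "any".
ADMIN_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc"}

STATIC_RE = re.compile(
    r"^static\s*\(\s*(?P<inside>[\w-]+)\s*,\s*(?P<outside>[\w-]+)\s*\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<gip>\S+)\s+(?P<gport>\S+)\s+(?P<lip>\S+)\s+(?P<lport>\S+)", re.I)
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+(?P<proto>tcp|udp)\s+(?P<src>.+?)\s+"
    r"(?:host\s+(?P<dst>\S+)|interface\s+(?P<dstif>\S+))\s+eq\s+(?P<port>\S+)", re.I)
GROUP_RE = re.compile(r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<iface>\S+)", re.I)


def port_num(tok):
    """Accept PIX port keywords (ftp, www, ...) or numeric ports."""
    return PORT_NAMES.get(tok.lower()) or int(tok)


def parse(config):
    statics, acls, groups = [], {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append(dict(outside=m["outside"].lower(), proto=m["proto"].lower(),
                                gip=m["gip"].lower(), gport=port_num(m["gport"]),
                                lip=m["lip"], lport=port_num(m["lport"])))
        elif m := ACL_RE.match(line):
            # "interface outside" as destination is stored as dst="interface" so it pairs
            # with a static that uses the interface keyword as its global address.
            acls.setdefault(m["name"], []).append(dict(
                proto=m["proto"].lower(), src=m["src"].lower(),
                dst="interface" if m["dstif"] else m["dst"],
                dstif=(m["dstif"] or "").lower(), port=port_num(m["port"])))
        elif m := GROUP_RE.match(line):
            groups[m["name"]] = m["iface"].lower()
    return statics, acls, groups


def audit(config):
    """Return a list of findings; an empty list means every redirect is reachable."""
    statics, acls, groups = parse(config)
    findings, matched = [], set()
    for s in statics:
        target = f"{s['proto']}/{s['gport']} on {s['gip']}"
        hits = [(name, i, e) for name, entries in acls.items() for i, e in enumerate(entries)
                if e["proto"] == s["proto"] and e["port"] == s["gport"]
                and (e["dstif"] == s["outside"] if s["gip"] == "interface" else e["dst"] == s["gip"])]
        if not hits:
            findings.append(f"{target}: no access-list entry permits it; the redirect to "
                            f"{s['lip']}:{s['lport']} is unreachable")
            continue
        for name, i, e in hits:
            matched.add((name, i))
            if name not in groups:  # the omission in the recipe above and in the comment thread
                findings.append(f"{target}: access-list {name} permits it but is never applied "
                                f"(missing: access-group {name} in interface {s['outside']})")
            elif groups[name] != s["outside"]:
                findings.append(f"{target}: access-list {name} is applied to {groups[name]}, "
                                f"not {s['outside']}")
            if e["src"] == "any" and s["gport"] in ADMIN_PORTS:
                findings.append(f"{target}: {ADMIN_PORTS[s['gport']]} is open to any source; "
                                "restrict it to known management addresses")
    for name, entries in acls.items():
        for i, e in enumerate(entries):
            if (name, i) not in matched:
                findings.append(f"access-list {name} permits {e['proto']}/{e['port']} to {e['dst']} "
                                "but no static redirects that address and port (typo?)")
    return list(dict.fromkeys(findings))  # drop duplicates, keep order


# Constructed samples: the recipe as written (no access-group), a fixed version that binds the
# list and uses the interface keyword, and the config from the comments (200.x vs 204.x).
PAGE_CONFIG = """
static (inside,outside) tcp 68.206.140.100 ftp 192.168.1.100 ftp netmask 255.255.255.255
static (inside,outside) tcp 68.206.140.100 5900 192.168.1.110 5900 netmask 255.255.255.255
access-list outside-inbound permit tcp any host 68.206.140.100 eq ftp
access-list outside-inbound permit tcp host 65.205.64.60 host 68.206.140.100 eq 5900
"""
FIXED_CONFIG = """
static (inside,outside) tcp interface ftp 192.168.1.100 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 5900 192.168.1.110 5900 netmask 255.255.255.255
access-list outside-inbound permit tcp any interface outside eq ftp
access-list outside-inbound permit tcp host 65.205.64.60 interface outside eq 5900
access-group outside-inbound in interface outside
"""
THREAD_CONFIG = """
Static (dmz1,outside) tcp 200.100.100.76 80 192.168.250.50 80 netmask 255.255.255.255 0 0
Static (dmz1,outside) tcp 200.100.100.76 21 192.168.250.51 21 netmask 255.255.255.255 0 0
Access-list acl-out permit tcp any host 204.100.100.76 eq 80
Access-list acl-out permit tcp any host 204.100.100.76 eq 21
"""

if __name__ == "__main__":
    for label, cfg in [("recipe", PAGE_CONFIG), ("fixed", FIXED_CONFIG), ("comment", THREAD_CONFIG)]:
        print(f"[{label}]", *(audit(cfg) or ["ok"]), sep="\n  ")
```

Run it against a pasted `show run` excerpt and treat any non-empty result as something to fix before assuming the firewall, rather than the ISP or the inside server, is the problem. The interface-keyword form in FIXED_CONFIG is the one to use behind DHCP, since it needs no edit when the lease changes.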

  • Anonymous
    If you're being assigned an IP via DHCP by your ISP, it is likely to change if for some reason you ever have to power your PIX down (as I had to do several times this summer due to violent thunder storms).

    So wouldn't you be better off setting up your NAT using "PORT" instead of the DHCP address? Then you can sign up for a free Dynamic-DNS service (www.no-ip.com for example) which will automatically track your IP changes, and then you can ftp or vnc in by a name you create.

    Also, be sure to use strong passwords, or even better, 2-factor authentication or certificates, if you're going to open up access to common ports on your firewall.

    Just my 2-cents-worth.

    Thanks.
  • Headhunter
    If you are running an FTP/Web/Email server behind it, why not just get a static IP address from the ISP? Then the PIX configuration will work every time after an unplanned/planned outage.
  • Anonymous
    The extra $30.00 a month I would have to pay my ISP so I can have static IP's gets applied to shoes or clothes or something else for my kids!

    But yes, you are right, if you have the money and you're running a high-traffic FTP or web site then static IP's are definitely the way to go.
  • Anonymous
    I've implemented the multiple statics and port forwarding using one public IP as you've said, but for some reason the machines cannot go out to the Internet. There are access lists allowing this but still no luck. See below and tell me what you think.

    Static (dmz1,outside) tcp 200.100.100.76 80 192.168.250.50 80 netmask 255.255.255.255 0 0
    Static (dmz1,outside) tcp 200.100.100.76 21 192.168.250.51 21 netmask 255.255.255.255 0 0

    Access-list dmz1 permit tcp host 192.168.250.50 any
    Access-list dmz1 permit udp host 192.168.250.50 any

    Access-list dmz1 permit tcp host 192.168.250.51 any
    Access-list dmz1 permit udp host 192.168.250.51 any

    Access-list acl-out permit tcp any host 204.100.100.76 eq 80
    Access-list acl-out permit tcp any host 204.100.100.76 eq 21
  • groucho
    you need an "access-group" command in there.
    From the pix 6.3 admin guide:
    The following example illustrates the three commands required to enable access to a web server with the external IP address 209.165.201.12:
    static (inside, outside) 209.165.201.12 10.1.1.3 netmask 255.255.255.255 0 0
    access-list acl_out permit tcp any host 209.165.201.12 eq www
    access-group acl_out in interface outside
  • omar422
    What port do you use to access a Windows VPN server on the inside of the firewall?