Comments on: Port redirect to inside host on a Cisco PIX firewall http://www.tech-recipes.com/rx/711/port-redirect-to-inside-host-on-a-cisco-pix-firewall/ Computer and technology tutorials and guides Sat, 21 Nov 2009 16:14:40 -0800 http://wordpress.org/?v=2.8.6 hourly 1 By: Marcus http://www.tech-recipes.com/rx/711/port-redirect-to-inside-host-on-a-cisco-pix-firewall/comment-page-1/#comment-13031 Marcus Tue, 30 Jun 2009 17:29:53 +0000 guid-fix-me!#comment-13031 But before you give up if the ip phones talk directly, check whether they are working ... Then you can sign up for a free Dynamic-DNS service as told in the comments then follow the instructions..<br><a href="http://www.maytech.net/ftp_intro.php" rel="follow" rel="nofollow">FTP service</a> But before you give up if the ip phones talk directly, check whether they are working … Then you can sign up for a free Dynamic-DNS service as told in the comments then follow the instructions..
FTP service

]]> By: http://www.tech-recipes.com/rx/711/port-redirect-to-inside-host-on-a-cisco-pix-firewall/comment-page-1/#comment-3060 Wed, 20 Sep 2006 13:16:03 +0000 guid-fix-me!#comment-3060 I've implemented the multiple statics and port forwarding using one public IP as you've said but for some reason the machines cannot go out to the Internet. There are access lists allowing this but still no luck. See the below and tell me what you think. Static (dmz1,outside) tcp 200.100.100.76 80 192.168.250.50 80 netmask 255.255.255.255 0 0 Static (dmz1,outside) tcp 200.100.100.76 21 192.168.250.51 21 netmask 255.255.255.255 0 0 Access-list dmz1 permit tcp host 192.168.250.50 any Access-list dmz1 permit udp host 192.168.250.50 any Access-list dmz1 permit tcp host 192.168.250.51 any Access-list dmz1 permit udp host 192.168.250.51 any Access-list acl-out permit tcp any host 204.100.100.76 eq 80 Access-list acl-out permit tcp any host 204.100.100.76 eq 21 I’ve implemented the multiple statics and port forwarding using one public IP as you’ve said but for some reason the machines cannot go out to the Internet. There are access lists allowing this but still no luck. See the below and tell me what you think.

Static (dmz1,outside) tcp 200.100.100.76 80 192.168.250.50 80 netmask 255.255.255.255 0 0
Static (dmz1,outside) tcp 200.100.100.76 21 192.168.250.51 21 netmask 255.255.255.255 0 0

Access-list dmz1 permit tcp host 192.168.250.50 any
Access-list dmz1 permit udp host 192.168.250.50 any

Access-list dmz1 permit tcp host 192.168.250.51 any
Access-list dmz1 permit udp host 192.168.250.51 any

Access-list acl-out permit tcp any host 204.100.100.76 eq 80
Access-list acl-out permit tcp any host 204.100.100.76 eq 21

]]> By: http://www.tech-recipes.com/rx/711/port-redirect-to-inside-host-on-a-cisco-pix-firewall/comment-page-1/#comment-759 Wed, 29 Sep 2004 13:41:39 +0000 guid-fix-me!#comment-759 The extra $30.00 a month I would have to pay my ISP so I can have static IP's gets applied to shoes or clothes or something else for my kids! But yes, you are right, if you have the money and you're running a high-traffic FTP or web site then static IP's are definitely the way to go. The extra $30.00 a month I would have to pay my ISP so I can have static IP’s gets applied to shoes or clothes or something else for my kids!

But yes, you are right, if you have the money and you’re running a high-traffic FTP or web site then static IP’s are definitely the way to go.

]]> By: Headhunter http://www.tech-recipes.com/rx/711/port-redirect-to-inside-host-on-a-cisco-pix-firewall/comment-page-1/#comment-758 Headhunter Wed, 29 Sep 2004 13:20:20 +0000 guid-fix-me!#comment-758 If you are running a FTP/Web/Email server behind it why not just get a static IP address from the ISP and then the PIX configuration will work everytime after an unplanned/planned outage. If you are running a FTP/Web/Email server behind it why not just get a static IP address from the ISP and then the PIX configuration will work everytime after an unplanned/planned outage.

]]> By: http://www.tech-recipes.com/rx/711/port-redirect-to-inside-host-on-a-cisco-pix-firewall/comment-page-1/#comment-755 Wed, 29 Sep 2004 07:48:38 +0000 guid-fix-me!#comment-755 If you're being assigned an IP via DHCP by your ISP, it is likely to change if for some reason you ever have to power your PIX down (as I had to do several times this summer due to violent thunder storms). So wouldn't you be better off setting up your NAT using "PORT" instead of the DHCP address? Then you can sign up for a free Dynamic-DNS service (www.no-ip.com for example) which will automatically track your IP changes, and then you can ftp or vnc in by a name you create. Also, be sure to use strong passwords, or even better, 2-factor authentication or certificates, if you're going to open up access to common ports on your firewall. Just my 2-cents-worth. Thanks. If you’re being assigned an IP via DHCP by your ISP, it is likely to change if for some reason you ever have to power your PIX down (as I had to do several times this summer due to violent thunder storms).

So wouldn’t you be better off setting up your NAT using “PORT” instead of the DHCP address? Then you can sign up for a free Dynamic-DNS service (www.no-ip.com for example) which will automatically track your IP changes, and then you can ftp or vnc in by a name you create.

Also, be sure to use strong passwords, or even better, 2-factor authentication or certificates, if you’re going to open up access to common ports on your firewall.

Just my 2-cents-worth.

Thanks.

]]>