Hi I got it working from an email this guy sent to me:

This maps an inside server (172.16.1.10) to an outside address
(64.1.109.5).

access-list 100 permit tcp any host 64.1.109.5 eq ftp
static (inside,outside) 64.1.109.5 172.16.1.10 netmask 255.255.255.255 0 0
access-group 100 in interface outside

Try it, it's pretty cool. Unfortunately I can't ftp from an inside PC outside
and back in again for testing purposes.
Also I can't ping the outside interface from internal.
Lastly, when I set up an access-list for telnet outside in inside this can't
be allowed as the pix says it overlaps with the static I created above for
the ftp.

What do you think?

"Lidiya White" wrote in message news:[EMAIL PROTECTED]...
> >>> Having read the section in the book a
> >>> pix by default should allow internal users to ping out but not the other
> >>> way around, is there a fix for this also?
>
> That is not true.
>
> Handling ICMP Pings with the PIX Firewall
> http://www.cisco.com/warp/public/110/31.html
>
> Use "conduit permit icmp any any echo-reply".
>
> Before you try to FTP, try to telnet on port 21. What is the default
> gateway of the FTP server? Enable "logging buffer info" and check "sh
> log" for the build or teardown messages for the FTP server's ip
> address.
>
> -- Lidiya White
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Parmjit
> Sent: Thursday, June 06, 2002 12:34 PM
> To: [EMAIL PROTECTED]
> Subject: Re: PIX 506 port translation with DHCP [7:45945]
>
> hi,
> Thanks I tried "static (inside,outside) tcp interface ftp armada ftp netmask
> 255.255.255.255 10 0" where armada is the name of the internal ftp server, I
> also used a conduit permit ip any any and I still can't ftp to it.
> I should also mention there is another problem unless I use a conduit permit
> icmp any any I cannot ping out, if I prefix this with a "no" so I can't
> ping, people on the net can still ping my pix, there is nothing in the
> config in the way of access lists etc. Having read the section in the book a
> pix by default should allow internal users to ping out but not the other way
> around, is there a fix for this also?
>
> thanks
>
> "brian charles" wrote in message news:[EMAIL PROTECTED]...
> > If you have version 6.0 or greater you can do port redirection with the
> > static command. Create an acl to allow the traffic
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/s.htm#xtocid20
> >
> > static
> > Maps a local IP address to a global IP address (NAT) and supports TCP and
> > UDP port redirection (static PAT). (Configuration mode.)
> >
> > [no] static [(internal_if_name, external_if_name)] {tcp | udp} {global_ip |
> > interface} global_port local_ip local_port [netmask mask] [max_conns
> > [em_limit]] [norandomseq]
> >
> > show static




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46029&t=45945
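
The top post pairs a one-to-one static with an access-list that names a single port, while an earlier message in the thread used "conduit permit ip any any". The Python sketch below is an added example, not part of the original thread or any Cisco tooling: it lists which static mappings an applied access-list permits inbound and flags unrestricted conduits for review. The regexes are assumptions that cover only the simplified command forms quoted in this thread, and the sample config is constructed from those commands.

```python
import re

# Constructed sample: commands quoted in the thread, combined into one config.
SAMPLE_CONFIG = """\
access-list 100 permit tcp any host 64.1.109.5 eq ftp
static (inside,outside) 64.1.109.5 172.16.1.10 netmask 255.255.255.255 0 0
access-group 100 in interface outside
conduit permit ip any any
conduit permit icmp any any echo-reply
"""

# Assumption: only these simplified command forms are recognised.
IP = r"(\d+\.\d+\.\d+\.\d+)"
STATIC_RE = re.compile(rf"^static \(\w+,\w+\) {IP} {IP} netmask \S+")
ACL_RE = re.compile(rf"^access-list (\S+) permit (\w+) any host {IP}(?: eq (\S+))?")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")
CONDUIT_RE = re.compile(r"^conduit permit (\w+) any any(?: (\S+))?$")


def audit(config):
    """Return (exposed, findings) for a PIX-style config given as text."""
    statics, acls, bound, findings = {}, [], {}, []
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            statics[m.group(1)] = m.group(2)        # global IP -> inside IP
        elif m := ACL_RE.match(line):
            acls.append(m.groups())                 # (acl, proto, dst, port)
        elif m := GROUP_RE.match(line):
            bound[m.group(1)] = m.group(2)          # acl -> interface
        elif (m := CONDUIT_RE.match(line)) and m.group(2) is None:
            findings.append(f"conduit permits all {m.group(1)} from any to any")
    exposed = []
    for acl, proto, dst, port in acls:
        if acl not in bound:
            findings.append(f"access-list {acl} is not applied to an interface")
        elif dst not in statics:
            findings.append(f"access-list {acl} permits {dst} but no static maps it")
        else:
            exposed.append((dst, statics[dst], proto, port or "any"))
    for glob in statics.keys() - {e[0] for e in exposed}:
        findings.append(f"static for {glob} has no access-list entry permitting it")
    return exposed, findings


if __name__ == "__main__":
    exposed, findings = audit(SAMPLE_CONFIG)
    for glob, local, proto, port in exposed:
        print(f"{glob} -> {local}: {proto}/{port} permitted inbound")
    for finding in findings:
        print("review:", finding)
```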