[c-nsp] NAT/ACL options in a PIX

John Ramz sforcejr at yahoo.com
Tue Aug 26 22:32:05 EDT 2008


--CORRECTION---

As part of my 2nd question I made a mistake on the internal host IP. This is the correction:

I need to allow P.P.P.3 to access the same internal host
(10.10.10.110). I tried to assign a different public IP
address (Q.Q.Q.11)...........


Thanks 



--- On Tue, 8/26/08, John Ramz <sforcejr at yahoo.com> wrote:

> From: John Ramz <sforcejr at yahoo.com>
> Subject: NAT/ACL options  in a PIX
> To: cisco-nsp at puck.nether.net
> Date: Tuesday, August 26, 2008, 9:21 PM
> Version 6.3.5
> PIX 515
> 
> We have been assigned 25 Public IP addresses by our ISP and
> I want to administer them in the most efficient way.
> 
> We get a lot of requests for external access to different
> hosts in our private network. For example:
> 
> Public trusted IP address requesting access: P.P.P.2
> Public IP address assigned by ISP: Q.Q.Q.10
> Internal host IP: 10.10.10.111
> port 80 or 8080 (http://10.10.10.111/site:8080)
> 
> So far every time we get a request we do this:
> 
> static (inside,outside) Q.Q.Q.10 10.10.10.111 netmask 255.255.255.255 0 0
> access-list ACL_NAME permit tcp host P.P.P.2 host Q.Q.Q.10 eq 8080
> 
> QUESTION
> 1- Is it possible to do what I believe is called PAT and
> reuse the same public IP address (Q.Q.Q.10) when I get a
> second request to access a DIFFERENT host (10.10.10.112) and
> redirect them to port 8081, for example? If possible, how?
> 
> 
> 
> Today I got a request to allow access to an internal
> host (10.10.10.110) that I have already mapped with this
> public IP: Q.Q.Q.9. The source IP address is P.P.P.3.
> These are the statements already in the PIX:
> 
> static (inside,outside) Q.Q.Q.9 10.10.10.110 netmask 255.255.255.255 0 0
> access-list ACL_NAME permit tcp host P.P.P.1 host Q.Q.Q.9 eq 8080
> 
> I need to allow P.P.P.3 to access the same internal host
> (Q.Q.Q.9). I tried to assign a different public IP
> address (Q.Q.Q.11) but I got this message:
> 
> ERROR: duplicate of existing static
> 
> QUESTION
> 2- Is there any way to allow 2 IP addresses to access the
> same host on the same port (it could be different)?
> 
> I appreciate any help since I am a beginner on this subject
> 
> 
> Thanks
> 
> John
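
Added example, not part of the original post or of any reply on the list: the two situations John describes, written out in PIX 6.3 syntax. The addresses (P.P.P.x, Q.Q.Q.x, 10.10.10.x) are the placeholders from the thread; the inside port 8080 on 10.10.10.112 and the ACL name ACL_NAME are assumptions. The security-relevant difference from the one-to-one static in the post is that a port-level static ("static ... tcp") only ever translates the listed port, so the inside host's other services are not reachable from outside even if the ACL is later loosened.

```cisco
! --- Question 1: one public address shared by several inside hosts ---
! PIX 6.x port redirection: static (inside,outside) tcp global_ip global_port
!                                  local_ip local_port netmask mask max_conns em_limit
! Only the named port of each host is translated; nothing else on the host
! is exposed, unlike the one-to-one static in the post.
! The existing one-to-one static for Q.Q.Q.10 must be removed first,
! because the PIX does not accept overlapping statics for one global address.
no static (inside,outside) Q.Q.Q.10 10.10.10.111 netmask 255.255.255.255 0 0
static (inside,outside) tcp Q.Q.Q.10 8080 10.10.10.111 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp Q.Q.Q.10 8081 10.10.10.112 8080 netmask 255.255.255.255 0 0
! Outside clients reach 10.10.10.112 as Q.Q.Q.10:8081 (assumed: the host
! listens on 8080 inside).
access-list ACL_NAME permit tcp host P.P.P.2 host Q.Q.Q.10 eq 8080
access-list ACL_NAME permit tcp host P.P.P.2 host Q.Q.Q.10 eq 8081

! --- Question 2: a second trusted source for an already-mapped host ---
! 10.10.10.110 is already translated to Q.Q.Q.9; a second static for the same
! inside host is what the PIX rejects as a duplicate. A second source only
! needs one more access-list line against the existing public address.
access-list ACL_NAME permit tcp host P.P.P.1 host Q.Q.Q.9 eq 8080
access-list ACL_NAME permit tcp host P.P.P.3 host Q.Q.Q.9 eq 8080

! The list filters nothing until it is bound to the outside interface.
access-group ACL_NAME in interface outside
```

After changing static entries, clear the translation table (clear xlate) so connections that were built under the old mapping do not keep using it, and check the result with "show static" and "show access-list ACL_NAME" before telling the requester the port is open.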
