[c-nsp] NAT/ACL options in a PIX

Jules Rogers jules.rogers at gmail.com
Tue Aug 26 23:23:26 EDT 2008


Here's an example of port redirection that I know works with PIX OS 7.0(4).
I've never tried it with 6.3(5).

#  The access list for the outside interface is configured to allow traffic
#  from the Internet to 172.16.1.10 for web, terminal services and ftp.
#  You will see from the static commands later on that each of these
#  requests will go to a different server on the inside.

access-list outside-entry extended permit tcp any host 172.16.1.1 eq www
access-list outside-entry extended permit tcp any host 172.16.1.1 eq 3389
access-list outside-entry extended permit tcp any host 172.16.1.1 eq ftp

#  When going from a higher interface to a lower interface a NAT and global
#  command are used.
#  Any address on the 10.1.1.0/24 inside network going to the outside will
#  use PAT, translating the source IP
#  to the IP address that is configured on the outside interface above.

global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0

#  These static commands take all www requests to the public ip address of
#  172.16.1.1 and forward them to the inside ip address
#  10.1.1.10 on port 80.  The same is done for terminal services and ftp
#  requests to 172.16.1.1; however, each of these is forwarded
#  to a different inside ip address.

static (inside,outside) tcp 172.16.1.1 www 10.1.1.10 www netmask 255.255.255.255
static (inside,outside) tcp 172.16.1.1 3389 10.1.1.12 3389 netmask 255.255.255.255
static (inside,outside) tcp 172.16.1.1 ftp 10.1.1.15 ftp netmask 255.255.255.255

On Tue, Aug 26, 2008 at 9:21 PM, John Ramz <sforcejr at yahoo.com> wrote:

> Version 6.3.5
> PIX 515
>
> We have been assigned 25 Public IP addresses by our ISP and I want to
> administer them in the most efficient way.
>
> We get a lot of requests for external access to different hosts in our
> private network. For example:
>
> Public trusted IP address requesting access: P.P.P.2
> Public IP address assigned by ISP: Q.Q.Q.10
> Internal host IP: 10.10.10.111
> port 80 or 8080 (http://10.10.10.111/site:8080)
>
> So far every time we get a request we do this:
>
> static (inside,outside) Q.Q.Q.10 10.10.10.111 netmask 255.255.255.255 0 0
> access-list ACL_NAME permit tcp host P.P.P.2 host Q.Q.Q.10 eq 8080
>
> QUESTION
> 1- Is it possible to do what I believe is called PAT and reuse the same
> public ip address (Q.Q.Q.10) when I get a second request to access a
> DIFFERENT host (10.10.10.112) and redirect them to port 8081 for example?
> If possible, how?
>
>
>
> Today I got a request to allow access to an internal host (10.10.10.110)
> that I have already mapped with this public IP: Q.Q.Q.9. The source ip
> address is: P.P.P.3. These are the statements already in the PIX:
>
> static (inside,outside) Q.Q.Q.9 10.10.10.110 netmask 255.255.255.255 0 0
> access-list ACL_NAME permit tcp host P.P.P.1 host Q.Q.Q.9 eq 8080
>
> I need to allow P.P.P.3 to access the same internal host (Q.Q.Q.9). I tried
> to assign a different public ip address (Q.Q.Q.11) but I got this message:
>
> ERROR: duplicate of existing static
>
> QUESTION
> 2- Is there any way to allow 2 IP addresses to access the same host on the
> same port (it could be different)?
>
> I appreciate any help since I am a beginner on this subject.
>
>
> Thanks
>
> John
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>



-- 
Jules Rogers
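As an added illustration (not code from this thread or from Cisco), the Python below generates the port-level statics of the kind shown in the reply above and the per-source access-list lines from the quoted question, in 6.3 syntax (7.x inserts "extended" after the list name), and refuses a second static for an inside host:port that is already published, which is the condition behind the "duplicate of existing static" error. The addresses are the thread's own placeholders; the Forward table and the helper names are assumptions.

```python
"""Added example, not from the thread: build PIX 6.3 port-redirection
statics plus matching access-list lines from a mapping table and refuse
mappings the PIX would reject with "ERROR: duplicate of existing static"."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    global_ip: str    # public address reached from the outside
    global_port: int  # port clients connect to on that public address
    local_ip: str     # inside host that really serves the request
    local_port: int   # port the inside host listens on
    sources: tuple    # trusted outside hosts allowed through the ACL


def build_config(forwards, acl="ACL_NAME"):
    """Return (static_lines, acl_lines).

    A port-level static ties one public ip:port to one inside host:port, so
    several statics may share a public ip when the ports differ (question 1).
    A second trusted source for an already published host only needs another
    access-list line, never a second static (question 2); a conflicting
    static raises instead of silently producing a line the PIX will reject."""
    global_to_local, local_to_global = {}, {}
    statics, acls = [], []
    for f in forwards:
        gkey, lkey = (f.global_ip, f.global_port), (f.local_ip, f.local_port)
        if global_to_local.get(gkey, lkey) != lkey:
            raise ValueError(f"{gkey} already forwards to {global_to_local[gkey]}")
        if local_to_global.get(lkey, gkey) != gkey:
            raise ValueError(f"duplicate of existing static for {lkey}")
        if gkey not in global_to_local:
            global_to_local[gkey], local_to_global[lkey] = lkey, gkey
            statics.append(f"static (inside,outside) tcp {f.global_ip} {f.global_port} "
                           f"{f.local_ip} {f.local_port} netmask 255.255.255.255")
        for src in f.sources:  # one trusted source and one port per line
            line = f"access-list {acl} permit tcp host {src} host {f.global_ip} eq {f.global_port}"
            if line not in acls:
                acls.append(line)
    return statics, acls


# Constructed sample using the thread's placeholder addresses.
EXAMPLE_FORWARDS = (
    Forward("Q.Q.Q.10", 8080, "10.10.10.111", 8080, ("P.P.P.2",)),
    Forward("Q.Q.Q.10", 8081, "10.10.10.112", 8081, ("P.P.P.2",)),  # same public ip, new port
    Forward("Q.Q.Q.9", 8080, "10.10.10.110", 8080, ("P.P.P.1", "P.P.P.3")),  # extra source
)
```

Calling build_config(EXAMPLE_FORWARDS) yields three statics and four ACL lines; appending a Forward that maps 10.10.10.110:8080 to Q.Q.Q.11 raises the duplicate-static error before anything is pasted into the firewall.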
