[c-nsp] NAT/ACL options in a PIX

Vinny Abello vinny at tellurian.com
Tue Aug 26 23:23:44 EDT 2008


Correct, you are doing NAT as a straight 1 to 1 translation for traffic. Using PAT, you can specify either TCP or UDP traffic and the outside and inside port numbers. This is still accomplished with the static statement. You'll still need the access-list entry as well unless you have another rule already covering it.

I'm confused though... If you need a different external host to access an internal server, why can't you reuse the same outside address in the translation? The PIX does extended translation automatically. Just add it to the access-list, or did I misunderstand?

If you are doing this on a different port and want to map various ports on one external IP to different internal hosts or ports, you can do this as well with the static statement:

static (inside,outside) tcp 1.2.3.4 8080 10.10.10.110 8081 netmask 255.255.255.255 0 0

This maps traffic that matches TCP port 8080 hitting the outside address of 1.2.3.4 to port 8081 on internal IP 10.10.10.110.

I wasn't quite clear with your alphanumeric examples, but I hope this helps. I believe you truly just want to keep adding more entries to your access-list. Once you have a translation be it NAT or PAT defined, the access control is done through the access-list at that point.

-Vinny

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of John Ramz
> Sent: Tuesday, August 26, 2008 10:32 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] NAT/ACL options in a PIX
>
> --CORRECTION---
>
> As a part of my 2nd question I made a mistake on the internal host IP.
> This is the correction:
>
> I need to allow P.P.P.3 to access the same internal host
> (10.10.10.110). I tried to assign a different public IP
> address (Q.Q.Q.11)...........
>
>
> Thanks
>
>
>
> --- On Tue, 8/26/08, John Ramz <sforcejr at yahoo.com> wrote:
>
> > From: John Ramz <sforcejr at yahoo.com>
> > Subject: NAT/ACL options  in a PIX
> > To: cisco-nsp at puck.nether.net
> > Date: Tuesday, August 26, 2008, 9:21 PM
> > Version 6.3.5
> > PIX 515
> >
> > We have been assigned 25 Public IP addresses by our ISP and
> > I want to administer them in the most efficient way.
> >
> > We get a lot of requests for external access to different
> > hosts in our private network. For example:
> >
> > Public trusted IP address requesting access: P.P.P.2
> > Public IP address assigned by ISP: Q.Q.Q.10
> > Internal host IP: 10.10.10.111
> > port 80 or 8080 (http://10.10.10.111/site:8080)
> >
> > So far every time we get a request we do this:
> >
> > static (inside,outside) Q.Q.Q.10 10.10.10.111 netmask
> > 255.255.255.255 0 0
> > access-list ACL_NAME permit tcp host P.P.P.2 host Q.Q.Q.10
> > eq 8080
> >
> > QUESTION
> > 1- Is it possible to do what I believe is called PAT and
> > reuse the same public ip address(Q.Q.Q.10) when I get a
> > second request to access a DIFFERENT host(10.10.10.112) and
> > redirect them to port 8081 for example? If possible, how?
> >
> >
> >
> > Today I got a request to allow access to an internal
> > host(10.10.10.110) that I have already mapped with this
> > public IP: Q.Q.Q.9 . The source ip address is: P.P.P.3 .
> > These are the statements already in the PIX:
> >
> > static (inside,outside) Q.Q.Q.9 10.10.10.110 netmask
> > 255.255.255.255 0 0
> > access-list ACL_NAME permit tcp host P.P.P.1 host Q.Q.Q.9
> > eq 8080
> >
> > I need to allow P.P.P.3 to access the same internal host
> > (Q.Q.Q.9). I tried to assign a different public IP
> > address (Q.Q.Q.11) but I got this message:
> >
> > ERROR: duplicate of existing static
> >
> > QUESTION
> > 2- Is there any way to allow 2 IP addresses to access the
> > same host on the same port (it could be different)?
> >
> > I appreciate any help since I am a beginner on this subject
> >
> >
> > Thanks
> >
> > John
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
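Putting the reply's static PAT advice together with the addresses from the quoted question, as an added PIX 6.3 configuration example (not posted by either participant). It assumes the existing one-to-one static for Q.Q.Q.10 is removed first, since a port static cannot coexist with a whole-address static on the same outside IP, and that ACL_NAME is the ACL applied inbound on the outside interface.

```cisco
! Question 1: reuse one outside address (Q.Q.Q.10) for two internal hosts
! by keying the translation on the TCP port (static PAT). Remove the old
! one-to-one "static (inside,outside) Q.Q.Q.10 10.10.10.111 ..." first.
static (inside,outside) tcp Q.Q.Q.10 8080 10.10.10.111 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp Q.Q.Q.10 8081 10.10.10.112 8080 netmask 255.255.255.255 0 0

! Question 2: a second trusted source for an already-translated host needs
! only another access-list line; a second static for 10.10.10.110 is what
! triggers "ERROR: duplicate of existing static".
static (inside,outside) Q.Q.Q.9 10.10.10.110 netmask 255.255.255.255 0 0
access-list ACL_NAME permit tcp host P.P.P.1 host Q.Q.Q.9 eq 8080
access-list ACL_NAME permit tcp host P.P.P.3 host Q.Q.Q.9 eq 8080

! On PIX 6.3 the inbound ACL matches the outside (translated) address and
! port, so each exposed port gets its own explicit line per trusted source.
access-list ACL_NAME permit tcp host P.P.P.2 host Q.Q.Q.10 eq 8080
access-list ACL_NAME permit tcp host P.P.P.2 host Q.Q.Q.10 eq 8081
access-group ACL_NAME in interface outside
```

After changing statics, run `clear xlate` so existing translation entries are rebuilt against the new statements.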

