[c-nsp] NAT/ACL options in a PIX
Ziv Leyes
zivl at gilat.net
Wed Aug 27 04:07:19 EDT 2008
If I understand you correctly, what you're trying to achieve is a kind of load balancing: you want the PIX to listen on the outside public address on a certain port, such as 8080, and to forward a request to several internal hosts on different "inside" ports.
I'll try to make a diagram to see if this is correct.
External IP (8080) ---------------- Host A (8080)
                  |\
                  | \
                  |  \
                  |   \
                  |    \
                  |     Host B (8081)
                  Host C (8082)
Is this what you're trying to do?
I'm not aware of any way of doing this on a PIX with ver. 6.3.5
If someone knows a way, I'll be glad to hear about it too.
Ziv
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Ramz
Sent: Wednesday, August 27, 2008 5:21 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] NAT/ACL options in a PIX
Version 6.3.5
PIX 515
We have been assigned 25 public IP addresses by our ISP and I want to administer them in the most efficient way.
We get a lot of requests for external access to different hosts in our private network. For example:
Public trusted IP address requesting access: P.P.P.2
Public IP address assigned by ISP: Q.Q.Q.10
Internal host IP: 10.10.10.111
port 80 or 8080 (http://10.10.10.111/site:8080)
So far every time we get a request we do this:
static (inside,outside) Q.Q.Q.10 10.10.10.111 netmask 255.255.255.255 0 0
access-list ACL_NAME permit tcp host P.P.P.2 host Q.Q.Q.10 eq 8080
QUESTION
1- Is it possible to do what I believe is called PAT and reuse the same public IP address (Q.Q.Q.10) when I get a second request to access a DIFFERENT host (10.10.10.112) and redirect them to port 8081, for example? If possible, how?
Today I got a request to allow access to an internal host (10.10.10.110) that I have already mapped with this public IP: Q.Q.Q.9. The source IP address is P.P.P.3. These are the statements already in the PIX:
static (inside,outside) Q.Q.Q.9 10.10.10.110 netmask 255.255.255.255 0 0
access-list ACL_NAME permit tcp host P.P.P.1 host Q.Q.Q.9 eq 8080
I need to allow P.P.P.3 to access the same internal host (Q.Q.Q.9). I tried to assign a different public IP address (Q.Q.Q.11) but I got this message:
ERROR: duplicate of existing static
QUESTION
2- Is there any way to allow 2 IP addresses to access the same host on the same port (it could be different)?
I appreciate any help since I am a beginner on this subject.
Thanks
John
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
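As an added illustration (not from either poster), here are the two configurations the question describes, written out in PIX 6.x syntax. It assumes the port-redirection form of "static" (static (inside,outside) tcp <global_ip> <global_port> <local_ip> <local_port>) is accepted on this 6.3.5 unit, and that ACL_NAME is the ACL already bound to the outside interface; both points should be checked against the command reference for that release before relying on them.

```text
! Added example, not from the thread. Assumes the PIX 6.x port-redirection
! form of "static" is available on 6.3.5 (check the command reference).

! Question 1: one public address (Q.Q.Q.10), several inside hosts, told apart
! by destination port. These port-specific statics are used in place of the
! one-to-one "static (inside,outside) Q.Q.Q.10 10.10.10.111" from the question.
static (inside,outside) tcp Q.Q.Q.10 8080 10.10.10.111 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp Q.Q.Q.10 8081 10.10.10.112 8081 netmask 255.255.255.255 0 0
access-list ACL_NAME permit tcp host P.P.P.2 host Q.Q.Q.10 eq 8080
access-list ACL_NAME permit tcp host P.P.P.2 host Q.Q.Q.10 eq 8081

! Question 2: a second trusted source reaching Q.Q.Q.9 only needs a second
! ACL line. The existing static for 10.10.10.110 stays as it is; a second
! static for the same inside host is what the PIX rejects as a duplicate.
access-list ACL_NAME permit tcp host P.P.P.1 host Q.Q.Q.9 eq 8080
access-list ACL_NAME permit tcp host P.P.P.3 host Q.Q.Q.9 eq 8080

! Only needed if ACL_NAME is not already applied to the outside interface
! (assumed here; verify with "show access-group").
access-group ACL_NAME in interface outside
```

Each ACL line is limited to the one trusted source and the one destination port, so widening access for a new requester means adding a line, not loosening an existing one.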
************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************