[c-nsp] NAT/ACL options in a PIX

Tom Sutherland tsutherland at i3businesssolutions.com
Wed Aug 27 12:25:52 EDT 2008


You might also consider a single static NAT (vs. PAT) command, then
control access with ACLs applied to the outside interface.

This will map all ports on the public side to all ports on the inside.
This way you won't have to do a lot of fudging around with "static"
commands, just ACLs.

Something like this:

access-list outside_in permit tcp host <externalIP1> host <YourPublicIP> eq 8081
access-list outside_in permit tcp host <externalIP2> host <YourPublicIP> eq 8082
access-list outside_in permit tcp host <externalIP3> host <YourPublicIP> eq 8083

static (inside,outside) <YourPublicIP> <insideIP> netmask 255.255.255.255

access-group outside_in in interface outside


On Wed, 2008-08-27 at 08:20 -0400, John Ramz wrote:

> 
> Vinny,
> 
> 
> #thanks for the reply. So, host 5.6.7.8 wants to access that internal #host. would the access list to complete it look like this:?
> 
> access-list ACL_NAME permit TCP host 5.6.7.8 host 10.10.10.110 eq 8081
> 
> 
> #Now if I get another request to access a different host (10.10.10.111). #could I reuse the same ip address (1.2.3.4) and do this:?
> 
> static (inside,outside) tcp 1.2.3.4 8080 10.10.10.111 8081 netmask 255.255.255.255 0 0
> access-list ACL_NAME permit TCP host 9.10.11.12 host 10.10.10.111 eq 8081
> 
> 
> ONE MORE QUESTION,.....
> Since I am doing NAT 1 to 1, I already allowed 1 external host to access an internal host (10.10.10.110) on port 8080
> 
> How can I allow another external host (different IP address) to access the same internal host (10.10.10.110) on port 8080?
> 
> Hopefully you can understand this last question
> 
> Thanks
> 
> 
> 
> 
> --- On Tue, 8/26/08, Vinny Abello <vinny at tellurian.com> wrote:
> 
> > From: Vinny Abello <vinny at tellurian.com>
> > Subject: RE: [c-nsp] NAT/ACL options  in a PIX
> > To: "sforcejr at yahoo.com" <sforcejr at yahoo.com>, "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> > Date: Tuesday, August 26, 2008, 10:23 PM
> > Correct, you are doing NAT as a straight 1 to 1 translation
> > for traffic. Using PAT, you can specify either TCP or UDP
> > traffic and the outside and inside port numbers. This is
> > still accomplished with the static statement. You'll
> > still need the access-list entry as well unless you have
> > another rule already covering it.
> >
> > I'm confused though... If you need a different external
> > host to access an internal server, why can't you reuse
> > the same outside address in the translation? The PIX does
> > extended translation automatically. Just add it to the
> > access-list, or did I misunderstand?
> >
> > If you are doing this on a different port and want to map
> > various ports on one external IP to different internal hosts
> > or ports, you can do this as well with the static statement:
> >
> > static (inside,outside) tcp 1.2.3.4 8080 10.10.10.110 8081
> > netmask 255.255.255.255 0 0
> >
> > This maps traffic that matches TCP port 8080 hitting the
> > outside address of 1.2.3.4 to port 8081 on internal IP
> > 10.10.10.110.
> >
> > I wasn't quite clear with your alphanumeric examples,
> > but I hope this helps. I believe you truly just want to keep
> > adding more entries to your access-list. Once you have a
> > translation be it NAT or PAT defined, the access control is
> > done through the access-list at that point.
> >
> > -Vinny
> >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-
> > > bounces at puck.nether.net] On Behalf Of John Ramz
> > > Sent: Tuesday, August 26, 2008 10:32 PM
> > > To: cisco-nsp at puck.nether.net
> > > Subject: [c-nsp] NAT/ACL options in a PIX
> > >
> > > --CORRECTION---
> > >
> > > As a part of my 2nd question I made a mistake on the
> > internal host IP.
> > > This is the correction:
> > >
> > > I need to allow P.P.P.3 to access the same internal
> > host
> > > (10.10.10.110). I tried to assign a different Public
> > ip
> > > address(Q.Q.Q.11)...........
> > >
> > >
> > > Thanks
> > >
> > >
> > >
> > > --- On Tue, 8/26/08, John Ramz
> > <sforcejr at yahoo.com> wrote:
> > >
> > > > From: John Ramz <sforcejr at yahoo.com>
> > > > Subject: NAT/ACL options  in a PIX
> > > > To: cisco-nsp at puck.nether.net
> > > > Date: Tuesday, August 26, 2008, 9:21 PM
> > > > Version 6.3.5
> > > > PIX 515
> > > >
> > > > We have been assigned 25 Public IP addresses by
> > our ISP and
> > > > I want to administer them in the most efficient
> > way.
> > > >
> > > > We get a lot of requests for external access to
> > different
> > > > hosts in our private network. For example:
> > > >
> > > > Public trusted IP address requesting access:
> > P.P.P.2
> > > > Public IP address assigned by ISP: Q.Q.Q.10
> > > > Internal host IP: 10.10.10.111
> > > > port 80 or 8080 (http://10.10.10.111/site:8080
> > > >
> > > > So far every time we get a request we do this:
> > > >
> > > > static (inside,outside) Q.Q.Q.10 10.10.10.111
> > netmask
> > > > 255.255.255.255 0 0
> > > > access-list ACL_NAME permit tcp host P.P.P.2 host
> > Q.Q.Q.10
> > > > eq 8080
> > > >
> > > > QUESTION
> > > > 1- Is it possible to do what I believe is called
> > PAT and
> > > > reuse the same public ip address(Q.Q.Q.10) when I
> > get a
> > > > second request to access a DIFFERENT
> > host(10.10.10.112) and
> > > > redirect them to port 8081 for example? If
> > possible, how?
> > > >
> > > >
> > > >
> > > > Today I got a request to allow access to an
> > internal
> > > > host(10.10.10.110) that I have already mapped
> > with this
> > > > public IP: Q.Q.Q.9 . The source ip address is:
> > P.P.P.3 .
> > > > These are the statements already in the PIX:
> > > >
> > > > static (inside,outside) Q.Q.Q.9 10.10.10.110
> > netmask
> > > > 255.255.255.255 0 0
> > > > access-list ACL_NAME permit tcp host P.P.P.1 host
> > Q.Q.Q.9
> > > > eq 8080
> > > >
> > > > I need to allow P.P.P.3 to access the same
> > internal host
> > > > (Q.Q.Q.9). I tried to assign a different Public
> > ip
> > > > address(Q.Q.Q.11) but I got this message:
> > > >
> > > > ERROR: duplicate of existing static
> > > >
> > > > QUESTION
> > > > 2- Is there any way to allow 2 IP addresses to
> > access the
> > > > same host on the same port-it could be
> > different-?
> > > >
> > > > I appreciate any help since I am a beginner on
> > this subject
> > > >
> > > >
> > > > Thanks
> > > >
> > > > John
> > >
> > >
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> 
> 
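An added example, not part of the thread: a small Python checker for the two things that trip people up above, the "ERROR: duplicate of existing static" you get when an inside host that already has a 1:1 static is mapped to a second public address, and outside ACL entries that name the inside address instead of the public one (on PIX 6.x an ACL on the outside interface matches the translated address, so such an entry never matches). It also shows how a 1:1 static versus a port static decides which inside host and port a permit actually reaches. The config snippet, addresses and function names are constructed for the example.

```python
import re
# Constructed sample, not a config from the thread: a 1:1 static, a port (PAT) static on
# a second public IP, a second static for an inside host that is already mapped (the
# "duplicate of existing static" case) and outside ACL entries, one naming the inside IP.
SAMPLE_CONFIG = """
static (inside,outside) 1.2.3.4 10.10.10.110 netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.2.3.5 8080 10.10.10.111 8081 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.6 10.10.10.110 netmask 255.255.255.255 0 0
access-list ACL_NAME permit tcp host 5.6.7.8 host 1.2.3.4 eq 8080
access-list ACL_NAME permit tcp host 9.10.11.12 host 1.2.3.5 eq 8080
access-list ACL_NAME permit tcp host 9.10.11.12 host 10.10.10.111 eq 8081
access-group ACL_NAME in interface outside
"""
STATIC_RE = re.compile(r"static \(inside,outside\) (?:(tcp|udp) )?(\S+) (?:(\d+) )?(\S+)(?: (\d+))? netmask")
ACL_RE = re.compile(r"access-list (\S+) permit (tcp|udp) host (\S+) host (\S+) eq (\d+)")
GROUP_RE = re.compile(r"access-group (\S+) in interface outside")

def parse(config):
    """Return (statics, permit entries, names of ACLs bound to the outside interface)."""
    statics, acls, outside = [], [], set()
    for line in (ln.strip() for ln in config.splitlines()):
        if m := STATIC_RE.match(line):
            proto, g, gp, l, lp = m.groups()   # port fields are None for a 1:1 static
            statics.append({"proto": proto, "global": g, "gport": gp and int(gp), "local": l, "lport": lp and int(lp)})
        elif m := ACL_RE.match(line):
            name, proto, src, dst, port = m.groups()
            acls.append({"acl": name, "proto": proto, "src": src, "dst": dst, "port": int(port)})
        elif m := GROUP_RE.match(line):
            outside.add(m.group(1))
    return statics, acls, outside

def resolve(entry, statics):
    """Inside (host, port) a permit reaches, or None (outside ACLs on PIX 6.x match the public address)."""
    for s in (s for s in statics if s["global"] == entry["dst"]):
        if s["gport"] is None:                        # 1:1 static: every port passes through unchanged
            return (s["local"], entry["port"])
        if s["proto"] == entry["proto"] and s["gport"] == entry["port"]:
            return (s["local"], s["lport"])           # port static: redirected to the inside port
    return None

def audit(config):
    statics, acls, outside = parse(config)
    findings, mapped = [], {}
    for s in (s for s in statics if s["gport"] is None):       # 1:1 statics only
        if s["local"] in mapped:                                # PIX: "ERROR: duplicate of existing static"
            findings.append(f"duplicate static for {s['local']}: {mapped[s['local']]} and {s['global']}")
        mapped.setdefault(s["local"], s["global"])
    for e in (e for e in acls if e["acl"] in outside and resolve(e, statics) is None):
        findings.append(f"{e['acl']}: dst {e['dst']}/{e['port']} matches no translation")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the second static for 10.10.10.110 and the permit written against 10.10.10.111; the entries against 1.2.3.4 and 1.2.3.5 resolve to 10.10.10.110:8080 and 10.10.10.111:8081 respectively.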

