PIX NAT

limlayhin
Level 1

I have a PIX 515-E firewall which is giving me problems.

Inside our private network, we have a local host behind my inside interface, call it HOST-A, IP 192.168.1.2.

From the Internet, we have assigned 2 public IPs, both pointing to (NAT to) HOST-A, serving 2 different purposes:

- One public IP, 202.1.1.3, to serve HTTP traffic

- Another public IP, 202.1.1.4, to serve POP-3 traffic.

I had used a dynamic IP pool so that both public IPs are NATed to the same private address, 192.168.1.2, at my outside interface.

However, I found that I need to create another NAT at my inside interface, i.e. 192.168.1.2 NAT to 202.1.1.3.

However, I also found that I cannot create another NAT rule for 192.168.1.2 to NAT to 202.1.1.4.

As such, our POP-3 traffic became inaccessible.

Is it a limitation in the PIX firewall?

My PIX detail:

sh version
Cisco PIX Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)

Config detail:

name 202.1.1.3 IP-HTTP
name 202.1.1.4 IP-POP
name 192.168.1.2 HOST-A
access-list outside_access_in extended permit tcp any host IP-HTTP object-group WEB-SERVICES
access-list outside_access_in extended permit tcp any host IP-POP object-group TCP-POP3-IMAP
global (inside) 1 HOST-A netmask 255.255.255.255
nat (outside) 1 IP-HTTP 255.255.255.255 outside
nat (outside) 1 IP-POP 255.255.255.255 outside
static (inside,outside) IP-HTTP HOST-A netmask 255.255.255.255


mahmoodmkl
Level 7

Hi

I think you don't need two nat statements as you are doing for the same IP, and you need to create a statement in the access list, not a separate access-list.

Try this config:

static (inside,outside) (global ip) (private ip) netmask 255.255.255.255
access-list outside_in permit tcp any host (global ip) eq 80
access-list outside_in permit tcp any host (global ip) eq pop3 (your POP3 port number)

And you need to apply it inbound to your outside interface.

See if it works.

Thanks

Mahmood

Managed to solve the problem with the following configuration:

global (outside) 1 202.1.1.3
static (inside,outside) tcp 202.1.1.3 www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp 202.1.1.4 pop3 192.168.1.2 pop3 netmask 255.255.255.255
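Added example, not from this thread or from Cisco: a small Python model of how static NAT entries are matched, using the thread's addresses, to show why a second one-to-one static for the same inside host collides with the first while the per-port statics in the solution do not. The overlap rule (a one-to-one static claims every port of its address, and the PIX refuses an overlapping entry) is an assumption that simplifies the real PIX behaviour.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Static:  # one static NAT entry; proto/ports are None for a one-to-one static
    mapped_ip: str                 # address seen on the outside interface
    real_ip: str                   # host behind the inside interface
    proto: Optional[str] = None    # "tcp" for a port static
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None

def _covers(x, y):  # x, y are (ip, proto, port) tuples
    # Assumption: a one-to-one static (proto None) claims every port of its address.
    return x[0] == y[0] and (x[1] is None or y[1] is None or x[1:] == y[1:])

def overlaps(a: Static, b: Static) -> bool:
    """True when some packet could match both entries in either direction."""
    return (_covers((a.mapped_ip, a.proto, a.mapped_port), (b.mapped_ip, b.proto, b.mapped_port))
            or _covers((a.real_ip, a.proto, a.real_port), (b.real_ip, b.proto, b.real_port)))

def add_static(table: List[Static], s: Static) -> List[Static]:
    """Return table plus s, or raise if s overlaps an existing entry (assumed PIX behaviour)."""
    for existing in table:
        if overlaps(existing, s):
            raise ValueError(f"overlaps {existing.mapped_ip} -> {existing.real_ip}")
    return table + [s]

def untranslate(table: List[Static], dst_ip: str, proto: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Inbound lookup: the inside host/port that an outside packet to dst_ip:dst_port reaches."""
    for s in (s for s in table if s.mapped_ip == dst_ip):
        if s.proto is None:                       # one-to-one: every port passes unchanged
            return (s.real_ip, dst_port)
        if s.proto == proto and s.mapped_port == dst_port:
            return (s.real_ip, s.real_port)
    return None

def original_attempt() -> str:
    """The thread's first config: a 1:1 static for IP-HTTP, then a second 1:1 for IP-POP."""
    table = add_static([], Static("202.1.1.3", "192.168.1.2"))
    try:
        add_static(table, Static("202.1.1.4", "192.168.1.2"))
        return "accepted"
    except ValueError as e:
        return f"rejected: {e}"

def working_config() -> List[Static]:
    """The per-port statics from the solution post (www=80, pop3=110)."""
    table = add_static([], Static("202.1.1.3", "192.168.1.2", "tcp", 80, 80))
    return add_static(table, Static("202.1.1.4", "192.168.1.2", "tcp", 110, 110))
```

With the per-port statics, a packet to 202.1.1.4 on port 80 matches nothing, so only the ports each public address is meant to serve reach HOST-A.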
