PAT/overload from outside to inside

tato386 · ‎10-16-2007

I have host using a private internal IP that will only talk to machines on the same private IP. I need to have public IPs talk to this machine. I have a PIX that uses the same private IP subnet on its inside interface. What I would like to do is a PAT/overload scenario in reverse where multiple outside hosts will talk to the inside host using one IP from the private subnet. I think I have seen this mentioned somewhere but can't find it. One caveat is that the PIX must also do PAT/overload for internal hosts going out to the Internet at the same time. Is this possible?

Thanks,

Diego

sundar.palaniappan · ‎10-16-2007

Diego,

You can do this with static, NAT and ACL to address both requirements.

Here's a configuration example that you can use to build your configuration.

Inside Web Host that needs to be accessed from Outside: 192.168.1.2

int e0

nameif outside

security-level 0

ip add 172.16.1.1 255.255.255.0

int e1

nameif inside

security-level 100

ip add 192.168.1.1 255.255.255.0

access-group acl_outside in interface outside

access-list acl_outside permit tcp any host 172.16.1.1 eq www

nat (inside) 1 192.168.1.0 255.255.255.0

global (outside) 1 interface

static (inside,outside) interface 192.168.1.2 tcp 80

HTH

Sundar

Jon Marshall · ‎10-16-2007

Hi Diego

Sundar has covered most of this but to PAT all outside addresses

access-list PATIN permit ip any host 172.16.1.1

(Note, i'm using Sundar's IP addressing and you might want to tie access down to the particular tcp/udp ports)

nat (outside) 2 access-list PATIN outside

global (inside) 2 interface

HTH

Jon

tato386 · ‎10-18-2007

Thanks guys. I will give this a shot and let you know what happens.