Port Redirection with limited Public IP

Unanswered Question
Jan 9th, 2008

Hi, I need expert help. Can a Cisco PIX 515 translate a single public IP to multiple internal IPs? I need to redirect, let us say, SMTP traffic to one private IP and HTTP traffic to another private IP listening on the same public IP. Can this be done? Are there any configuration examples I could follow? Thanks

gfullage Wed, 01/09/2008 - 20:33

Sure can. Assuming you have that single public IP configured on the PIX's outside interface, do the following:

static (inside,outside) tcp interface 25 25 netmask
static (inside,outside) tcp interface 80 80 netmask
access-list inbound permit tcp any interface outside eq 25
access-list inbound permit tcp any interface outside eq 80
access-group inbound in interface outside

Any traffic coming in on TCP/25 for the outside IP address of the PIX will be forwarded internally to on port 25. Any traffic for port 80 will be forwarded to

jordielau Mon, 06/23/2008 - 22:35

Hope you can help me. I configured my PIX 515E following yours, but I still can't access the web server. Following is my configuration:

PIX Version 7.2(1)

hostname wanshitong
domain-name wanshitong.com
enable password vda4u.Aio7ssMh5X encrypted

interface Ethernet0
nameif outside
security-level 0
ip address 218.xx.xx.26

interface Ethernet1
nameif inside
security-level 100
ip address

passwd vda4u.Aio7ssMh5X encrypted
boot system flash:/image.bin
ftp mode passive
dns server-group DefaultDNS
domain-name wanshitong.com
same-security-traffic permit intra-interface
access-list 100 extended permit tcp any interface outside eq www
access-list 100 extended permit ip any any
access-list 101 extended permit ip any any
pager lines 24
logging enable
logging asdm errors
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm521.bin
asdm history enable
arp timeout 14400

global (outside) 1 interface
nat (inside) 1
nat (inside) 1
nat (inside) 1
nat (inside) 1
static (inside,outside) tcp interface www www netmask
access-group 100 in interface outside
access-group 101 in interface inside
route outside 218.xx.xx.254 1
route inside 1
route inside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
username cisco password 3USUcOPFUiMCO4Jk encrypted
http server enable
http outside
http inside
http inside
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
telnet outside
telnet inside
telnet inside
telnet inside
telnet inside
telnet timeout 5
ssh outside
ssh timeout 60
ssh version 1
console timeout 0

class-map inspection_default
match default-inspection-traffic

policy-map global_policy
class inspection_default
inspect http
inspect ftp
inspect dns
inspect icmp
inspect icmp error
inspect tftp
inspect esmtp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect sqlnet
inspect sunrpc
inspect xdmcp
policy-map type inspect dns migrated_dns_map_1

message-length maximum 512

service-policy global_policy global
tftp-server inside pix721
prompt hostname context

: end

nomair_83 Mon, 06/30/2008 - 04:56

Just telnet to "interface ip" 80 from outside and check the ACL hits and logs.
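Putting gfullage's two translations, the inbound ACL and nomair_83's checks together, as an added example that is not from any of the posters: PIX 7.x syntax, with 10.0.0.25 and 10.0.0.80 as placeholder inside hosts and 192.0.2.1 as a placeholder for the outside interface address. The ACL permits only the two redirected ports; the posted config also carries `access-list 100 extended permit ip any any` inbound on outside, which makes its per-port line redundant and exposes every static translation, not just the web server.

```cisco
! Static PAT: one outside address ("interface"), two inside hosts (placeholder IPs)
static (inside,outside) tcp interface 25 10.0.0.25 25 netmask 255.255.255.255
static (inside,outside) tcp interface 80 10.0.0.80 80 netmask 255.255.255.255
!
! Inbound ACL: only the redirected ports, no "permit ip any any" on the outside interface
access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq www
access-group inbound in interface outside
!
! Checks: translation present, hitcnt on the ACL lines incrementing after a test
! connection, and a simulated inbound packet walked through NAT and ACL
! (packet-tracer is available from 7.2; 203.0.113.10 is a placeholder client)
show xlate
show access-list inbound
packet-tracer input outside tcp 203.0.113.10 40000 192.0.2.1 80
```

If `show xlate` lists the translation but the hitcnt on the `eq www` line stays at zero, the packet is not reaching that ACL line; if hitcnt increments and the connection still fails, look at the inside host, its default gateway and the inside route entries.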