PAT Translation impossibility query.

danparsons
Level 1

Hi,

Right, the setup is a PIX 501 with one outside IP. Let's say 213.213.213.213.

What needs to be done is to allow an external company access (on IP 10.10.10.10) to 3 computers (192.168.1.1-192.168.1.3) on port 80, for remote access.

Now as far as I know I can only allow access from this external IP address to 1 of the computers, as I only have one external IP (the firewall interface) and therefore only one port 80. As in these three lines of config:

access-list services permit tcp host 10.10.10.10 host 213.213.213.213 eq www

static (inside,outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255 0 0

access-group services in interface outside

In conclusion, there is no way I can allow access to the other two internal IPs 192.168.1.2 or .3 from the external company IP 10.10.10.10.

All I need to know is if I am incorrect or if there is another way round it without more external IPs.

Many thanks for reading,

Daniel.

3 Replies

acomiskey
Level 10

You are correct unless you use ports other than 80 for the other 2 servers like this...

static (inside,outside) tcp interface 8080 192.168.1.2 www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 8081 192.168.1.3 www netmask 255.255.255.255 0 0

Thanks for the help guys. Just to summarise:

I have now got three entries:

static (inside,outside) tcp interface www 192.168.2.101 www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 81 192.168.2.102 www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 82 192.168.2.103 www netmask 255.255.255.255 0 0

The remote company should now be able to access all three. Just for info, they are using GoToMyPC.

Thanks Again.

Jon Marshall
Hall of Fame

Hi Daniel

You are correct. The only way round this is if you could run the web service on 3 different ports so that you could set up 3 different static entries for it, i.e.

static (inside,outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 81 192.168.1.1 81 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 82 192.168.1.1 82 netmask 255.255.255.255 0 0

Then the users at the other end would connect as

http://213.213.213.213

http://213.213.213.213:81

http://213.213.213.213:82

Jon
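An added example, not part of the thread: each static port redirect also needs a matching permit in the ACL bound to the outside interface, and the ACL in the question permits only www, so the extra outside ports stay blocked until they are added. The sketch below audits a config for that gap and for two statics claiming the same outside port. The names `audit`, `port` and `PORT_NAMES` are hypothetical, the sample config is constructed from the question's lines plus the first reply's statics, and it assumes the ACL matches the outside address and outside port as the question's own entry does.

```python
import re

PORT_NAMES = {"www": 80}  # assumption: only the name used in this thread is mapped

# Constructed sample: the question's ACL and static plus the first reply's statics.
CONFIG = """\
access-list services permit tcp host 10.10.10.10 host 213.213.213.213 eq www
static (inside,outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8080 192.168.1.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8081 192.168.1.3 www netmask 255.255.255.255 0 0
access-group services in interface outside
"""

STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\S+) (\S+) (\S+) ")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp host (\S+) host (\S+) eq (\S+)$")


def port(token):
    """Map a port token (name or number) from the config to an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def audit(config, outside_ip, partner_ip, acl="services"):
    """Return (duplicate outside ports, ACL lines still needed for the partner)."""
    forwards, permitted, duplicates = {}, set(), []
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            outside_port = port(m.group(1))
            if outside_port in forwards:  # one outside IP: each port maps only once
                duplicates.append(outside_port)
            forwards[outside_port] = (m.group(2), port(m.group(3)))
        elif m := ACL_RE.match(line):
            name, src, dst, dport = m.groups()
            if name == acl and src == partner_ip and dst == outside_ip:
                permitted.add(port(dport))
    missing = [
        f"access-list {acl} permit tcp host {partner_ip} host {outside_ip} eq {p}"
        for p in sorted(forwards) if p not in permitted
    ]
    return duplicates, missing


if __name__ == "__main__":
    dups, missing = audit(CONFIG, "213.213.213.213", "10.10.10.10")
    print("duplicate outside ports:", dups)
    print("\n".join(missing))
```

Keeping the generated entries scoped to `host 10.10.10.10` preserves the question's restriction of access to the external company alone.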
