NAT 1 Public IP to Multiple Internal IPs and replace Port#

Unanswered Question

I have a Cisco 515e running 7.0(1) and would like to allow a single public IP to translate traffic to different internal hosts on my network by what port they are trying to access on the outside. So for instance, if someone entered X.X.X.X:85, the PIX could replace the port with 80 and go to web server A. And on that same public IP, X.X.X.X:99 could point to another host and change the port to 80 so that web server could be reached. I am sure this is possible; any help greatly appreciated.

acomiskey Mon, 03/31/2008 - 07:15

static (inside,outside) tcp interface 85 web.server.ip www netmask 255.255.255.255

static (inside,outside) tcp interface 99 web.server2.ip www netmask 255.255.255.255

One problem with the config of my NATs on my PIX is that the inside interface is not NATed; rather, just the subnet of my internal network is. When I add a NAT rule like the above I get: "This static port mapping rule is overlapping with a dynamic address translation rule for X.X.X.X/255.255.252.0 using global pool 1. Do you wish to proceed?" I suppose I could proceed without issue? In the end I would like to replace the subnet NAT using the inside interface, so that I don't receive this message every time I set up a static NAT. But I do not want to compromise by deleting my security policies. Is it possible to insert the inside interface NAT and then remove the subnet NAT without deleting my security policies and causing too much disruption?

jordielau Mon, 06/23/2008 - 21:39

Why can't I access the 192.168.10.7 web server from the internet with your advice? Following is my configuration:

PIX Version 7.2(1)
!
hostname wanshitong
domain-name wanshitong.com
enable password vda4u.Aio7ssMh5X encrypted
names
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 218.xx.xx.26 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
passwd vda4u.Aio7ssMh5X encrypted
boot system flash:/image.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name wanshitong.com
same-security-traffic permit intra-interface
access-list 100 extended permit tcp any interface outside eq www
access-list 100 extended permit ip any any
access-list 101 extended permit ip any any
pager lines 24
logging enable
logging asdm errors
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm521.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 192.168.20.0 255.255.255.0
nat (inside) 1 192.168.30.0 255.255.255.0
nat (inside) 1 192.168.100.0 255.255.255.0
static (inside,outside) tcp interface www 192.168.10.7 www netmask 255.255.255.255
access-group 100 in interface outside
access-group 101 in interface inside
route outside 0.0.0.0 0.0.0.0 218.xx.xx.254 1
route inside 192.168.10.0 255.255.255.0 192.168.100.2 1
route inside 192.168.20.0 255.255.255.0 192.168.100.2 1
route inside 192.168.30.0 255.255.255.0 192.168.100.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
username cisco password 3USUcOPFUiMCO4Jk encrypted
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.10.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
http 192.168.30.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
telnet 58.63.6.0 255.255.255.0 outside
telnet 192.168.100.0 255.255.255.0 inside
telnet 192.168.10.0 255.255.255.0 inside
telnet 192.168.20.0 255.255.255.0 inside
telnet 192.168.30.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 1
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect http
  inspect ftp
  inspect dns
  inspect icmp
  inspect icmp error
  inspect tftp
  inspect esmtp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
service-policy global_policy global
tftp-server inside 192.168.100.100 pix721
prompt hostname context
Cryptochecksum:xxx
: end
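As an added example (not code from this thread or from Cisco), the following Python script parses the `static ... interface` PAT entries and the `nat`/`global` pool out of a PIX 7.x configuration like the one posted above, builds the outside-port to inside-host map, flags statics whose inside host also sits in a dynamic NAT subnet (which is what produces the "overlapping with a dynamic address translation rule" prompt mentioned earlier), and lists management services the configuration leaves open to any outside address. The sample configuration is constructed from lines in this thread; the 192.168.10.8 host on outside port 85 is an assumption.

```python
import re
import ipaddress
# Constructed sample condensed from the PIX 7.x config posted in this thread; the
# 192.168.10.8 entry on outside port 85 is assumed, mirroring the original question.
SAMPLE_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 192.168.100.0 255.255.255.0
static (inside,outside) tcp interface www 192.168.10.7 www netmask 255.255.255.255
static (inside,outside) tcp interface 85 192.168.10.8 www netmask 255.255.255.255
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh version 1
snmp-server community public
"""
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23}
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) interface (\S+) (\S+) (\S+) netmask")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
MGMT_RE = re.compile(r"^(http|ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\S+)")

def to_port(token):
    """Resolve a PIX service keyword or numeric port to an integer."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]

def static_pat_map(config):
    """Return {(proto, outside_port): (inside_host, inside_port)} for interface PAT statics."""
    table = {}
    for m in filter(None, map(STATIC_RE.match, config.splitlines())):
        _in_if, _out_if, proto, oport, host, iport = m.groups()
        table[(proto, to_port(oport))] = (host, to_port(iport))
    return table

def dynamic_nat_subnets(config):
    """Return [(pool_id, IPv4Network)] from 'nat (inside) <id> <net> <mask>' lines."""
    return [(int(m.group(2)), ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}"))
            for m in filter(None, map(NAT_RE.match, config.splitlines()))]

def audit(config):
    """Flag PAT hosts inside a dynamic NAT pool (what triggers the PIX 'overlapping with a
    dynamic address translation rule' prompt) and management services open to any outside address."""
    findings = []
    for (proto, oport), (host, iport) in static_pat_map(config).items():
        for pool_id, net in dynamic_nat_subnets(config):
            if ipaddress.ip_address(host) in net:
                findings.append(f"static {proto}/{oport} -> {host}:{iport} overlaps nat pool {pool_id} ({net})")
    for line in config.splitlines():
        m = MGMT_RE.match(line)
        if m and m.group(2) == "outside":
            findings.append(f"{m.group(1)} management open to any source on outside")
        elif line in ("ssh version 1", "snmp-server community public"):
            findings.append(f"weak management setting: {line}")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the overlap and exposure findings; feed it the text of `show running-config` from a real device to check a live configuration.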
