NATting 2 Global IPs to one Local IP

Unanswered Question
Apr 9th, 2008

Hi everybody,

I have a web server inside the firewall and I need to publish two IP addresses to access this web server, but I need to have one IP address internally.

I can do this using extendable NATs on Cisco routers, but I couldn't find a way to do it on a PIX 515E (Ver 6.2). I saw someone mention policy-based NATting in ASA; is it possible in PIX?

husycisco Thu, 04/10/2008 - 03:23

Hi Manjula,

Yes, policy NAT is possible, but you don't really need it. All you have to do is add another static command.

static (inside,outside) publicip1 webserverip netmask 255.255.255.255

static (inside,outside) publicip2 webserverip netmask 255.255.255.255

access-list outside_access_in permit tcp any host publicip1 eq www

access-list outside_access_in permit tcp any host publicip2 eq www

access-group outside_access_in in interface outside

Your 6.2 IOS works with conduits instead of access-lists as far as I remember; you had better upgrade your IOS to 6.3(5) or 7.2.

Regards

manjula.dealwis Thu, 04/10/2008 - 15:39

Thanks for the reply Husy, but when I try to enter the second static mapping, it throws an error saying "static overlaps with Publicip1 to Privateip".

In ASA they have done it by using "extended" in the access-list and mapping two IPs. hxxp://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a...

I can't use extended in the access-list as it doesn't support that command.

Manjula

pengfang Thu, 04/10/2008 - 19:28

Hi,

1. From v7.x, the ACL is more similar to IOS; just remove "extended" when you convert it from 7.x to 6.x.

2. The "overlapping" warning should be fine if the PIX takes the command instead of rejecting it.

JORGE RODRIGUEZ Thu, 04/10/2008 - 20:20

Manjula, you can accomplish this easily with policy NAT.

For example, say you have:

Local IP: 10.10.10.1

Public IP 1: 30.30.30.1

Public IP 2: 30.30.30.2

Services RDP TCP 3389

static (inside,outside) 30.30.30.1 access-list policy_nat_rdp1

static (inside,outside) 30.30.30.2 access-list policy_nat_rdp2

access-list policy_nat_rdp1 extended permit ip host 10.10.10.1 any

access-list policy_nat_rdp2 extended permit ip host 10.10.10.1 any

access-list outside_access_in extended permit tcp any host 30.30.30.1 eq 3389

access-list outside_access_in extended permit tcp any host 30.30.30.2 eq 3389

access-group outside_access_in in interface outside

You can omit the extended word. I am almost positive code 6.x supports policy NAT; if I have time I will take a look at the code 6.x release notes.

HTH

Rgds

Jorge
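
To see what a pair of statics like husycisco's actually exposes once the inbound access-list is applied, here is an added Python audit script (my own, not from the thread or from Cisco) that parses PIX 6.x-style static, access-list and access-group lines from a constructed sample built on the addresses in Jorge's example. It reports the ports reachable per global IP, flags permits that open every port, permits to globals that have no static, and a local IP published under more than one global (the condition the 6.2 box reports as a static overlap); it handles the plain "static global local" form only, not the policy-NAT "static ... access-list" form.

```python
import re
from collections import defaultdict
# Constructed sample (not from the thread): two statics with the thread's addresses,
# one port-limited permit per global, plus two mistakes for the audit to catch.
SAMPLE_CONFIG = """
static (inside,outside) 30.30.30.1 10.10.10.1 netmask 255.255.255.255
static (inside,outside) 30.30.30.2 10.10.10.1 netmask 255.255.255.255
access-list outside_access_in permit tcp any host 30.30.30.1 eq www
access-list outside_access_in permit tcp any host 30.30.30.2 eq 3389
access-list outside_access_in permit ip any host 30.30.30.2
access-list outside_access_in permit tcp any host 30.30.30.9 eq www
access-group outside_access_in in interface outside
"""
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (\S+) any host (\S+)(?: eq (\S+))?")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")

def audit(config):
    """Return (exposure, findings): exposure maps each published global IP to the
    sorted proto/port values reachable from outside; findings are reviewer notes."""
    statics, acls, bound = [], defaultdict(list), {}
    for line in (l.strip() for l in config.strip().splitlines()):
        if m := STATIC_RE.match(line):
            statics.append(m.groups())            # (inside_if, outside_if, global, local)
        elif m := ACL_RE.match(line):
            name, proto, dst, port = m.groups()
            acls[name].append((proto, dst, port or "any"))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)        # interface -> ACL applied inbound
    exposure, findings, by_local = defaultdict(set), [], defaultdict(list)
    published = {gip: lip for _, _, gip, lip in statics}
    for _, outside_if, gip, lip in statics:
        by_local[lip].append(gip)
        for proto, dst, port in acls.get(bound.get(outside_if, ""), []):
            if dst == gip:
                exposure[gip].add(f"{proto}/{port}")
                if proto == "ip" or port == "any":
                    findings.append(f"{gip} ({lip}): permit {proto}/{port} opens every port")
    for lip, gips in by_local.items():
        if len(gips) > 1:   # the condition PIX 6.2 reports as a static overlap
            findings.append(f"{lip} is published under {len(gips)} globals: {', '.join(gips)}")
    for name in bound.values():
        for proto, dst, port in acls[name]:
            if dst not in published:
                findings.append(f"{name} permits {proto}/{port} to {dst}, which has no static")
    return {k: sorted(v) for k, v in exposure.items()}, findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```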

manjula.dealwis Thu, 04/10/2008 - 21:49

Thanks PengFang and Jorge,

PengFang -

When I checked, it looks like the PIX doesn't take the command; "sh run" only shows one entry, so the second entry has not been taken.

Jorge -

I could use

access-list policy_nat_rdp1 permit ip host 10.10.10.1 any

access-list policy_nat_rdp2 permit ip host 10.10.10.1 any

But without the "extended" portion. It accepted both lines.

But "static (inside,outside) 30.30.30.1 access-list policy_nat_rdp1" was the problem. It doesn't take "policy_nat_rdp1". The syntax only allows IP addresses, it seems; it says "ERROR: Invalid global IP address access-list".

I really appreciate your help on this. Thanks again.

NB - I use Cisco PIX Firewall Version 6.2(1)
