04-09-2008 09:39 PM - edited 03-11-2019 05:29 AM
Hi everybody,
I have a web server inside the firewall and I need to publish two IP addresses to access this web server, but I need to have one IP address internally.
I can do this using extendable NATs on Cisco routers, but I couldn't find a way to do it on a PIX 515E (ver 6.2). I saw someone mention policy-based NATting on the ASA; is it possible on the PIX?
04-10-2008 03:23 AM
Hi Manjula,
Yes, policy NAT is possible, but you don't really need it. All you have to do is add another static command.
static (inside,outside) publicip1 webserverip netmask 255.255.255.255
static (inside,outside) publicip2 webserverip netmask 255.255.255.255
access-list outside_access_in permit tcp any host publicip1 eq www
access-list outside_access_in permit tcp any host publicip2 eq www
access-group outside_access_in in interface outside
Your 6.2 IOS works with conduits instead of access-lists, as far as I remember; you had better upgrade your IOS to 6.3(5) or 7.2.
Regards
04-10-2008 03:39 PM
Thanks for the reply, Husy. But when I try to enter the second static mapping, it throws an error saying "static overlaps with publicip1 to privateip".
On the ASA they have done it by using "extended" in the access-list and mapping two IPs: hxxp://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807d2874.shtml
I can't use "extended" in the access-list, as it doesn't support that command.
Manjula
04-10-2008 07:28 PM
Hi,
1. From v7.x, the ACL syntax is more similar to IOS; just remove "extended" when you convert it from 7.x to 6.x.
2. The "overlapping" warning should be fine if the PIX takes the command rather than rejecting it.
04-10-2008 08:20 PM
Manjula, you can accomplish this easily with policy NAT.
For example, say you have:
Local IP: 10.10.10.1
Public IP 1: 30.30.30.1
Public IP 2: 30.30.30.2
Service: RDP, TCP 3389
static (inside,outside) 30.30.30.1 access-list policy_nat_rdp1
static (inside,outside) 30.30.30.2 access-list policy_nat_rdp2
access-list policy_nat_rdp1 extended permit ip host 10.10.10.1 any
access-list policy_nat_rdp2 extended permit ip host 10.10.10.1 any
access-list outside_access_in extended permit tcp any host 30.30.30.1 eq 3389
access-list outside_access_in extended permit tcp any host 30.30.30.2 eq 3389
access-group outside_access_in in interface outside
You can omit the "extended" word. I am almost positive code 6.x supports policy NAT; if I have time I will take a look at the code 6.x release notes.
HTH
Rgds
Jorge
04-10-2008 09:49 PM
Thanks, PengFang and Jorge,
PengFang -
When I checked, it looks like the PIX doesn't take the command; "sh run" only shows one entry, so the second entry has not been taken.
Jorge -
I could use
access-list policy_nat_rdp1 permit ip host 10.10.10.1 any
access-list policy_nat_rdp2 permit ip host 10.10.10.1 any
but without the "extended" portion. It accepted both lines.
But "static (inside,outside) 30.30.30.1 access-list policy_nat_rdp1" was the problem. It doesn't take "policy_nat_rdp1". It seems the syntax only allows IP addresses; it says "ERROR: Invalid global IP address access-list".
I really appreciate your help on this. Thanks again.
NB - I use Cisco PIX Firewall Version 6.2(1)
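The two outcomes reported in this thread (the "static overlaps" error for a second plain static, and the policy-static form that Jorge posted) come from how the PIX keys its static translations: a plain static is keyed on the real address, so a second plain static for the same real host collides, while a policy static is keyed on the real address plus the access-list that selects the traffic, so two policy statics may share one real host as long as their mapped addresses differ. The Python script below is an added example, not code from the thread or from Cisco: it parses a handful of PIX/ASA-style `static` and `access-list` lines and reproduces that overlap check so a config can be linted before it is pasted into a box. The configs inside it are constructed from the thread's sample addresses; the policy case uses the 6.3+/7.x syntax Jorge posted (`extended` is accepted but optional), which, as Manjula reports, 6.2(1) rejects. The model of the PIX's rule is a simplification and an assumption of this example, not a transcription of Cisco's implementation.

```python
"""Static-NAT overlap checker for PIX 6.x-style configs (added example, not Cisco code).

Models the check the PIX performs when it rejects a second plain `static`
for the same real address, and shows why a policy static
(`static ... access-list NAME`) is keyed differently.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Plain static:  static (inside,outside) 30.30.30.1 10.10.10.1 netmask 255.255.255.255
# Policy static: static (inside,outside) 30.30.30.2 access-list policy_nat_web2
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?:(?P<real>\d+\.\d+\.\d+\.\d+)(?:\s+netmask\s+\S+)?"
    r"|access-list\s+(?P<acl>\S+))"
)
# Only the 'permit ip host SRC DST' shape used for policy NAT in the thread is parsed.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+ip\s+host\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>.+)$"
)


@dataclass
class Static:
    real_if: str
    mapped_if: str
    mapped: str
    real: Optional[str]   # set for plain statics
    acl: Optional[str]    # set for policy statics


def parse_config(text: str) -> Tuple[List[Static], Dict[str, List[Tuple[str, str]]]]:
    """Extract static translations and the policy ACLs they may reference."""
    statics: List[Static] = []
    acls: Dict[str, List[Tuple[str, str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            statics.append(Static(m["real_if"], m["mapped_if"], m["mapped"], m["real"], m["acl"]))
            continue
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m["name"], []).append((m["src"], m["dst"].strip()))
    return statics, acls


def check_overlaps(statics: List[Static], acls: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Return the errors a PIX would raise, in config order (assumed model).

    Within one (real_if, mapped_if) pair: a plain static is keyed on its real
    address, so a second plain static for the same real host overlaps; a
    mapped address may be used only once; a policy static is keyed on its
    ACL, so two of them may share one real host with different mapped IPs.
    """
    errors: List[str] = []
    seen_real: Dict[Tuple[str, str, str], str] = {}
    seen_mapped: set = set()
    for s in statics:
        key_if = (s.real_if, s.mapped_if)
        if (key_if, s.mapped) in seen_mapped:
            errors.append(f"mapped address {s.mapped} already used on ({s.real_if},{s.mapped_if})")
            continue
        if s.real is not None:
            k = (s.real_if, s.mapped_if, s.real)
            if k in seen_real:
                errors.append(f"static overlaps with {seen_real[k]} to {s.real}")
                continue
            seen_real[k] = s.mapped
        elif s.acl not in acls:
            errors.append(f"access-list {s.acl} referenced by static {s.mapped} does not exist")
            continue
        seen_mapped.add((key_if, s.mapped))
    return errors


# Constructed config 1: two plain statics for one real host (the thread's failing case).
PLAIN_CONFIG = """
static (inside,outside) 30.30.30.1 10.10.10.1 netmask 255.255.255.255
static (inside,outside) 30.30.30.2 10.10.10.1 netmask 255.255.255.255
"""

# Constructed config 2: the policy-static form Jorge posted (6.3+/7.x syntax).
POLICY_CONFIG = """
access-list policy_nat_rdp1 permit ip host 10.10.10.1 any
access-list policy_nat_rdp2 extended permit ip host 10.10.10.1 any
static (inside,outside) 30.30.30.1 access-list policy_nat_rdp1
static (inside,outside) 30.30.30.2 access-list policy_nat_rdp2
"""


def errors_for(config: str) -> List[str]:
    statics, acls = parse_config(config)
    return check_overlaps(statics, acls)


if __name__ == "__main__":
    for name, cfg in (("plain", PLAIN_CONFIG), ("policy", POLICY_CONFIG)):
        print(name, errors_for(cfg) or "OK")
```

Running it prints the overlap error for the plain config and "OK" for the policy config; a static that names an ACL not present in the config is also reported, which is the mistake most likely to slip past a copy-paste from a 7.x example.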