Letting in a range of IPs

Answered Question
May 12th, 2008

I have a user that will be coming from a range of IPs, 162.xx.xx.0 - 6 and 161.xx.xx.0 - 6, on a PIX 515E. How do I funnel this to go to my server at 205.xx.xx.xx? I'm not sure how to handle the range that the user is coming from. As a last-ditch effort I was going to do a one-to-one mapping, though I would rather avoid doing this:

static (inside,outside) 162.xx.xx.xx.1 205.xx.xx.xx.xx netmask 255.255.255.255

I'd prefer not to, but if that is what I have to do then I guess I will.

Correct Answer by JORGE RODRIGUEZ, Mon, 05/12/2008 - 19:54

Warren,

I think I understand your question. You have a range of IPs on the 162 and 161 blocks, and you want to map these IPs to a single server host 205.xx.xx.xx on the inside. If this is correct, you can do it through policy NAT if you are running PIX code version 7.x or above, but frankly this is a waste of public IPs to give to a single host inside your LAN; I would simply give it a one-to-one NAT as you indicated in your post.

Example of mapping several public IPs to a single inside host:

static (inside,outside) 161.x.x.1 access-list policy_nat_http1
static (inside,outside) 161.x.x.2 access-list policy_nat_http2
static (inside,outside) 162.x.x.1 access-list policy_nat_rdp1
static (inside,outside) 162.x.x.2 access-list policy_nat_ftp1
static (inside,outside) 161.x.x.3 access-list policy_nat_ftp2

access-list policy_nat_http1 extended permit ip host 205.xx.xx.xx any
access-list policy_nat_http2 extended permit ip host 205.xx.xx.xx any
access-list policy_nat_rdp1 extended permit ip host 205.xx.xx.xx any
access-list policy_nat_ftp1 extended permit ip host 205.xx.xx.xx any
access-list policy_nat_ftp2 extended permit ip host 205.xx.xx.xx any

access-list outside_access_in extended permit tcp any host 161.x.x.1 eq 80 log
access-list outside_access_in extended permit tcp any host 161.x.x.2 eq 80 log
access-list outside_access_in extended permit tcp any host 162.x.x.1 eq 3389 log
access-list outside_access_in extended permit tcp any host 162.x.x.2 eq 21 log
access-list outside_access_in extended permit tcp any host 161.x.x.3 eq 21 log

access-group outside_access_in in interface outside

Why don't you simply do one-to-one NAT and permit the required ports to be accessed on the server?

HTH

-Jorge
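The policy-NAT pattern in the answer above (one static plus its access-list per public IP, and an inbound ACL that opens only the needed TCP port per address) is easy to get wrong by hand once the range grows to the dozen entries the question mentions. The following Python is an added example, not part of the thread or Cisco's own tooling: it generalises that pattern to a whole range of public IPs fronting one inside host, emitting PIX 7.x-style lines, and then audits the generated (or any pasted) config so that every translated public IP is reachable only on explicitly listed ports. All addresses are constructed RFC 5737 documentation addresses standing in for the redacted 161.x/162.x and 205.x values, and the policy_nat_N ACL names are an assumed naming scheme, not the thread's.

```python
"""Added example (not from the thread): expand a public IP range into the
thread's PIX 7.x policy-NAT pattern and audit inbound exposure per address.
Addresses are constructed RFC 5737 documentation values; ACL names are assumed."""
import ipaddress
import re


def expand_range(first, last):
    """Expand an inclusive IPv4 range, e.g. '192.0.2.1' .. '192.0.2.6', to a list."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError("range end precedes range start")
    return [str(lo + i) for i in range(int(hi) - int(lo) + 1)]


def policy_nat_config(public_ips, inside_host, tcp_ports, acl_in="outside_access_in"):
    """One 'static ... access-list' pair per public IP (policy NAT, as in the
    thread) plus an inbound ACL that opens only the listed TCP ports."""
    lines = []
    for n, pub in enumerate(public_ips, start=1):
        pn = f"policy_nat_{n}"  # assumed naming scheme, not the thread's
        lines.append(f"access-list {pn} extended permit ip host {inside_host} any")
        lines.append(f"static (inside,outside) {pub} access-list {pn}")
    for pub in public_ips:
        for port in tcp_ports:
            lines.append(f"access-list {acl_in} extended permit tcp any host {pub} eq {port} log")
    lines.append(f"access-group {acl_in} in interface outside")
    return lines


# mapped (outside) address is the first token after the interface pair for
# both regular statics and policy statics
STATIC_RE = re.compile(r"^static \(\w+,\w+\) (\S+)")
# inbound ACE: 'permit <proto> any host <ip> [eq <port>] ...'
INBOUND_RE = re.compile(r"^access-list (\S+) extended permit (\S+) any host (\S+)(?: eq (\S+))?")


def audit_exposure(lines, acl_in="outside_access_in"):
    """For every statically translated public IP, report what the inbound ACL
    lets reach it: {'ports': [...], 'unrestricted': True if a rule opens all ports}."""
    exposure = {}
    for line in lines:
        m = STATIC_RE.match(line)
        if m:
            exposure.setdefault(m.group(1), {"ports": [], "unrestricted": False})
    for line in lines:
        m = INBOUND_RE.match(line)
        if not m or m.group(1) != acl_in or m.group(3) not in exposure:
            continue
        proto, port = m.group(2), m.group(4)
        entry = exposure[m.group(3)]
        if proto == "ip" or (proto in ("tcp", "udp") and port is None):
            entry["unrestricted"] = True  # whole host exposed, not least privilege
        elif port is not None:
            entry["ports"].append(int(port) if port.isdigit() else port)
    for entry in exposure.values():
        entry["ports"] = sorted(set(entry["ports"]), key=lambda p: (isinstance(p, str), p))
    return exposure


def risky_entries(lines, acl_in="outside_access_in"):
    """Public IPs whose translation is reachable on every port from the outside."""
    return [ip for ip, e in audit_exposure(lines, acl_in).items() if e["unrestricted"]]


if __name__ == "__main__":
    # constructed sample: six public addresses, one web server, HTTP and HTTPS only
    ips = expand_range("192.0.2.1", "192.0.2.6")
    cfg = policy_nat_config(ips, "198.51.100.10", [80, 443])
    print("\n".join(cfg))
    print("unrestricted:", risky_entries(cfg))
    # a stray 'permit ip any host' line is what the audit is meant to catch
    print("unrestricted:", risky_entries(cfg + [
        "access-list outside_access_in extended permit ip any host 192.0.2.6"]))
```

Run the audit over a `show running-config` paste as well as over generated text; it deliberately ignores the policy_nat_* ACLs (they select the real host and carry no inbound exposure) and only flags the ACL bound inbound on the outside interface. If a static has no matching permit at all the entry simply shows an empty port list, which is worth a second look since the translation is then doing nothing useful.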

wgranada1 Tue, 05/13/2008 - 05:40

That looks like more work. I guess the best way is just doing it as a one-to-one NAT.

I'll just have 12 entries... thanks for the info!!!!
