Letting in a range of IPs

wgranada1
Level 1

I have a user that will be coming from a range of IPs, 162.xx.xx.0 - 6 and 161.xx.xx.0 - 6, on a PIX 515E. How do I funnel this to go to my server at 205.xx.xx.xx? I'm not sure how to handle the range that the user is coming from. As a last-ditch effort I was going to do a one-to-one mapping, but I'd like to avoid doing this:

static (inside,outside) 162.xx.xx.1 205.xx.xx.xx netmask 255.255.255.255

I prefer not to, but if that is what I have to do, then I guess I will.

Accepted Solution

JORGE RODRIGUEZ
Level 10

Warren,

I think I understand your question. You have a range of IPs on the 162 and 161 blocks, and you want to map these IPs to a single server host 205.xx.xx.xx on the inside. If this is correct, you can do it through policy NAT if you are running PIX code version 7.x or above, but frankly this is a waste of public IPs to give to a single host inside your LAN; I would simply give it a one-to-one NAT as you indicated in your post.

Example of mapping several public IPs to a single inside host:

! Policy static NAT: each public (mapped) IP is translated to the single inside host
! selected by the referenced access-list
static (inside,outside) 161.x.x.1 access-list policy_nat_http1
static (inside,outside) 161.x.x.2 access-list policy_nat_http2
static (inside,outside) 162.x.x.1 access-list policy_nat_rdp1
static (inside,outside) 162.x.x.2 access-list policy_nat_ftp1
static (inside,outside) 161.x.x.3 access-list policy_nat_ftp2
! The policy NAT access-lists name the real (inside) host, 205.xx.xx.xx, as the source
access-list policy_nat_http1 extended permit ip host 205.xx.xx.xx any
access-list policy_nat_http2 extended permit ip host 205.xx.xx.xx any
access-list policy_nat_rdp1 extended permit ip host 205.xx.xx.xx any
access-list policy_nat_ftp1 extended permit ip host 205.xx.xx.xx any
access-list policy_nat_ftp2 extended permit ip host 205.xx.xx.xx any
! Inbound ACL: open only the required port on each mapped IP, logged
access-list outside_access_in extended permit tcp any host 161.x.x.1 eq 80 log
access-list outside_access_in extended permit tcp any host 161.x.x.2 eq 80 log
access-list outside_access_in extended permit tcp any host 162.x.x.1 eq 3389 log
access-list outside_access_in extended permit tcp any host 162.x.x.2 eq 21 log
access-list outside_access_in extended permit tcp any host 161.x.x.3 eq 21 log
! Bind the inbound ACL to the outside interface
access-group outside_access_in in interface outside

Why don't you simply do one-to-one NAT and permit the required ports to be accessed on the server?

HTH

-Jorge

Jorge Rodriguez

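The recommendation above amounts to two things: one `static` per public address, and an inbound ACL that opens only the ports the server actually serves. The script below is an added example, not code from the thread or from Cisco: it expands the two `.0 - 6` ranges the way the original poster described them, emits the PIX 7.x one-to-one statics and the port-restricted `outside_access_in` lines, and then cross-checks a config the other way round, flagging ACL lines that open `ip` or an unplanned port to a mapped address, ACL lines pointing at addresses with no static, and statics no ACL ever reaches. The addresses (RFC 5737 documentation blocks, inside server 10.0.0.25) and the port set (HTTP and RDP, taken from the answer's ACL example) are assumptions standing in for the masked values in the post.

```python
import ipaddress
import re

# Constructed placeholders (RFC 5737 documentation ranges) stand in for the
# post's masked 161.xx/162.xx public blocks; the server is given the private
# real address 10.0.0.25 behind the PIX (assumption, not from the post).

STATIC_RE = re.compile(
    r"^static \(inside,outside\) (\S+) (\S+) netmask 255\.255\.255\.255$")
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit (\S+) (.+?) host (\S+)(?: eq (\S+))?(?: log)?$")


def expand_range(first, last):
    """Expand an inclusive range written like '.0 - 6' in the post into addresses."""
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if b < a:
        raise ValueError("range end precedes range start")
    return [ipaddress.IPv4Address(int(a) + i) for i in range(int(b) - int(a) + 1)]


def build_config(real_host, mapped_ips, required_ports, acl="outside_access_in"):
    """One one-to-one static per public IP, one ACL line per (IP, proto, port)
    the server actually needs exposed, then the access-group binding."""
    lines = [f"static (inside,outside) {ip} {real_host} netmask 255.255.255.255"
             for ip in mapped_ips]
    for ip in mapped_ips:
        for proto, port in required_ports:
            lines.append(f"access-list {acl} extended permit {proto} any "
                         f"host {ip} eq {port} log")
    lines.append(f"access-group {acl} in interface outside")
    return lines


def audit(config_lines, required_ports):
    """Cross-check statics against the inbound ACL. Returns (kind, line) pairs:
    'broad'    - ACL line opens 'ip' or a port outside required_ports to a mapped IP
    'dangling' - ACL line permits traffic to a destination that has no static
    'unused'   - static whose mapped IP no ACL line permits (inbound is denied by
                 default on the PIX, so this is dead config rather than exposure)"""
    statics = {}
    for line in config_lines:
        m = STATIC_RE.match(line)
        if m:
            statics[m.group(1)] = line
    findings, reached = [], set()
    for line in config_lines:
        m = ACL_RE.match(line)
        if not m:
            continue
        proto, dst, port = m.group(2), m.group(4), m.group(5)
        if dst not in statics:
            findings.append(("dangling", line))
            continue
        reached.add(dst)
        if proto == "ip" or (proto, port) not in required_ports:
            findings.append(("broad", line))
    for ip, line in statics.items():
        if ip not in reached:
            findings.append(("unused", line))
    return findings


# The post's shape: two blocks of .0 - .6, one inside server, HTTP and RDP only.
MAPPED = expand_range("198.51.100.0", "198.51.100.6") + \
         expand_range("203.0.113.0", "203.0.113.6")
REQUIRED = {("tcp", "80"), ("tcp", "3389")}
CONFIG = build_config("10.0.0.25", MAPPED, sorted(REQUIRED))

# Constructed mistakes appended to CONFIG to show what the audit catches.
SLOPPY_CONFIG = CONFIG + [
    "access-list outside_access_in extended permit ip any host 198.51.100.1 log",
    "access-list outside_access_in extended permit tcp any host 198.51.100.99 eq 80",
    "static (inside,outside) 198.51.100.7 10.0.0.25 netmask 255.255.255.255",
]

if __name__ == "__main__":
    print("\n".join(CONFIG))
    for kind, line in audit(SLOPPY_CONFIG, REQUIRED):
        print(f"{kind:9} {line}")
```

Run it as-is to see the generated config followed by the three findings for the deliberately sloppy copy; the clean config audits to an empty list. The parser only understands the `static ... netmask` and `access-list ... extended permit ... host ...` shapes used in this thread, so feed it a `show run` excerpt in that form rather than an arbitrary ASA config.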

2 Replies


That looks like more work. I guess the best way is just doing it as a one-to-one NAT.

I'll just have 12 entries.... Thanks for the info!
