05-12-2008 12:49 PM - edited 03-11-2019 05:43 AM
I have a user who will be coming from a range of IPs, 162.xx.xx.0 - 6 and 161.xx.xx.0 - 6, on a PIX 515E. How do I funnel this to go to my server at 205.xx.xx.xx? I'm not sure how to handle the range that the user is coming from. As a last-ditch effort I was going to do a one-to-one mapping, but I would like to avoid doing this:
static (inside,outside) 162.xx.xx.xx.1 205.xx.xx.xx.xx netmask 255.255.255.255
I'd prefer not to, but if that is what I have to do then I guess I will.
05-12-2008 07:54 PM
Warren,
I think I understand your question. You have a range of IPs in the 162 and 161 blocks, and you want to map these IPs to a single server host 205.xx.xx.xx on the inside. If this is correct, you can do it through policy NAT if you are running PIX code version 7.x or above, but frankly this is a waste of public IPs to give to a single host inside your LAN; I would simply give it a one-to-one NAT as you indicated in your post.
Example of mapping several public IPs to a single inside host:
static (inside,outside) 161.x.x.1 access-list policy_nat_http1
static (inside,outside) 161.x.x.2 access-list policy_nat_http2
static (inside,outside) 162.x.x.1 access-list policy_nat_rdp1
static (inside,outside) 162.x.x.2 access-list policy_nat_ftp1
static (inside,outside) 161.x.x.3 access-list policy_nat_ftp2
access-list policy_nat_http1 extended permit ip host 205.xx.xx.xx any
access-list policy_nat_http2 extended permit ip host 205.xx.xx.xx any
access-list policy_nat_rdp1 extended permit ip host 205.xx.xx.xx any
access-list policy_nat_ftp1 extended permit ip host 205.xx.xx.xx any
access-list policy_nat_ftp2 extended permit ip host 205.xx.xx.xx any
access-list outside_access_in extended permit tcp any host 161.x.x.1 eq 80 log
access-list outside_access_in extended permit tcp any host 161.x.x.2 eq 80 log
access-list outside_access_in extended permit tcp any host 162.x.x.1 eq 3389 log
access-list outside_access_in extended permit tcp any host 162.x.x.2 eq 21 log
access-list outside_access_in extended permit tcp any host 161.x.x.3 eq 21 log
access-group outside_access_in in interface outside
Why don't you simply do one-to-one NAT and permit the required ports to be accessed on the server?
HTH
-Jorge
05-13-2008 05:40 AM
That looks like more work. I guess the best way is just doing it as a one-to-one NAT.
I'll just have 12 entries... thanks for the info!!!!
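The approach Jorge recommends, a single one-to-one static for the server plus an outside ACL that opens only the required ports, is shown below as an added example; it is not code from the thread or from Cisco. It assumes the 162/161 addresses in the question are the remote user's source ranges (so they belong in the ACL source field rather than in the static), and it uses constructed TEST-NET addresses in place of the redacted ones. The point it adds is the one that trips people up with a range like .0 - .6: that range is not CIDR-aligned, so an exact ACL needs three entries (/30, /31, /32), while a single /29 mask quietly also permits .7. Both renderings are computed so you can choose deliberately.

```python
"""Emit PIX 7.x one-to-one static NAT plus a source-restricted outside ACL.

Added example, not from the original thread. Addresses are constructed
placeholders (RFC 5737 TEST-NET ranges) standing in for the redacted
162.xx.xx.x / 161.xx.xx.x / 205.xx.xx.xx values in the post.
"""
import ipaddress


def range_to_networks(first, last):
    """Exact CIDR cover of an inclusive address range.

    A non-aligned range such as .0-.6 cannot be expressed as one block;
    summarize_address_range returns the minimal list of aligned blocks.
    """
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def smallest_covering_block(first, last):
    """Smallest single CIDR block containing the whole range.

    Returns (network, extra) where extra is the number of addresses the
    block permits beyond the requested range (0 means an exact fit).
    """
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    for plen in range(32, -1, -1):
        net = ipaddress.ip_network(f"{lo}/{plen}", strict=False)
        if hi in net:
            return net, net.num_addresses - (int(hi) - int(lo) + 1)


def acl_source(net):
    """Render a network in PIX ACL syntax: 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def build_config(outside_ip, inside_ip, source_ranges, ports,
                 acl_name="outside_access_in"):
    """One static for the server plus one ACL line per (source block, port)."""
    lines = [f"static (inside,outside) {outside_ip} {inside_ip} "
             f"netmask 255.255.255.255"]
    for first, last in source_ranges:
        for net in range_to_networks(first, last):
            for port in ports:
                lines.append(
                    f"access-list {acl_name} extended permit tcp "
                    f"{acl_source(net)} host {outside_ip} eq {port} log")
    lines.append(f"access-group {acl_name} in interface outside")
    return lines


if __name__ == "__main__":
    # Constructed sample: two remote /29-ish ranges (.0-.6), one public IP
    # for the server, and the two ports the thread's ACL opens (80, 3389).
    remote = [("198.51.100.0", "198.51.100.6"),
              ("203.0.113.0", "203.0.113.6")]
    for first, last in remote:
        net, extra = smallest_covering_block(first, last)
        print(f"! {first}-{last}: exact cover = "
              f"{[str(n) for n in range_to_networks(first, last)]}, "
              f"single block = {net} (over-permits {extra} address)")
    for line in build_config("192.0.2.10", "10.0.0.5", remote, [80, 3389]):
        print(line)
```

With the exact cover, the two ranges and two ports produce 12 access-list lines behind one static, which is the shape of the "12 entries" the original poster settled on; if you would rather carry a single mask per range, take the /29 from smallest_covering_block and accept that .7 is permitted as well.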