Static NAT

Unanswered Question
Sep 8th, 2008

I need to set up a static NAT for a surveillance camera on our network, so that it can be viewed as a demo to some people.

camera ip: 10.8.xx.xxx 255.255.255.0

public ip: 64.207.xx.xxx

I have just started dealing with a PIX so any help would be appreciated.


You want to create a static nat; or if you can restrict operation to known ports, then use those ports; but a static nat would be

static (inside,outside) 64.207.8.8 10.10.1.10

then an acl to permit the inbound ports

access-list outside_allowed_in permit tcp any host 64.207.8.8 eq 8100

access-group outside_allowed_in in interface outside

as a rule you only have to apply the acl to the inbound outside interface for the tcp session to be permitted.

Let us know more about your surveillance camera and perhaps we can come up with some better rules.

thanks,

Joe

Jon Marshall Mon, 09/08/2008 - 12:57

Ashley

Assuming the camera is on the inside of the pix

static (inside,outside) 64.207.xx.xxx 10.8.xx.xxx netmask 255.255.255.255

You will also need to make sure you allow the external access with an access-list on your outside interface. Are you okay with this?

Jon

asmith252 Mon, 09/08/2008 - 13:15

Yes, the camera is on the inside of the PIX. Ok, I am fine with setting up the NAT for the camera; that doesn't seem to be too hard. For the acl, would the below do? Also, do I need to add the new public IP to the outside interface, basically do I need to have multiple IPs assigned to that one outside interface to make it work?

access-list outside_allowed_in permit tcp any host 64.207.xx.xxx eq 80

access-group outside_allowed_in in interface outside

Jon Marshall Mon, 09/08/2008 - 13:22

No, you don't need to assign the IP address to the outside interface, assuming it is a different IP address than the one assigned to the outside interface. But the IP address you use must be

a) a public IP address routable on the Internet

b) the address must be routed to the outside interface of your pix - your ISP should be doing this for you.

access-list looks fine. Just be aware there is an implicit deny at the end of any access-list, so if you need to allow any other connections from outside you need to allow them as well. Note this does not apply to return traffic from connections initiated from the inside, i.e. user internet surfing etc. This traffic will be allowed anyway.

Jon
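A fuller version of the configuration the thread arrives at, added here as an illustration and not taken from any post: it reuses the sample addresses from Joe's reply (64.207.8.8 public, 10.10.1.10 camera), narrows the inbound rule from `any` to a constructed demo-viewer network 198.51.100.0/24 so the camera's web interface is not open to the whole Internet, and lists the show commands for confirming the translation and the ACL hits. PIX 6.x/7.x syntax is assumed, matching the thread.

```cisco
! Added example (not from any post in the thread). Addresses are the sample
! values from Joe's reply plus a constructed viewer network, 198.51.100.0/24.
!
! One-to-one static translation: public 64.207.8.8 maps to the camera 10.10.1.10.
! The /32 netmask makes it a single-host mapping.
static (inside,outside) 64.207.8.8 10.10.1.10 netmask 255.255.255.255
!
! Inbound rule: only the demo viewers' network may reach the camera's web port.
! PIX ACLs take a subnet mask (not an IOS wildcard). Everything not matched
! here is dropped by the implicit deny at the end of the list.
access-list outside_allowed_in permit tcp 198.51.100.0 255.255.255.0 host 64.207.8.8 eq 80
!
! Bind the list inbound on the outside interface; return traffic for sessions
! started from the inside is permitted statefully and needs no rule.
access-group outside_allowed_in in interface outside
!
! Verification after a test connection from the viewer network:
!   show xlate        - a Global/Local entry pairing 64.207.8.8 with 10.10.1.10
!   show access-list  - hitcnt on the permit line should increase
!   clear xlate       - use if the static was edited and a stale translation remains
```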
