09-08-2008 12:53 PM - edited 03-11-2019 06:41 AM
I need to set up a static NAT for a surveillance camera on our network, so that it can be viewed as a demo to some people.
camera ip: 10.8.xx.xxx 255.255.255.0
public ip: 64.207.xx.xxx
I have just started dealing with a PIX so any help would be appreciated.
09-08-2008 12:56 PM
You want to create a static NAT; or if you can restrict operation to known ports, then use those ports; but a static NAT would be
static (inside,outside) 64.207.8.8 10.10.1.10
then an acl to permit the inbound ports
access-list outside_allowed_in permit tcp any host 64.207.8.8 eq 8100
access-group outside_allowed_in in interface outside
as a rule you only have to apply the acl to the inbound outside interface for the tcp session to be permitted.
Let us know more about your surveillance camera and perhaps we can come up with some better rules.
thanks,
Joe
09-08-2008 12:57 PM
Ashley
Assuming the camera is on the inside of the pix
static (inside,outside) 64.207.xx.xxx 10.8.xx.xxx netmask 255.255.255.255
You will also need to make sure you allow the external access with an access-list on your outside interface. Are you okay with this ?
Jon
09-08-2008 01:15 PM
Yes, the camera is on the inside of the PIX. OK, I am fine with setting up the NAT for the camera; that doesn't seem to be too hard. For the ACL, would the below do? Also, do I need to add the new public IP to the outside interface? Basically, do I need to have multiple IPs assigned to that one outside interface to make it work?
access-list outside_allowed_in permit tcp any host 64.207.xx.xxx eq 80
access-group outside_allowed_in in interface outside
09-08-2008 01:22 PM
No, you don't need to assign the IP address to the outside interface, assuming it is a different IP address than the one assigned to the outside interface. But the IP address you use must be
a) a public IP address routable on the Internet
b) an address that is routed to the outside interface of your PIX - the ISP should be doing this for you.
The access-list looks fine. Just be aware there is an implicit deny at the end of any access-list, so if you need to allow any other connections from outside you need to allow them as well. Note this does not apply to return traffic from connections initiated from the inside, i.e. user internet surfing etc. This traffic will be allowed anyway.
Jon
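To make the implicit-deny point concrete, here is an added example (not from this thread or from Cisco) that parses the three PIX lines used above and evaluates new inbound connections against them: the `static`, the `access-list` ACE and the `access-group` binding. Addresses are constructed placeholders (198.51.100.x public, 10.8.0.x inside), and the ACE grammar is deliberately limited to `any`/`host` and `eq PORT`, which is all the thread's rules use.

```python
import re

# Constructed sample config mirroring the thread's rules, with placeholder addresses.
CONFIG = """
static (inside,outside) 198.51.100.10 10.8.0.10 netmask 255.255.255.255
access-list outside_allowed_in permit tcp any host 198.51.100.10 eq 80
access-group outside_allowed_in in interface outside
"""

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+)")
# Simplified ACE grammar: only 'any' / 'host A.B.C.D' and an optional 'eq PORT'.
ACE_RE = re.compile(
    r"access-list (\S+) (permit|deny) (tcp|udp|ip) (any|host \S+) (any|host \S+)(?: eq (\d+))?$"
)
GROUP_RE = re.compile(r"access-group (\S+) in interface (\w+)")


def parse(config):
    """Return (static map global->local, {acl_name: [ACEs]}, {interface: acl_name})."""
    statics, acls, groups = {}, {}, {}
    for line in config.strip().splitlines():
        if m := STATIC_RE.match(line):
            statics[m.group(3)] = m.group(4)          # global (public) -> local (inside)
        elif m := ACE_RE.match(line):
            name, action, proto, src, dst, port = m.groups()
            acls.setdefault(name, []).append((action, proto, src, dst, int(port) if port else None))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)            # interface -> ACL applied inbound
    return statics, acls, groups


def _addr_match(spec, ip):
    return spec == "any" or spec == f"host {ip}"


def inbound_decision(config, src_ip, dst_ip, dst_port, proto="tcp"):
    """Evaluate a NEW connection arriving on 'outside' (pre-8.3 style: ACL sees the public IP).
    Returns ('permit', inside_ip) or ('deny', reason). First matching ACE wins; no match = implicit deny."""
    statics, acls, groups = parse(config)
    for action, ace_proto, src, dst, port in acls.get(groups.get("outside", ""), []):
        if ace_proto in ("ip", proto) and _addr_match(src, src_ip) \
                and _addr_match(dst, dst_ip) and port in (None, dst_port):
            if action == "deny":
                return "deny", "explicit deny"
            if dst_ip not in statics:
                return "deny", "no static translation for destination"
            return "permit", statics[dst_ip]
    return "deny", "implicit deny at end of ACL"


def return_allowed(sessions, src_ip, src_port, dst_ip, dst_port):
    """Return traffic for an inside-initiated session bypasses the outside ACL (stateful inspection).
    'sessions' is a set of (inside_global_ip, inside_port, remote_ip, remote_port) tuples."""
    return (dst_ip, dst_port, src_ip, src_port) in sessions
```

Running `inbound_decision(CONFIG, "203.0.113.5", "198.51.100.10", 8100)` shows why the camera's port has to match the ACE exactly: nothing else is permitted.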