Public IPs are used up, any way round this - port forwarding?

Oct 1st, 2008

Hi,


We have used up all our public IPs due to NATing them to static private IPs. Before we spend the time and money on getting more, which will mean a completely new scope, can I do anything else? Like use one IP for 2 servers but different ports, as some servers use http and others ftp etc.


Thanks

abinjola Thu, 10/02/2008 - 00:03
User Badges:
  • Cisco Employee,

Exactly. You may do static port forwarding for inbound traffic:



static (inside,outside) tcp x.x.x.x 25 y.y.y.y 25


static (inside,outside) tcp x.x.x.x 80 y.y.y.y 80

...


x.x.x.x--->public IP/Pix Outside Interface IP


y.y.y.y-->Private IP address


Do rate if it helps !

whiteford Thu, 10/02/2008 - 01:02

Thanks,


Should I be doing your method anyway, or is the static method I'm doing normal practice, or a bit of both?


I ask as I like to keep to best practices.

abinjola Thu, 10/02/2008 - 01:27

Well, again it depends: if you have enough public IPs you may go with 1-1 static, but if you only have very limited IPs then static port forwarding is a better choice.


Moreover, static port forwarding is unidirectional, that is, only from outside to inside; for outbound you need normal nat (inside) and global (outside) for that host.


Do rate if it helps !


whiteford Thu, 10/02/2008 - 06:34

I guess I will have to add a rule on the Outside interface to allow this to work as I need an external public IP access to a private IP inside on a particular port?

abinjola Thu, 10/02/2008 - 08:18

Yes, correct. You need ACLs besides the static port forwarding translation rule.

whiteford Thu, 10/02/2008 - 10:32

I must have done something wrong. I added the port forward (PAT) from the outside interface to the private IP of the server on tcp/80, just like your useful example.


I then added a rule on the outside interface to allow any IP to the private IP on port 80, but I can't get access from the Internet.


Have I missed something, do you have another example?


Many thanks!

abinjola Thu, 10/02/2008 - 10:38

Use the command line and add the following


static (inside,outside) tcp interface 80 <private-IP> 80


and in the outside access-list add


access-l permit tcp any host y.y.y.y eq 80


y.y.y.y-->outside interface IP



whiteford Thu, 10/02/2008 - 10:47

This is where I went wrong, I think:


access-l permit tcp any host y.y.y.y eq 80


So because I have "bound" port 80 to my server the permit rule above knows how to get to the private IP?


Does this mean I can't use port 80 on another webserver?


Thanks

abinjola Sat, 10/04/2008 - 10:21

Correct. If you are translating inbound traffic on the outside interface for port 80 to a specific server, you cannot use overlapping or duplicate statics to use port 80 again.
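
As an added example (not part of the thread, and not a Cisco tool): a short Python check for the two points the replies make, that every static port forward needs a matching permit in the outside access-list, and that one public IP and port cannot be forwarded to two servers. The addresses, the ACL name `outside_in` and the function names are assumptions; it only understands the simple `permit tcp|udp any host X eq P` form and assumes that ACL is the one applied to the outside interface.

```python
import re
from collections import defaultdict

# Constructed sample config using documentation addresses (not from the thread).
SAMPLE = """\
static (inside,outside) tcp 203.0.113.10 80 192.168.1.10 80
static (inside,outside) tcp 203.0.113.10 21 192.168.1.20 21
static (inside,outside) tcp 203.0.113.10 www 192.168.1.30 www
static (inside,outside) tcp 203.0.113.10 25 192.168.1.40 25
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-list outside_in permit tcp any host 203.0.113.10 eq 21
"""

STATIC_RE = re.compile(r"static \(\S+,\S+\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(
    r"access-list \S+ (?:extended )?permit (tcp|udp) any host (\S+) eq (\S+)")
# The firewall prints some ports by name; map the few used here to numbers.
PORT_NAMES = {"www": "80", "ftp": "21", "smtp": "25"}


def port(p):
    return PORT_NAMES.get(p, p)


def audit(config, outside_ip=None):
    """Return (conflicts, unpermitted) for the static PAT lines in config.

    conflicts:   public (proto, ip, port) forwarded to more than one server
    unpermitted: public (proto, ip, port) with no matching ACL permit
    outside_ip:  address to substitute for the 'interface' keyword
    """
    forwards = defaultdict(list)
    permitted = set()
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            proto, pub_ip, pub_port, priv_ip, priv_port = m.groups()
            if pub_ip == "interface" and outside_ip:
                pub_ip = outside_ip
            forwards[(proto, pub_ip, port(pub_port))].append(
                f"{priv_ip}:{port(priv_port)}")
        elif m := ACL_RE.match(line):
            proto, dst_ip, dst_port = m.groups()
            permitted.add((proto, dst_ip, port(dst_port)))
    conflicts = {k: v for k, v in forwards.items() if len(v) > 1}
    unpermitted = sorted(k for k in forwards if k not in permitted)
    return conflicts, unpermitted


if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the sample, port 80 is reported as forwarded to two servers and the port 25 forward as having no permit; one-to-one statics (no `tcp`/`udp` keyword) are ignored.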
