Public IP's are used up, any way round this - port forwarding?

Unanswered Question
Oct 1st, 2008


We haev used up all our public IP's due to NATing them to static private IP's, before we spend the time and money on getting more which will mean a completely new scope, can I do anything else? Like use one IP for 2 server but differnt ports as some server use http and other ftp etc.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
abinjola Thu, 10/02/2008 - 00:03 may do static port forwarding for inbound traffic

static (inside,outside) tcp x.x.x.x 25 y.y.y.y 25

static (inside,outside) tcp x.x.x.x 80 y.y.y.y 80




x.x.x.x--->public IP/Pix Outside Interface IP

y.y.y.y-->Private IP address

Do rate if it helps !

whiteford Thu, 10/02/2008 - 01:02


Should I be doing your method anyway or is the static method I'm doing normal practise or a bit of both.

I ask as I like to keep to best practices.

abinjola Thu, 10/02/2008 - 01:27

Well again it depends, if you have enough public IPs you may go with 1-1 static, but if you only have very limited IP then static port forwarding is a better choice

Moreover static port forwarding is unidirectional, that is only from outside to inside, for outbound you need normal nat(inside) and global (outside) for that host

Do rate if it helps !

whiteford Thu, 10/02/2008 - 06:34

I guess I will have to add an rule on the Outside interface to allow this to work as I need an external public IP access to a private IP inside on a particular port?

abinjola Thu, 10/02/2008 - 08:18

yes need ACLs besides the static port forwarding translation rule

whiteford Thu, 10/02/2008 - 10:32

I must of done something wrong, I added the port forward (PAT) from the outside interface to the private IP of the server on tcp/80 just like your useful example.

I then add a rule on the outside interface to allow any ip to the private IP on port 80, but I got get access from the Internet.

Have I missed something, do you have another example?

Many thanks!

abinjola Thu, 10/02/2008 - 10:38

Use the command line and add the following

static (inside,outside) tcp interface 80 80

and in the outside access-list add

access-l permit tcp any host y.y.y.y eq 80

y.y.y.y-->outside interface IP

whiteford Thu, 10/02/2008 - 10:47

This is were I went wrong I think:

access-l permit tcp any host y.y.y.y eq 80

So because I have "bound" port 80 to my server the permit rule above knows how to get to the private IP?

Does this mean I can't use port 80 on another webserver?


abinjola Sat, 10/04/2008 - 10:21

correct..if you are translating inbound traffic on outside interface for port 80 to a specific server, you cannot use overlap or duplicate statics to use port 80 again


This Discussion