10-01-2008 11:51 PM - edited 03-11-2019 06:52 AM
Hi,
We have used up all our public IPs due to NATing them to static private IPs. Before we spend the time and money on getting more, which will mean a completely new scope, can I do anything else? Like use one IP for 2 servers but different ports, as some servers use http and others ftp etc.
Thanks
10-02-2008 12:03 AM
exactly..you may do static port forwarding for inbound traffic
static (inside,outside) tcp x.x.x.x 25 y.y.y.y 25
static (inside,outside) tcp x.x.x.x 80 y.y.y.y 80
.
.
.
x.x.x.x--->public IP/Pix Outside Interface IP
y.y.y.y-->Private IP address
Do rate if it helps !
10-02-2008 01:02 AM
Thanks,
Should I be doing your method anyway, or is the static method I'm doing normal practice, or a bit of both?
I ask as I like to keep to best practices.
10-02-2008 01:27 AM
Well again it depends. If you have enough public IPs you may go with 1-1 static, but if you only have very limited IPs then static port forwarding is a better choice.
Moreover, static port forwarding is unidirectional, that is, only from outside to inside; for outbound you need normal nat (inside) and global (outside) for that host.
Do rate if it helps !
10-02-2008 06:34 AM
I guess I will have to add a rule on the Outside interface to allow this to work, as I need an external public IP to access a private IP inside on a particular port?
10-02-2008 08:18 AM
yes correct..you need ACLs besides the static port forwarding translation rule
10-02-2008 10:32 AM
I must have done something wrong. I added the port forward (PAT) from the outside interface to the private IP of the server on tcp/80, just like your useful example.
I then added a rule on the outside interface to allow any IP to the private IP on port 80, but I can't get access from the Internet.
Have I missed something, do you have another example?
Many thanks!
10-02-2008 10:38 AM
Use the command line and add the following
static (inside,outside) tcp interface 80
and in the outside access-list add
access-l
y.y.y.y-->outside interface IP
10-02-2008 10:47 AM
This is where I went wrong I think:
access-l
So because I have "bound" port 80 to my server the permit rule above knows how to get to the private IP?
Does this mean I can't use port 80 on another webserver?
Thanks
10-04-2008 10:21 AM
correct..if you are translating inbound traffic on outside interface for port 80 to a specific server, you cannot use overlap or duplicate statics to use port 80 again
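The restriction described in the last reply (one mapped address and port can forward to only one inside host) can be checked across a configuration before it is applied. The following is an added example, not part of any post in this thread: a Python script that parses static PAT lines in the form shown above and reports mapped ports claimed by more than one server. The sample configuration, its addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Static PAT form used in the thread (pre-8.3 PIX/ASA syntax):
#   static (real_if,mapped_if) tcp <mapped_ip|interface> <mapped_port> <real_ip> <real_port>
STATIC_RE = re.compile(
    r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")

# Constructed sample config; addresses are illustrative, not from the thread.
SAMPLE = """\
static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp interface 21 192.168.1.20 21 netmask 255.255.255.255
static (inside,outside) tcp interface 80 192.168.1.30 80 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.5 80 192.168.1.30 8080 netmask 255.255.255.255
"""

def parse_statics(config):
    """Return one dict per static PAT line found in the config text."""
    rules = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = STATIC_RE.match(line.strip())
        if m:
            _real_if, mapped_if, proto, m_ip, m_port, r_ip, r_port = m.groups()
            rules.append({"line": lineno, "mapped_if": mapped_if, "proto": proto,
                          "mapped": (m_ip, m_port), "real": (r_ip, r_port)})
    return rules

def find_conflicts(rules):
    """Group rules that claim the same (interface, proto, mapped IP, mapped port)
    but point at different inside hosts or ports."""
    seen = defaultdict(list)
    for r in rules:
        seen[(r["mapped_if"], r["proto"]) + r["mapped"]].append(r)
    return {k: v for k, v in seen.items() if len({r["real"] for r in v}) > 1}

def exposed_services(rules):
    """Inventory of what each static makes reachable from outside, for ACL review."""
    return sorted({(r["proto"], r["mapped"][0], r["mapped"][1], r["real"][0])
                   for r in rules})

if __name__ == "__main__":
    parsed = parse_statics(SAMPLE)
    for key, dupes in find_conflicts(parsed).items():
        print("conflict on", key, "-> config lines", [r["line"] for r in dupes])
    for svc in exposed_services(parsed):
        print("exposed:", svc)
```

The second web server in the sample avoids the conflict only on the line that uses a different mapped address; the two lines that both claim port 80 on the outside interface are reported.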