Can I use one global outside IP address for several Internal hosts?

May 2nd, 2009

Hi All, I have only one static IP at my home, and I'm curious: if I have several home servers, is there a way to translate several internal global address to one global outside address using PAT? My ultimate goal would be to access these servers outside of my network from work or wherever.

I'm a little familiar with using NAT/PAT in the other direction for my internal host, just thought maybe there is a way to do that in reverse.

Thanks,

Mike

marcusbrutus Sat, 05/02/2009 - 19:30

Hi. If you are using PIX or ASA, you can configure the LAN source with the nat (inside) command to allow selected machines, VLANs, or subnets, or all, to go through PAT using the global (outside) command. If you wish to access it from the WAN, you would have to use static PAT instead and enable your servers to listen on the port you would decide on.

ex.

static (inside, outside) tcp 158.65.411.12 4011 10.1.1.15 4011 netmask 255.255.255.255

where 158.65.411.12 is the public IP and 10.1.1.15 is the private IP. Subsequently, you would need to enable static IP addressing on the machines that would be included in the static declarations.

Hope this helps.

carbonscoring Sat, 05/02/2009 - 20:13

Hi Marcus, so in order to access the internal machine from outside I would enter in my web browser:

http://158.65.411.12:4011

Also, what is an acceptable port number to use? You used 4011, and once I assign that port number, how would I exclude it, or would I even need to worry about excluding the port number I used from my internal host using that port?

Thanks,

Mike

marcusbrutus Sat, 05/02/2009 - 23:08

If you are using just a web server, you can simply specify the public IP and private IP with port 80 in the static NAT statement in the PIX. So simply typing the public IP in the browser would route you eventually to the PIX, and the PIX would check the NAT rule and forward it to your internal web server.

If you wish to use a different port number, I believe 7000 and above is feasible, but you may check further just to be sure. But port 80 incoming would not conflict with your current setup if you just have one web server.

Cheers.

marcusbrutus Sat, 05/02/2009 - 23:21

By the way, almost forgot, you need to configure an access list on the PIX to allow connections into your web server.

ex.

access-list webserver permit tcp any host 172.54.21.456 eq www

And you need to apply this to the outside interface.

ex.

access-group webserver in int outside

cisco24x7 Sun, 05/03/2009 - 09:05

static (inside,outside) tcp 158.65.411.12 4011 10.1.1.15 4011 netmask 255.255.255.255

access-list webserver permit tcp any host 172.54.21.456 eq www

This is definitely NOT recommended. If your home network is DHCP and the ISP provider changes IP often, you may consider this:

static (inside,outside) tcp interface 4011 10.1.1.15 4011 netmask 255.255.255.255

access-list webserver permit tcp any interface eq www log ---> not sure about this

This way, if the provider changes IP on you, no reconfiguration is required.

carbonscoring Sun, 05/03/2009 - 13:17

Hi, so just to make sure that I'm clear, this is what the following set up would look like if I had three web servers.

static (inside, outside) tcp 158.65.411.12 80 10.1.1.15 80 netmask 255.255.255.255

static (inside, outside) tcp 158.65.411.12 7000 10.1.1.16 7000 netmask 255.255.255.255

static (inside, outside) tcp 158.65.411.12 7001 10.1.1.17 7001 netmask 255.255.255.255

access-list webserver permit tcp any host 172.54.21.456 eq www

access-list webserver permit tcp any host 172.54.21.456 eq 7000

access-list webserver permit tcp any host 172.54.21.456 eq 7001

access-group webserver in int outside

thanks,

Mike

roshan.maskey Sun, 05/03/2009 - 13:58

Hi Mike,

A little edit on your configuration.

Since you have a single public IP and multiple inside web servers, the inside web servers run on port 80. The mapping is from a single PublicIP:Port to multiple PrivateIP:www ports.

158.65.411.12:80->10.1.1.15:80

158.65.411.12:7000->10.1.1.16:80

158.65.411.12:7001->10.1.1.17:80

The public users will try accessing your webserver on the public IP, thus the access-list should include the public IP (PAT IP), not the inside private IP.

static (inside, outside) tcp 158.65.411.12 80 10.1.1.15 80 netmask 255.255.255.255

static (inside, outside) tcp 158.65.411.12 7000 10.1.1.16 80 netmask 255.255.255.255

static (inside, outside) tcp 158.65.411.12 7001 10.1.1.17 80 netmask 255.255.255.255

access-list webserver permit tcp any host 158.65.411.12 eq www

access-list webserver permit tcp any host 158.65.411.12 eq 7000

access-list webserver permit tcp any host 158.65.411.12 eq 7001

access-group webserver in int outside

H2H

Roshan
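
The correction in the last reply (every static PAT entry needs a matching permit on the public address and port, bound to the outside interface) can be checked mechanically. The following Python sketch is an added example, not part of the original thread: the addresses 203.0.113.10 and 198.51.100.7 are constructed documentation values, the function names are hypothetical, and it assumes the ACL convention used in this thread, where permits name the public (PAT) address.

```python
import re

# Port keywords the PIX/ASA CLI accepts in place of numbers (subset used here).
PORT_NAMES = {"www": 80, "https": 443}
STATIC_RE = re.compile(
    r"static \(inside,\s*outside\) tcp (\S+) (\S+) (\S+) (\S+) netmask \S+")
ACL_RE = re.compile(r"access-list (\S+) permit tcp any host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"access-group (\S+) in int\S* outside")

# Constructed sample input: 203.0.113.10 stands in for the public address and
# 198.51.100.7 for an address that is not the PAT address.
DRAFT = """
static (inside, outside) tcp 203.0.113.10 80 10.1.1.15 80 netmask 255.255.255.255
static (inside, outside) tcp 203.0.113.10 7000 10.1.1.16 80 netmask 255.255.255.255
access-list webserver permit tcp any host 198.51.100.7 eq www
access-list webserver permit tcp any host 203.0.113.10 eq 7000
access-group webserver in int outside
"""


def port(token):
    """Turn a port keyword or a decimal string into an int."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def audit(config):
    """Return (unreachable, unmapped) for a static-PAT config.

    unreachable: published (ip, port) pairs that no ACL entry bound to the
                 outside interface permits, so the forward is dead.
    unmapped:    permitted (ip, port) pairs with no static PAT behind them.
    """
    published, permitted, bound = {}, {}, set()
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.fullmatch(line):
            pub_ip, pub_port, priv_ip, priv_port = m.groups()
            published[(pub_ip, port(pub_port))] = (priv_ip, port(priv_port))
        elif m := ACL_RE.fullmatch(line):
            permitted.setdefault(m[1], set()).add((m[2], port(m[3])))
        elif m := GROUP_RE.fullmatch(line):
            bound.add(m[1])  # only ACLs applied to the outside interface count
    allowed = set().union(*(permitted.get(name, set()) for name in bound))
    return sorted(set(published) - allowed), sorted(allowed - set(published))


if __name__ == "__main__":
    print(audit(DRAFT))
```

A pair in the first list is a forward that outside traffic cannot reach; a pair in the second is a permit with nothing behind it, worth removing so it does not silently open a mapping added later.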
