×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Why does NAT routing require two static IP addresses?

Unanswered Question
Mar 14th, 2006
User Badges:

Hi,


For our small office, we are replacing our Linksys router to Cisco PIX 506.


Under our old setup, we had one external static IP address with NAT enabled. Port forwarding was a simple setup. Requests on port 80 go to our web server, port 25 go to our SMTP server, etc.


In order to do a similar setup using Cisco PIX 506, I am told that I need two static IP addresses. One for the PIX device itself and the other for port-forwarding. This doesn't make sense. If el cheapo Linksys router could do it with one static IP address, why can't Cisco PIX device do it?


I would appreciate it if someone can enlighten me. I hope there is a way to set it up with just one external IP address.


Thank you in advance for your help.


Pradeep

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
jackko Tue, 03/14/2006 - 23:06
User Badges:
  • Gold, 750 points or more

congra! you are on the right track. it would be crazy to say that 2 public static ips are required for the posted scenario. especially a linksys router can do this.


it is right that port forwarding needs to be configured.


e.g.

static (inside,outside) tcp interface 80 80 netmask 255.255.255.255

static (inside,outside) tcp interface 25 25 netmask 255.255.255.255

clear xlate

access-list 111 permit tcp any interface outside eq 80

access-list 111 permit tcp any interface outside eq 25

access-group 111 in interface outside

pradeepxyz Thu, 03/16/2006 - 17:56
User Badges:

Ok. I played with the settings. Haven't gotton it to work. Can someone please look at the following and tell me where I made a mistake?


Thank you,

Pradeep



: Saved

:

PIX Version 6.3(3)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

clock timezone PST -8

clock summer-time PDT recurring

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

name 66.60.141.42 SLMain

name 192.168.15.22 SLWebServer

access-list outside_access_in permit icmp any any

access-list outside_access_in permit tcp any eq www any eq www

pager lines 24

logging on

logging trap debugging

mtu outside 1500

mtu inside 1500

ip address outside SLMain 255.255.255.0

ip address inside 192.168.15.1 255.255.255.0

pdm location SLMain 255.255.255.255 inside

pdm location SLMain 255.255.255.255 outside

pdm location 192.168.15.21 255.255.255.255 inside

pdm location SLWebServer 255.255.255.255 inside

pdm logging debugging 100

pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp SLWebServer www SLMain www netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 66.60.141.254 0

route inside SLMain 255.255.255.255 66.60.141.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authorization command LOCAL

ntp server 64.191.214.1 source outside prefer

http server enable

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

sysopt connection permit-l2tp

isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

management-access inside

console timeout 0

dhcpd address 192.168.15.100-192.168.15.254 inside

dhcpd dns 192.168.15.3 208.45.228.3

dhcpd lease 259200

dhcpd ping_timeout 750

dhcpd enable inside

privilege show level 0 command version

privilege show level 0 command curpriv

privilege show level 3 command pdm

privilege show level 3 command pdm

privilege show level 3 command blocks

privilege show level 3 command ssh

privilege configure level 3 command who

privilege show level 3 command isakmp

privilege show level 3 command ipsec

privilege show level 3 command vpdn

privilege show level 3 command local-host

privilege show level 3 command interface

privilege show level 3 command ip

privilege configure level 3 command ping

privilege show level 3 command uauth

privilege configure level 5 mode enable command configure

privilege show level 5 command running-config

privilege show level 5 command privilege

privilege show level 5 command clock

privilege show level 5 command ntp

privilege show level 5 mode configure command logging

privilege show level 5 command fragment

terminal width 80

: end

[OK]


jackko Thu, 03/16/2006 - 19:03
User Badges:
  • Gold, 750 points or more

name 66.60.141.42 SLMain

name 192.168.15.22 SLWebServer

static (inside,outside) tcp SLWebServer www SLMain www netmask 255.255.255.255 0 0


according to the "name" commands, the static statement above should be:

static (inside,outside) tcp SLMain www SLWebServer www netmask 255.255.255.255



access-list outside_access_in permit icmp any any

access-list outside_access_in permit tcp any eq www any eq www

access-group outside_access_in in interface outside


the inbound acl should be:

access-list outside_access_in permit tcp any host SLMain eq www

Actions

This Discussion