Cisco Support Community
Letting in a range of IPs

I have a user that will be coming from a range of IPs, 162.xx.xx.0 - 6 and 161.xx.xx.0 - 6, on a PIX 515E. How do I funnel this to my server at 205.xx.xx.xx? I'm not sure how to handle the range that the user is coming from. As a last-ditch effort I was going to do a one-to-one mapping, but I would rather avoid doing this:

static (inside,outside) 162.xx.xx.xx.1 205.xx.xx.xx.xx netmask 255.255.255.255

I prefer not to, but if that is what I have to do then I guess I will.

Accepted Solution

Re: Letting in a range of IPs

Warren,

I think I understand your question. You have a range of IPs in the 162 and 161 blocks, and you want to map these IPs to a single server host, 205.xx.xx.xx, on the inside. If this is correct, you can do it through policy NAT if you are running PIX code version 7.x or above, but frankly this is a waste of public IPs to give to a single host inside your LAN. I would simply give it a one-to-one NAT as you indicated in your post.

Example of mapping several public IPs to a single inside host:

static (inside,outside) 161.x.x.1 access-list policy_nat_http1
static (inside,outside) 161.x.x.2 access-list policy_nat_http2
static (inside,outside) 162.x.x.1 access-list policy_nat_rdp1
static (inside,outside) 162.x.x.2 access-list policy_nat_ftp1
static (inside,outside) 161.x.x.3 access-list policy_nat_ftp2

access-list policy_nat_http1 extended permit ip host 205.xx.xx.xx any
access-list policy_nat_http2 extended permit ip host 205.xx.xx.xx any
access-list policy_nat_rdp1 extended permit ip host 205.xx.xx.xx any
access-list policy_nat_ftp1 extended permit ip host 205.xx.xx.xx any
access-list policy_nat_ftp2 extended permit ip host 205.xx.xx.xx any

access-list outside_access_in extended permit tcp any host 161.x.x.1 eq 80 log
access-list outside_access_in extended permit tcp any host 161.x.x.2 eq 80 log
access-list outside_access_in extended permit tcp any host 162.x.x.1 eq 3389 log
access-list outside_access_in extended permit tcp any host 162.x.x.2 eq 21 log
access-list outside_access_in extended permit tcp any host 161.x.x.3 eq 21 log

access-group outside_access_in in interface outside

Why don't you simply do a one-to-one NAT and permit the required ports to be accessed on the server?

HTH

-Jorge
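As an added example, not part of the thread, the script below works out the exact CIDR blocks that cover a source range such as .0 - .6, shows what a single /29 would admit beyond that range, and emits the one-to-one static plus a source-restricted, port-restricted inbound ACL that the answer above recommends. All addresses are assumptions: the thread redacts its prefixes as 162.xx.xx and 161.xx.xx, so RFC 5737 documentation ranges stand in for them, and the inside server address, the mapped public address and the ports (80 and 443) are invented for illustration. The generated ACL names the mapped (public) address, as the answer's own ACL does, because on PIX 7.x (and ASA before 8.3) inbound ACLs are matched against translated addresses.

```python
import ipaddress
from typing import List, Tuple

# Constructed stand-ins (assumptions): the thread redacts its prefixes as
# 162.xx.xx and 161.xx.xx, so RFC 5737 documentation ranges are used instead.
SOURCE_RANGES: List[Tuple[str, str]] = [
    ("192.0.2.0", "192.0.2.6"),        # stands in for 162.xx.xx.0 - 6
    ("198.51.100.0", "198.51.100.6"),  # stands in for 161.xx.xx.0 - 6
]
INSIDE_SERVER = "10.0.0.10"     # assumed real (inside) address of the server
MAPPED_PUBLIC = "203.0.113.10"  # assumed public address the one-to-one static presents
PORTS = [80, 443]               # assumed services that actually need exposing


def exact_blocks(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Minimal list of CIDR blocks covering exactly first..last, with no extra hosts."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def single_block(first: str, last: str) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Smallest single CIDR block containing first..last, plus the hosts it admits
    beyond the range. This is what a one-line 'network-object X 255.255.255.248'
    would permit for a .0 - .6 range."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    prefixlen = 32
    net = ipaddress.ip_network(f"{lo}/{prefixlen}")
    while hi > net.broadcast_address:          # widen until the block reaches 'last'
        prefixlen -= 1
        net = ipaddress.ip_network(f"{lo}/{prefixlen}", strict=False)
    extra = [str(a) for a in net if a < lo or a > hi]
    return net, extra


def network_object_line(net: ipaddress.IPv4Network) -> str:
    """PIX/ASA object-group member syntax for one CIDR block."""
    if net.prefixlen == 32:
        return f" network-object host {net.network_address}"
    return f" network-object {net.network_address} {net.netmask}"


def pix_config() -> List[str]:
    """One-to-one static for the server, with the inbound ACL limited to the exact
    source ranges and to the required ports (pre-8.3 syntax: the ACL names the
    mapped address, not the inside address)."""
    lines = ["object-group network allowed_sources"]
    for first, last in SOURCE_RANGES:
        lines += [network_object_line(n) for n in exact_blocks(first, last)]
    lines.append(f"static (inside,outside) {MAPPED_PUBLIC} {INSIDE_SERVER} "
                 "netmask 255.255.255.255")
    for port in PORTS:
        lines.append("access-list outside_access_in extended permit tcp "
                     f"object-group allowed_sources host {MAPPED_PUBLIC} eq {port} log")
    lines.append("access-group outside_access_in in interface outside")
    return lines


if __name__ == "__main__":
    for first, last in SOURCE_RANGES:
        net, extra = single_block(first, last)
        print(f"{first}-{last}: exact = {[str(n) for n in exact_blocks(first, last)]}, "
              f"single block {net} would also admit {extra}")
    print("\n".join(pix_config()))
```

For a .0 - .6 range the exact cover is three entries (/30, /31 and a host), whereas the tempting single /29 also lets in .7; the object-group keeps the ACL at one line per port regardless of how many blocks the ranges need, so the "12 entries" concern from the thread does not arise.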


Re: Letting in a range of IPs

That looks like more work. I guess the best way is just doing it as a one-to-one NAT.

I'll just have 12 entries. Thanks for the info!
