03-31-2008 06:39 AM - edited 03-11-2019 05:24 AM
I have a Cisco 515e running 7.0(1) and would like to allow a single public IP to translate traffic to different internal hosts on my network by what port they are trying to access on the outside. So, for instance, if someone entered X.X.X.X:85, the PIX could replace the port with 80 and go to web server A, and on that same public IP X.X.X.X:99 could point to another host and change the port to 80 so that web server could be reached. I am sure this is possible; any help is greatly appreciated.
03-31-2008 07:15 AM
static (inside,outside) tcp interface 85 web.server.ip www netmask 255.255.255.255
static (inside,outside) tcp interface 99 web.server2.ip www netmask 255.255.255.255
04-04-2008 11:03 AM
One problem with the config of my NATs on my PIX is that the inside interface is not NATed; rather, just the subnet of my internal network is. When I add a NAT rule like the above I get: "This static port mapping rule is overlapping with a dynamic address translation rule for X.X.X.X/255.255.252.0 using global pool 1. Do you wish to proceed?" I suppose I could proceed without issue? In the end I would like to replace the subnet NAT using the inside interface, so that I don't receive this message every time I set up a static NAT. But I do not want to compromise by deleting my security policies. Is it possible to insert the inside interface NAT and then remove the subnet NAT without deleting my security policies and causing too much disruption?
06-23-2008 09:39 PM
Why can't I access the 192.168.10.7 web server from the internet with your advice? The following is my configuration:
PIX Version 7.2(1)
!
hostname wanshitong
domain-name wanshitong.com
enable password vda4u.Aio7ssMh5X encrypted
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 218.xx.xx.26 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
passwd vda4u.Aio7ssMh5X encrypted
boot system flash:/image.bin
ftp mode passive
dns server-group DefaultDNS
domain-name wanshitong.com
same-security-traffic permit intra-interface
access-list 100 extended permit tcp any interface outside eq www
access-list 100 extended permit ip any any
access-list 101 extended permit ip any any
pager lines 24
logging enable
logging asdm errors
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm521.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 192.168.20.0 255.255.255.0
nat (inside) 1 192.168.30.0 255.255.255.0
nat (inside) 1 192.168.100.0 255.255.255.0
static (inside,outside) tcp interface www 192.168.10.7 www netmask 255.255.255.255
access-group 100 in interface outside
access-group 101 in interface inside
route outside 0.0.0.0 0.0.0.0 218.xx.xx.254 1
route inside 192.168.10.0 255.255.255.0 192.168.100.2 1
route inside 192.168.20.0 255.255.255.0 192.168.100.2 1
route inside 192.168.30.0 255.255.255.0 192.168.100.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
username cisco password 3USUcOPFUiMCO4Jk encrypted
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.10.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
http 192.168.30.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
telnet 58.63.6.0 255.255.255.0 outside
telnet 192.168.100.0 255.255.255.0 inside
telnet 192.168.10.0 255.255.255.0 inside
telnet 192.168.20.0 255.255.255.0 inside
telnet 192.168.30.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 1
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect http
inspect ftp
inspect dns
inspect icmp
inspect icmp error
inspect tftp
inspect esmtp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect sqlnet
inspect sunrpc
inspect xdmcp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
tftp-server inside 192.168.100.100 pix721
prompt hostname context
Cryptochecksum:xxx
: end
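Putting the two answers together, here is an added example (not from any post in this thread) of the port-redirecting static PAT the first post asked for, with an inbound ACL scoped to the redirected ports instead of the `permit ip any any` that appears in the last posted config. The second server address (192.168.10.8) and the ACL name `outside_in` are assumed placeholders.

```text
! Added example, PIX 7.x syntax (pre-8.3 NAT). Not taken from any post above.
! Assumed: web server A = 192.168.10.7, web server B = 192.168.10.8 (placeholder),
! inbound ACL named outside_in (placeholder).
!
! Existing dynamic PAT for outbound traffic from the inside subnets.
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
!
! Static PAT: outside-interface:85 -> 192.168.10.7:80
!             outside-interface:99 -> 192.168.10.8:80
! Static translations are matched before the dynamic nat/global pair, so the
! ASDM "overlapping with a dynamic address translation rule" prompt seen in the
! follow-up post is expected; the static still wins for these ports.
static (inside,outside) tcp interface 85 192.168.10.7 www netmask 255.255.255.255
static (inside,outside) tcp interface 99 192.168.10.8 www netmask 255.255.255.255
!
! Inbound ACL. On pre-8.3 code the ACL matches the mapped (outside) address and
! port, so the entries name the interface address and the redirected ports.
! Weak setting to avoid (from the last config): "permit ip any any" applied
! inbound on outside lets any internet host reach every statically translated
! inside host on every port, not just the two web ports.
access-list outside_in extended permit tcp any interface outside eq 85
access-list outside_in extended permit tcp any interface outside eq 99
access-group outside_in in interface outside
!
! Verify after a test connection from outside:
!   show xlate | include 192.168.10
!   show access-list outside_in      (hit counts should increment on 85/99)
```

If the ACL hit counts increment but `show xlate` never shows the 192.168.10.7 entry, check that the inside router at 192.168.100.2 routes the server's return traffic back to the PIX, since the 192.168.10.0/24 network is behind that router rather than directly on the inside interface.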