Cisco Support Community
Community Member

Port Redirection with limited Public IP

Hi, I need expert help. Can a Cisco PIX 515 translate a single public IP to multiple internal IPs? I need to redirect, let us say, SMTP traffic to one private IP and HTTP traffic to another private IP, both listening on the same public IP. Can this be done? Are there any configuration examples I could follow? Thanks

5 REPLIES
Cisco Employee

Re: Port Redirection with limited Public IP

Sure can. Assuming you have that single public IP configured on the PIX's outside interface, do the following:

static (inside,outside) tcp interface 25 10.1.1.1 25 netmask 255.255.255.255
static (inside,outside) tcp interface 80 10.1.1.2 80 netmask 255.255.255.255
access-list inbound permit tcp any interface outside eq 25
access-list inbound permit tcp any interface outside eq 80
access-group inbound in interface outside

Any traffic coming in on TCP/25 for the outside IP address of the PIX will be forwarded internally to 10.1.1.1 on port 25. Any traffic for port 80 will be forwarded to 10.1.1.2.
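The reply above shows the two port statics and the matching ACL. The configuration below is an added, complete PIX/ASA 7.x example for the same scenario; it is not part of the reply. The 10.1.1.1 and 10.1.1.2 server addresses come from the reply, the 10.1.1.0/24 inside network and everything else is assumed. It pairs the statics with the outbound PAT that normally coexists with them, keeps the inbound ACL limited to exactly the two forwarded ports, and turns on local logging so probes of other ports show up. Both servers must use the PIX as their path back to the Internet: the PIX only rewrites the port on connections it saw arrive, so a reply that leaves by another route is never translated.

```text
! Added example, PIX/ASA 7.x syntax (pre-8.3 NAT). Not the original poster's config.
! One public address on the outside interface; TCP/25 -> 10.1.1.1, TCP/80 -> 10.1.1.2.
!
! Outbound traffic from the inside network is PATed to the outside interface address.
nat-control
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
!
! Port statics: only the named port is exposed; every other port on 10.1.1.1 and
! 10.1.1.2 stays behind the dynamic PAT and is unreachable from outside.
! Statics are evaluated before nat/global, so the PAT rule above does not interfere.
static (inside,outside) tcp interface smtp 10.1.1.1 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.1.1.2 www netmask 255.255.255.255
!
! Inbound ACL on outside: permit exactly the two forwarded ports and nothing else.
! The destination is the outside interface address ("interface outside"), not the
! inside host, because 7.x ACLs are checked against the packet before translation.
! Do not add "permit ip any any" here; it silently opens every mapped address.
access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended deny ip any any log
access-group inbound in interface outside
!
! Keep syslog on the box so ACL denials (106023) and built connections (302013)
! can be read back with "show logging".
logging enable
logging buffered informational
```

After applying it, `show xlate` lists the two static port translations and `show access-list inbound` shows a `hitcnt=` per line that increases as outside hosts connect. Test from an outside host; a static on the `interface` address is not reachable from hosts on the inside.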

Community Member

Re: Port Redirection with limited Public IP

Thanks, exactly what I need.

Community Member

Re: Port Redirection with limited Public IP

Hope you can help me. I configured my PIX 515E following yours, but I still can't access the 192.168.10.7 web server. Following is my configuration:

PIX Version 7.2(1)
!
hostname wanshitong
domain-name wanshitong.com
enable password vda4u.Aio7ssMh5X encrypted
names
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 218.xx.xx.26 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
passwd vda4u.Aio7ssMh5X encrypted
boot system flash:/image.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name wanshitong.com
same-security-traffic permit intra-interface
access-list 100 extended permit tcp any interface outside eq www
access-list 100 extended permit ip any any
access-list 101 extended permit ip any any
pager lines 24
logging enable
logging asdm errors
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm521.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 192.168.20.0 255.255.255.0
nat (inside) 1 192.168.30.0 255.255.255.0
nat (inside) 1 192.168.100.0 255.255.255.0
static (inside,outside) tcp interface www 192.168.10.7 www netmask 255.255.255.255
access-group 100 in interface outside
access-group 101 in interface inside
route outside 0.0.0.0 0.0.0.0 218.xx.xx.254 1
route inside 192.168.10.0 255.255.255.0 192.168.100.2 1
route inside 192.168.20.0 255.255.255.0 192.168.100.2 1
route inside 192.168.30.0 255.255.255.0 192.168.100.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
username cisco password 3USUcOPFUiMCO4Jk encrypted
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.10.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
http 192.168.30.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
telnet 58.63.6.0 255.255.255.0 outside
telnet 192.168.100.0 255.255.255.0 inside
telnet 192.168.10.0 255.255.255.0 inside
telnet 192.168.20.0 255.255.255.0 inside
telnet 192.168.30.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 1
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect http
  inspect ftp
  inspect dns
  inspect icmp
  inspect icmp error
  inspect tftp
  inspect esmtp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
service-policy global_policy global
tftp-server inside 192.168.100.100 pix721
prompt hostname context
Cryptochecksum:xxx
: end

thanks

Community Member

Re: Port Redirection with limited Public IP

Just telnet to the interface IP on port 80 from outside, and check the ACL hits and logs.

Regards,

Community Member

Re: Port Redirection with limited Public IP

Hi, how do I check the ACL hits and logs?

Thanks!
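The question above (how to check ACL hits and logs) is not answered in the thread. The sequence below is an added verification walk-through for the PIX 7.2(1) configuration posted earlier; it is not from the thread. 218.xx.xx.26 is the redacted outside address from that post, 203.0.113.10 is a made-up outside test host, and the `cap-*` access lists and capture names are assumed. Three things in the posted configuration matter for reading the output: `logging asdm errors` is the only logging target, so nothing is kept on the box until buffered logging is enabled; `access-list 100 extended permit ip any any` inbound on outside already permits everything, so the `eq www` line never needs to match and the firewall is not filtering inbound traffic at all; and the management plane (`http`, `ssh` and `telnet` allowed from 0.0.0.0/0 on outside, `ssh version 1`, `snmp-server community public`) is reachable from the Internet. A cause consistent with the posted routes is that 192.168.10.0/24 sits behind the inside router at 192.168.100.2, and the web server's replies do not come back through 192.168.100.1; the captures in step 5 show that as SYNs on the inside with no SYN/ACK. The `same-security-traffic permit intra-interface` line suggests the test was run from inside; a static on the `interface` address is not reachable from inside hosts, so test from outside.

```text
! Added verification walk-through, not from the thread. Run in enable mode on the PIX.
! First, from an OUTSIDE host:   telnet 218.xx.xx.26 80   (or: nc -vz 218.xx.xx.26 80)
!
! 1. Is the port static present and does it produce a translation?
show running-config static
show xlate | include 192.168.10.7
!
! 2. Walk a synthetic inbound packet through route lookup, NAT, ACL and inspection
!    (packet-tracer exists from 7.2(1)). 203.0.113.10 is a made-up source.
!    The final phase must report ALLOW; a DROP names the phase that rejected it.
packet-tracer input outside tcp 203.0.113.10 40000 218.xx.xx.26 80
!
! 3. ACL hit counts. Reset, repeat the telnet test, then read the hitcnt= field of
!    each ACE. In the posted config the "eq www" line may stay at 0 because the
!    "permit ip any any" line is not needed for the packet to be allowed.
clear access-list 100 counters
show access-list 100
!
! 4. Logs. Keep informational messages in the local buffer and filter on the public IP.
!    305011 = translation built, 302013 = TCP connection built, 106023 = denied by ACL.
logging enable
logging buffered informational
show logging | include 218.xx.xx.26
!
! 5. Do both directions cross the PIX? Capture on both interfaces during the test.
!    SYNs in in-web with no SYN/ACK mean 192.168.10.7 (or the router at 192.168.100.2)
!    returns traffic by a path that bypasses 192.168.100.1.
access-list cap-web extended permit tcp any host 218.xx.xx.26 eq www
access-list cap-web extended permit tcp host 218.xx.xx.26 eq www any
access-list cap-srv extended permit tcp any host 192.168.10.7 eq www
access-list cap-srv extended permit tcp host 192.168.10.7 eq www any
capture out-web access-list cap-web interface outside
capture in-web access-list cap-srv interface inside
show capture out-web
show capture in-web
show conn | include 192.168.10.7
!
! Remove the captures and their ACLs when done.
no capture out-web
no capture in-web
clear configure access-list cap-web
clear configure access-list cap-srv
```

A healthy run shows the translation in step 1, ALLOW in step 2, a rising `hitcnt=` on the `eq www` ACE in step 3 once the redundant `permit ip any any` is removed, a 302013 per test connection in step 4, and a full three-way handshake in both captures in step 5.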
