05-02-2009 06:42 PM - edited 03-11-2019 08:26 AM
Hi All, I have only one static IP at my home and I'm curious: if I have several home servers, is there a way to translate several internal global addresses to one global outside address using PAT? My ultimate goal would be to access these servers outside of my network from work or wherever.
I'm a little familiar with using NAT/PAT in the other direction for my internal host; just thought maybe there is a way to do that in reverse.
Thanks,
Mike
05-02-2009 07:30 PM
Hi. If you are using PIX or ASA, you can configure the LAN source with the nat (inside) command to allow selected machines, VLANs, or subnets, or all, to go through PAT using the global (outside) command. If you wish to access it from the WAN, you would have to use static PAT instead and enable your servers to listen on the port you would decide on.
ex.
static (inside, outside) tcp 158.65.411.12 4011 10.1.1.15 4011 netmask 255.255.255.255
where 158.65.411.12 is the public IP and 10.1.1.15 is the private IP. Subsequently, you would need to enable static IP addressing on the machines that would be included in the static declarations.
Hope this helps.
05-02-2009 08:13 PM
Hi Marcus, So in order to access the internal machine from outside I would enter in my web browser:
Also, what is an acceptable port number to use? You used 4011, and once I assign that port number, how would I exclude it, or would I even need to worry about excluding the port number I used from my internal host using that port?
Thanks,
Mike
05-02-2009 11:08 PM
If you are using just a web server, you can simply specify the public IP and private IP with port 80 in the static NAT statement in the PIX. So simply typing the public IP in the browser would route you eventually to the PIX, and the PIX would check the NAT rule and forward it to your internal web server.
If you wish to use a different port no., I believe 7000 and above is feasible, but you may check further just to be sure. But port 80 incoming would not conflict with your current setup if you just have one web server.
Cheers.
05-02-2009 11:21 PM
By the way, almost forgot, you need to configure an access list on the PIX to allow connections into your web server.
ex.
access-list webserver permit tcp any host 172.54.21.456 eq www
And you need to apply this to the outside interface.
ex.
access-group webserver in int outside
05-03-2009 09:05 AM
static (inside,outside) tcp 158.65.411.12 4011 10.1.1.15 4011 netmask 255.255.255.255
access-list webserver permit tcp any host 172.54.21.456 eq www
This is definitely NOT recommended. If your home network is DHCP and the ISP provider changes IP often, you may consider this:
static (inside,outside) tcp interface 4011 10.1.1.15 4011 netmask 255.255.255.255
access-list webserver permit tcp any interface eq www log ---> not sure about this
This way, if the provider changes IP on you, no reconfiguration is required.
05-03-2009 01:17 PM
Hi, so just to make sure that I'm clear, this is what the setup would look like if I had three web servers.
static (inside, outside) tcp 158.65.411.12 80 10.1.1.15 80 netmask 255.255.255.255
static (inside, outside) tcp 158.65.411.12 7000 10.1.1.16 7000 netmask 255.255.255.255
static (inside, outside) tcp 158.65.411.12 7001 10.1.1.17 7001 netmask 255.255.255.255
access-list webserver permit tcp any host 172.54.21.456 eq www
access-list webserver permit tcp any host 172.54.21.456 eq 7000
access-list webserver permit tcp any host 172.54.21.456 eq 7001
access-group webserver in int outside
thanks,
Mike
05-03-2009 01:58 PM
Hi Mike,
A little edit on your configuration.
Since you have a single public IP and multiple inside web servers, the inside web servers run on port 80. The mapping is between a single PublicIP:Port and multiple PrivateIP:www ports.
158.65.411.12:80->10.1.1.15:80
158.65.411.12:7000->10.1.1.16:80
158.65.411.12:7001->10.1.1.17:80
The public users will try accessing your web server on the public IP, thus the access-list should include the public IP (PAT IP), not the inside private IP.
static (inside, outside) tcp 158.65.411.12 80 10.1.1.15 80 netmask 255.255.255.255
static (inside, outside) tcp 158.65.411.12 7000 10.1.1.16 80 netmask 255.255.255.255
static (inside, outside) tcp 158.65.411.12 7001 10.1.1.17 80 netmask 255.255.255.255
access-list webserver permit tcp any host 158.65.411.12 eq www
access-list webserver permit tcp any host 158.65.411.12 eq 7000
access-list webserver permit tcp any host 158.65.411.12 eq 7001
access-group webserver in int outside
H2H
Roshan
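An added example, not part of any post in this thread: a small Python check that cross-references static PAT lines against access-list permits in the syntax used above, reporting permits that match no mapped address/port and mappings that no permit exposes. The sample configs, the 203.0.113.10 placeholder public address, and the function names are constructed for illustration.

```python
import re

# Constructed sample configs in the thread's static/access-list syntax.
# 203.0.113.10 is a placeholder documentation address for the public IP.
STATICS = """\
static (inside, outside) tcp 203.0.113.10 80 10.1.1.15 80 netmask 255.255.255.255
static (inside, outside) tcp 203.0.113.10 7000 10.1.1.16 80 netmask 255.255.255.255
static (inside, outside) tcp 203.0.113.10 7001 10.1.1.17 80 netmask 255.255.255.255
"""
ACL_PRIVATE = STATICS + """\
access-list webserver permit tcp any host 10.1.1.15 eq www
access-list webserver permit tcp any host 10.1.1.16 eq 7000
access-list webserver permit tcp any host 203.0.113.10 eq 7001
"""
ACL_PUBLIC = STATICS + """\
access-list webserver permit tcp any host 203.0.113.10 eq www
access-list webserver permit tcp any host 203.0.113.10 eq 7000
access-list webserver permit tcp any host 203.0.113.10 eq 7001
"""

PORT_NAMES = {"www": 80}  # service keyword the thread uses after "eq"
STATIC_RE = re.compile(
    r"static\s+\(\s*\w+\s*,\s*\w+\s*\)\s+(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
PERMIT_RE = re.compile(
    r"access-list\s+\S+\s+permit\s+(tcp|udp)\s+any\s+host\s+(\S+)\s+eq\s+(\S+)")

def port(token):
    """Translate a port keyword or numeric string to an int."""
    return PORT_NAMES.get(token) or int(token)

def audit(config):
    """Return (permits with no static PAT behind them, static PATs with no permit)."""
    mapped, permitted = set(), set()
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            proto, public_ip, public_port, _real_ip, _real_port = m.groups()
            mapped.add((proto, public_ip, port(public_port)))
        elif m := PERMIT_RE.match(line):
            proto, dest_ip, dest_port = m.groups()
            permitted.add((proto, dest_ip, port(dest_port)))
    return sorted(permitted - mapped), sorted(mapped - permitted)

if __name__ == "__main__":
    for name, cfg in (("private-IP ACL", ACL_PRIVATE), ("public-IP ACL", ACL_PUBLIC)):
        orphan, blocked = audit(cfg)
        print(name, "| permits matching no mapping:", orphan, "| mappings with no permit:", blocked)
```

A non-empty first list means the ACL opens a destination that no translation serves; a non-empty second list means a published port that outside clients still cannot reach.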