New Member

Cisco PIX 515 - PAT configuration

I would like to use one external IP address to connect to two internal machines. I'd differentiate the connections by specifying ports.

I'm trying to configure PAT to one address to meet the following needs:

1: ip address outside 192.168.30.2 515 <--> ip address inside 192.168.1.22 515

2: ip address outside 192.168.30.2 SSH <--> ip address inside 192.168.1.23 SSH

It seems as if this is possible. However, it's not working for me. I need the assistance of experts.

My PIX configuration is as follows:

sh run
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname Firewall
domain-name www.ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outin permit tcp any host 192.168.30.2 eq ssh
access-list outin permit tcp any host 192.168.30.2 eq lpd
access-list outin permit ip any host 192.168.30.3
access-list outin permit ip any host 192.168.30.4
access-list outin permit ip any host 192.168.30.10
access-list outin permit icmp any any
access-list inout permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 192.168.30.14 255.255.255.0
ip address inside 192.168.1.21 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14600
static (inside,outside) tcp 192.168.30.2 ssh 192.168.1.23 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.30.2 lpd 192.168.1.22 lpd netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.30.3 8044 192.168.1.23 8044 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.30.10 192.168.1.25 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.30.4 192.168.1.24 netmask 255.255.255.255 0 0
access-group outin in interface outside
access-group inout in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.30.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
: end
Firewall#

Please help me understand how I can access internal SSH and LPD on two different machines with a single outside address.

Thanks in advance.

2 REPLIES
Gold

Re: Cisco PIX 515 - PAT configuration

I can't see any error.

Doing "clear xlate" or "clear xlate global 192.168.30.2" to flush the existing translations on the PIX may resolve the issue.

Further, do "sh xlate" to verify whether the static statements are effective or not.

Cisco Employee

Re: Cisco PIX 515 - PAT configuration

Statics and ACLs are properly configured. Please issue a clear xlate (if you can; be careful with this command) and try it again.

Check if the packets are even making it to the firewall on those ports. You can run a debug packet or capture traffic.

debug packet outside src XX dst 192.168.30.2 proto tcp dport 22

If you see the packets getting to the firewall, remove the debug and place it on the inside interface, this time using the inside IP address of the machine.

If they don't pass through, please log messages and check for the error.

Hope it helps

Franco Zamora
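The question asks how one global address (192.168.30.2) can reach two inside hosts by port, and the second reply's first step is to confirm that the statics and the inbound ACL line up. The script below is an added example, not code from this thread or from Cisco: it parses the PIX 6.x "static (inside,outside) tcp GLOBAL GPORT LOCAL LPORT netmask ..." and "access-list NAME permit ..." lines from a "sh run" dump, lists how the global address fans out to inside hosts by port, and reports any port static that the access-group applied to its outside interface does not permit. The SERVICE_PORTS table is an assumption covering the service names the posted config uses plus a few common ones; the sample lines are taken from the configuration posted in the question.

```python
"""Cross-check PIX 6.x port-redirection statics against the inbound ACL.

Added example (not from the thread or from Cisco): parses static and
access-list lines from a 'sh run' dump, shows the per-port fan-out of one
global address, and flags port statics that the inbound ACL never permits.
"""
import ipaddress
import re

# PIX accepts service names in place of port numbers. Assumed subset:
# the names the posted config uses plus a few common ones.
SERVICE_PORTS = {"ssh": 22, "lpd": 515, "www": 80, "http": 80, "ftp": 21, "smtp": 25}

STATIC_PORT_RE = re.compile(
    r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")

def port_number(token):
    """Numeric port or PIX service name -> int (unknown names raise KeyError)."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]

def parse_address(tokens, i):
    """Parse one ACL address spec (any | host A | NET MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ("any",), i + 1
    if tokens[i] == "host":
        return ("host", tokens[i + 1]), i + 2
    return ("net", tokens[i], tokens[i + 1]), i + 2

def address_matches(spec, ip):
    """True if the ACL address spec covers the given IP address."""
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return spec[1] == ip
    net = ipaddress.ip_network(f"{spec[1]}/{spec[2]}", strict=False)
    return ipaddress.ip_address(ip) in net

def parse_config(text):
    """Return (port_statics, acl_entries, access_groups) from a config dump."""
    port_statics, acl_entries, access_groups = [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = STATIC_PORT_RE.match(line)
        if m:  # (real_if,mapped_if): the mapped side is where the ACL applies
            _real_if, mapped_if, proto, gip, gport, lip, lport = m.groups()
            port_statics.append({"proto": proto, "global": gip,
                                 "gport": port_number(gport), "local": lip,
                                 "lport": port_number(lport),
                                 "outside": mapped_if})
            continue
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list" and t[2] == "permit":
            src, i = parse_address(t, 4)
            dst, i = parse_address(t, i)
            port = port_number(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            acl_entries.append({"name": t[1], "proto": t[3], "src": src,
                                "dst": dst, "port": port})
            continue
        m = ACCESS_GROUP_RE.match(line)
        if m:  # interface name -> ACL applied inbound on it
            access_groups[m.group(2)] = m.group(1)
    return port_statics, acl_entries, access_groups

def pat_fanout(port_statics, global_ip):
    """Map each redirected port on global_ip to the inside (host, port)."""
    return {s["gport"]: (s["local"], s["lport"])
            for s in port_statics if s["global"] == global_ip}

def unpermitted_statics(port_statics, acl_entries, access_groups):
    """Port statics that the inbound ACL on their mapped interface never permits."""
    missing = []
    for s in port_statics:
        acl_name = access_groups.get(s["outside"])
        permitted = any(
            e["name"] == acl_name
            and e["proto"] in ("ip", s["proto"])
            and address_matches(e["dst"], s["global"])
            and e["port"] in (None, s["gport"])
            for e in acl_entries)
        if not permitted:
            missing.append(s)
    return missing

# The relevant lines from the configuration posted in the question above.
SAMPLE_CONFIG = """\
access-list outin permit tcp any host 192.168.30.2 eq ssh
access-list outin permit tcp any host 192.168.30.2 eq lpd
access-list outin permit ip any host 192.168.30.3
access-list outin permit icmp any any
static (inside,outside) tcp 192.168.30.2 ssh 192.168.1.23 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.30.2 lpd 192.168.1.22 lpd netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.30.3 8044 192.168.1.23 8044 netmask 255.255.255.255 0 0
access-group outin in interface outside
"""

if __name__ == "__main__":
    statics, acls, groups = parse_config(SAMPLE_CONFIG)
    for gport, (host, lport) in sorted(pat_fanout(statics, "192.168.30.2").items()):
        print(f"192.168.30.2:{gport} -> {host}:{lport}")
    for s in unpermitted_statics(statics, acls, groups):
        print(f"no inbound permit for {s['global']}:{s['gport']}")
```

On the posted config the fan-out comes back as port 22 to 192.168.1.23 and port 515 to 192.168.1.22 with no unpermitted statics, which agrees with the second reply; if a port static had no matching permit (or the ACL matched the wrong protocol or port), it would be listed, which is the configuration-side check to run before moving on to "clear xlate" and "debug packet".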
