
New Member

Global Address Pool/Pat Question

Can I set up a global address pool (5 static IPs) and do port redirection off of any/all of them? I know how to do it off the outside interface port using the static command; will it work the same way specifying an IP from the global pool? Or do I have to use NAT?

Scenario:

I have 5 static IPs.

I would like to be able to map port 80 to server A and port 3306 to server B.

Using another IP I am forwarding ports for a game server to server C, and forwarding port 80 for a PHP block to the web server for game server C, which is located on server D.

4 REPLIES
Silver

Re: Global Address Pool/Pat Question

To my knowledge, you cannot use global and nat to perform port redirection. If the servers you want to redirect to are behind the pix, that is, they are on higher security interfaces than the isp/partner network connection, you need to use statics.

Yes, you should be able to do port redirection for statics specifying addresses other than the interface address. The pix 6.3 code can allow you to do redirection for protocol/port instead of just ip address; thus you can redirect a.b.c.d port 80 to inside server H and redirect a.b.c.d port 3306 (same ip but different port) to server V.

Also, you can use statics with acl's for port redirection; look at the cisco pix doc for more details.

Global and nat are only for outbound connections to a lower interface (for code lower than 6.3). Pix 6.3 does allow for global on higher interfaces, but that is for destination nating, not for port redirection. Use the statics along with acls for port redirection.

Let me know if this helps.

New Member

Re: Global Address Pool/Pat Question

Ok. I'm gonna draw up the plans for what the pix needs to handle tonight. I'll post it tomorrow and see if I'm on the right track. I'm sure I'll come up with more questions by then as well.

Thanks.

New Member

Re: Global Address Pool/Pat Question

Ok. I set up the pix with the 2 IPs I am currently using, and forwarded all the business end stuff. Everything works great; I just have a couple of questions.

When creating an access-list on the outside interface I cannot specify an inside host.

ex. access-list 01 outside permit tcp any 192.168.1.100 255.255.255.255 eq pptp

This will not work (even though the pix accepts it). I want to make sure that by using the any any commands I am not opening ports that can allow access to servers not specified with the static command.

Let's say I want one of the servers on the inside interface to not have any translation performed. I want the IP of the server to be one of my global IPs. I'm using a pix501. Is this possible? Would I use the nat 0 command to set this up? The other servers do not need access to it, but I would like it to be under the protection of the firewall, and do not want to perform NAT or PAT.

Thanks. You guys have been a great help.

Silver

Re: Global Address Pool/Pat Question

If you do not want translation, you cannot do port redirection, as port redirection is a type of PAT; even if the ip addr does not change, the port does.

If you do not want to translate because you cannot get port redirection to work, it is because you are trying to use an internal address on the acl. You need to use the global address, but I want you to try this:

access-list pmap_01 permit tcp host 192.168.1.100 eq true-port-id any

then define your static like so:

static (in, out) interface http access-list pmap_01

This ought to redirect requests to port 80 on your pix's interface public address to inside host 192.168.1.100.

Note how you code the acl - it is coded as if the inside host was initiating the connection, even though it is not happening. I do not know if the port-id needs to come after the any keyword - experiment to see what works. Also, turn buffer logging to info or debug level on the pix as you set this up to get some clues as to the problem.

I used http as an example; replace the ports with the dest port as seen by.

Also, after you change statics, don't forget to use the clear xlate command for the changes to take effect.

See below if you really want to use public addresses on the inside host, but I feel that it is too cumbersome to set up.

Is the pix outside interface in the same subnet as the 5 static ip addr's that were allocated to you?

Let's assume that this is the case, and that you are allocated the 172.1.2.8/29 subnet. The pix is .10, the isp gateway is .9, and so you have .11 thru .14 to use (.15 is the broadcast, and I do not know if you can assign this to an internal host, as the pix can recognize the lan broadcast and takes action differently when it is a source or dest in a packet).

First, you need to ensure that the pix is configured to use proxyarp on the isp facing interface. Next you need host route statements that point to your inside host as the route to the address. You will need to multinet on each of your inside servers that will be addressable - one private address that uses the pix as the default gateway, and the one public address. Then you code static statements like so:

static (in,out) 172.1.2.11 172.1.2.11 netmask 255.255.255.255
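As a constructed example (not from either poster), here is how the scenario from the first reply, port 80 and port 3306 on the same global address redirected to two different inside servers, maps to PIX 6.3 commands. It assumes the 172.1.2.8/29 block from the last reply, interface names inside/outside, and constructed inside addresses 192.168.1.100 (server A) and 192.168.1.101 (server B). It also shows why the ACL from the third post never matched: on a PIX 6.x outside ACL the destination is the global (untranslated) address, not the inside host.

```text
! Assumed addressing (constructed): outside 172.1.2.10/29, global block 172.1.2.8/29,
! server A (web) = 192.168.1.100, server B (mysql) = 192.168.1.101
!
! Port redirection is done with static keyed on protocol/port, not with global/nat.
! Both entries share the public address 172.1.2.11; only the port differs.
static (inside,outside) tcp 172.1.2.11 80   192.168.1.100 80   netmask 255.255.255.255
static (inside,outside) tcp 172.1.2.11 3306 192.168.1.101 3306 netmask 255.255.255.255
!
! The inbound ACL must name the GLOBAL address. An entry against 192.168.1.100 is
! accepted by the parser but never matches, because on the outside interface the
! packet still carries 172.1.2.11 as its destination when the ACL is evaluated.
! Permit only the two redirected ports; "any any" would expose every static.
access-list outside_in permit tcp any host 172.1.2.11 eq 80
access-list outside_in permit tcp any host 172.1.2.11 eq 3306
access-group outside_in in interface outside
!
! Buffered logging at info level, as the reply suggests, shows denied packets and
! translation failures while testing.
logging on
logging buffered informational
!
! Statics take effect for new connections only after existing translations are cleared.
clear xlate
```

Inside hosts that have no static and no matching ACL line remain unreachable from outside, which is the check the third post was asking for.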
