New Member
Help configuring Reverse NAT

Greetings,

I have a PIX 515E with software ver 6.3(5). I have a consultant that I'm trying to allow access to a specific machine on our internal network. I'm trying to setup reverse NAT to allow him access into our network, but I don't want him to be able to access other nodes on our network (and actually, he'll only need access to the specific address and a specific port number). From looking at the documentation, it looks like I'll need to add the following lines:

nat (outside) 1 200.200.200.10 255.255.255.0 outside (which would be his IP address)

global (inside) 1 10.20.102.105-10.20.102.106 (which would assign him an address on our network)

I think this is correct, but how would I restrict him to a single IP? Access-list?

3 REPLIES
Silver

Re: Help configuring Reverse NAT

All traffic flowing from a lower security interface to a higher security interface is always denied unless an ACL allows the traffic.

Your best bet in this setup would be to use Port Address translation and an ACL to allow the traffic. Much easier.

e.g.

Maps your internal host to an external IP for the telnet port: (209.165.201.15 is an external IP on the PIX. It can be changed to the interface command to use the actual interface IP.)

static (inside,outside) tcp 209.165.201.15 telnet 10.1.1.4 telnet netmask 255.255.255.255 0 0

Allow the traffic:

access-list out->in permit tcp host 200.200.200.10 host 209.165.201.15 eq telnet

access-group out->in in interface outside

This link should help.

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278e.html#wp1116687

Thanks,

Chad

Please rate if this helps.
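As an added illustration (not code from this thread or from Cisco), a small Python model of the evaluation Chad describes: the inbound ACL is matched against the translated (global) address and port, then the static PAT supplies the inside destination, using the thread's sample addresses. The `inbound_decision` helper and the simplified check order are assumptions of this model, not PIX internals.

```python
from dataclasses import dataclass

# Added illustration of PIX 6.3 inbound handling (outside -> inside):
# lower-to-higher security traffic is dropped unless an ACL permits it,
# and a static PAT decides which inside host/port receives the flow.
# All addresses below are the sample values from Chad's reply.

@dataclass(frozen=True)
class StaticPat:
    global_ip: str
    global_port: int
    local_ip: str
    local_port: int

@dataclass(frozen=True)
class AclEntry:
    src_host: str   # "any" or a single source host
    dst_host: str   # the global (translated) address, as PIX 6.x ACLs use
    dst_port: int

# static (inside,outside) tcp 209.165.201.15 telnet 10.1.1.4 telnet netmask 255.255.255.255 0 0
STATICS = [StaticPat("209.165.201.15", 23, "10.1.1.4", 23)]

# access-list out->in permit tcp host 200.200.200.10 host 209.165.201.15 eq telnet
ACL_OUT_IN = [AclEntry("200.200.200.10", "209.165.201.15", 23)]

def inbound_decision(src_ip: str, dst_ip: str, dst_port: int):
    """Return ("permit", inside_ip, inside_port) or ("deny", reason).

    Simplified model (assumption): the interface ACL is evaluated top-down,
    first match wins, with an implicit deny at the end; only then is the
    static translation looked up for the permitted global address/port.
    """
    for ace in ACL_OUT_IN:
        src_ok = ace.src_host == "any" or ace.src_host == src_ip
        if src_ok and ace.dst_host == dst_ip and ace.dst_port == dst_port:
            break
    else:
        return ("deny", "implicit deny at end of ACL")
    for s in STATICS:
        if s.global_ip == dst_ip and s.global_port == dst_port:
            return ("permit", s.local_ip, s.local_port)
    return ("deny", "no static translation for global address/port")

if __name__ == "__main__":
    # Only the consultant's host, only to the published telnet port, reaches 10.1.1.4.
    print(inbound_decision("200.200.200.10", "209.165.201.15", 23))
    print(inbound_decision("200.200.200.10", "209.165.201.15", 22))
    print(inbound_decision("200.200.200.11", "209.165.201.15", 23))
```

Running it shows the consultant's host reaching 10.1.1.4 on port 23 only; any other source host or destination port falls to the implicit deny.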

New Member

Re: Help configuring Reverse NAT

The problem is that they may be able to get around it if they have access to the Terminal Server/VNC type solution on the machine.

Silver

Re: Help configuring Reverse NAT

Only if he was giving TS/VNC access to that internal machine. At that point the remote user would have access to everything that internal machine did. If he is only giving access to http, ftp, or ssh then the remote host will only be able to access that.
