PIX outside-to-inside NAT to a range of internal addresses

daniel.kline
Level 1

I want to be able to translate connections from external hosts to a range of internal addresses. For instance, I want PCAnywhere users who connect to a public address through the Internet to see all the PCAnywhere hosts on my internal network.

In this case I am using a PIX 515E. I have typically done static, one-to-one translations from outside to inside. All the documentation I've seen for both the "static" command and port redirection use a netmask in the command. The netmask is always 255.255.255.255. Can this mask be something else, say, 255.255.255.0 to allow translation to a range of hosts?

Regards,

Dan

6 Replies

jmia
Level 7

Hello Dan,

Yes, what you are asking for can be achieved. For instance, as an example, if you wanted a static translation for all machines on 192.168.2.0/24, you could specify the following for your configuration:

> 200.200.200.0 192.168.2.0 netmask 255.255.255.0

This causes the PIX to perform a one-to-one static translation automatically. For example, the global address 200.200.200.1 would match the local (internal) address 192.168.2.1, the address 200.200.200.2 would match 192.168.2.2, and so on.

A NOTE to keep in mind:

The PIX requires address translation to pass packets between interfaces. Even if you have public addresses assigned to your internal devices, you still need to configure a static translation. Also, the PIX always processes address translations using your static commands first, before using a translation created by a nat/global configuration.

Hope this helps - Thanks, Jay

Thanks, Jay. That's interesting. But can I translate a single public address to a range of internal, private addresses? To use your example, can I say 200.200.200.1 192.168.2.0 255.255.255.0?

If I use 200.200.200.0, I would effectively exhaust an entire block of public addresses. Unless I subnet my block of public address (i.e. 200.200.200.8 192.168.2.8 255.255.255.248).

Have you seen any good URLs on the subject?

Regards,

Dan

Hello Dan,

What you want to achieve can be done, but not with something like putting another subnetmask in this config or something like that.

As I understand it, the case is that you have one public IP address and you want to connect to several servers on your inside (which use private-space addresses). All right, this is possible, and not so difficult to configure.

But what you have to do is create a static command for every host on the inside that maps a TCP port number to the public address.

This would look something like this:

static (inside, outside) tcp 200.200.200.1 8821 192.168.2.1 5631 netmask 255.255.255.255

static (inside, outside) tcp 200.200.200.1 8822 192.168.2.2 5631 netmask 255.255.255.255

static (inside, outside) tcp 200.200.200.1 8823 192.168.2.3 5631 netmask 255.255.255.255

(and so on)

What it does is called port redirection, and with this example you could connect to server1 with 200.200.200.1 port 8821 and to server2 with 200.200.200.1 port 8822.

Here's a good link to a Cisco document on this:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml#topic9

Hope this helps.

Leo
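The two answers above describe two different kinds of `static` entry: Jay's network static, which maps a whole public block one-to-one onto an inside block by netmask, and Leo's port-redirection statics, which fan a single public address out to several inside hosts by outside port. The following Python model is an added example, not code from the thread or from Cisco; it is not the PIX implementation. It resolves an inbound destination the way the thread describes (a port static wins over a network static, and an address with no static at all is dropped; that ordering is a modelling assumption), generates Leo's per-host statics for a range, and checks that no two entries claim the same outside port. Addresses and ports are the sample values from the thread.

```python
# Added example (not from the thread): a small model of PIX 'static' translation
# lookup for outside-to-inside traffic, plus a generator for per-host port
# redirection statics. Modelling assumption: a port static is more specific than
# a network static and is matched first.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple, Union


@dataclass(frozen=True)
class NetStatic:
    """static (inside,outside) GLOBAL LOCAL netmask MASK: one-to-one by host offset."""
    global_net: IPv4Network
    local_net: IPv4Network


@dataclass(frozen=True)
class PortStatic:
    """static (inside,outside) tcp GLOBAL GPORT LOCAL LPORT netmask 255.255.255.255"""
    proto: str
    global_ip: IPv4Address
    global_port: int
    local_ip: IPv4Address
    local_port: int


Static = Union[NetStatic, PortStatic]


def net_static(global_addr: str, local_addr: str, mask: str) -> NetStatic:
    """Build a network static from the address pair and netmask given on the CLI."""
    g = IPv4Network(f"{global_addr}/{mask}", strict=False)
    l = IPv4Network(f"{local_addr}/{mask}", strict=False)
    return NetStatic(g, l)


def port_statics_for_range(global_ip: str, local_net: str, first_global_port: int,
                           local_port: int, proto: str = "tcp") -> List[PortStatic]:
    """One port-redirection static per inside host, each on its own outside port.
    Refuses to run past 65535, the hard limit of this approach on one address."""
    entries = []
    for offset, host in enumerate(IPv4Network(local_net).hosts()):
        gport = first_global_port + offset
        if gport > 65535:
            raise ValueError(f"ran out of outside ports at host {host}")
        entries.append(PortStatic(proto, IPv4Address(global_ip), gport, host, local_port))
    return entries


def render(entry: Static) -> str:
    """Render the entry in PIX 'static' command syntax."""
    if isinstance(entry, NetStatic):
        return (f"static (inside,outside) {entry.global_net.network_address} "
                f"{entry.local_net.network_address} netmask {entry.global_net.netmask}")
    return (f"static (inside,outside) {entry.proto} {entry.global_ip} {entry.global_port} "
            f"{entry.local_ip} {entry.local_port} netmask 255.255.255.255")


def check_no_collisions(statics: List[Static]) -> List[str]:
    """Report outside (proto, ip, port) tuples claimed by more than one port static."""
    seen: Dict[Tuple[str, IPv4Address, int], IPv4Address] = {}
    problems = []
    for s in statics:
        if isinstance(s, PortStatic):
            key = (s.proto, s.global_ip, s.global_port)
            if key in seen:
                problems.append(f"{key} maps to both {seen[key]} and {s.local_ip}")
            else:
                seen[key] = s.local_ip
    return problems


def translate_inbound(statics: List[Static], dst_ip: str, dst_port: int,
                      proto: str = "tcp") -> Optional[Tuple[IPv4Address, int]]:
    """Resolve an outside destination to (inside ip, inside port), or None if no
    static covers it (the PIX needs a translation to forward the packet at all)."""
    ip = IPv4Address(dst_ip)
    for s in statics:  # port statics first: exact proto/ip/port match
        if isinstance(s, PortStatic) and (s.proto, s.global_ip, s.global_port) == (proto, ip, dst_port):
            return s.local_ip, s.local_port
    for s in statics:  # then network statics: keep the host offset within the mask
        if isinstance(s, NetStatic) and ip in s.global_net:
            offset = int(ip) - int(s.global_net.network_address)
            return IPv4Address(int(s.local_net.network_address) + offset), dst_port
    return None


if __name__ == "__main__":
    # Jay's example: a public /24 mapped one-to-one onto 192.168.2.0/24
    jay = [net_static("200.200.200.0", "192.168.2.0", "255.255.255.0")]
    print(render(jay[0]), "->", translate_inbound(jay, "200.200.200.2", 5631))
    # Leo's example: one public address, one outside port per PCAnywhere host (tcp/5631)
    leo = port_statics_for_range("200.200.200.1", "192.168.2.0/29", 8821, 5631)
    for e in leo:
        print(render(e))
    print(translate_inbound(leo, "200.200.200.1", 8822))
    print(check_no_collisions(leo + leo[:1]))
```

Running the block prints the generated commands and shows that the port-static scheme costs one public address but one outside port per inside host, which is the trade-off Dan's follow-up is weighing.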

Thanks, Leo. I am familiar with port redirection. In your example above, I would set the PCAnywhere client to use a specific port. For instance, one client would use port 8821, one would use 8822, etc., and then redirect that connection to a specific internal host. I was actually trying to achieve functionality similar to how PCAnywhere works on a LAN. That is, when you open your PCAnywhere client, it lists the hosts available on the LAN. I'm guessing I would need to implement a VPN for my remote clients. I'm not sure if my client will want to go that route.

Regards,

Dan

Static is always a one to one relationship, be it port or ip. You cannot static one outside ip to multiple internal ips.

How pcanywhere works is most likely netbios name registrations with the local browse master on the subnet - the same way Network Neighborhood works. Also, if you have ever used terminal services, the browse list there is also the result of a query of the local browse master for a certain record type. Pcanywhere is just presenting a list of computers to which it has access - it is not somehow providing access to many of them through the same ip address.

Yes, I think I have the client convinced to use Terminal Services and/or remote vpn instead of PCAnywhere.

I have never actually researched what facilities PCAnywhere uses in a LAN environment. That might be an interesting exercise one day when I have my Sniffer and some spare time.

Regards,

Dan
