How do I allow inbound connections to multiple servers using only a single global address?

TCC_2 · ‎06-22-2009

Core issue

Configure static Port Address Translation (PAT) on the PIX.

Resolution

Starting with PIX Software version 6.0, the PIX can be configured to translate ports destined to a single global IP address to multiple internal servers.

One place this would be useful is if you only have a single IP address available from your ISP, but your web server is on a different box than your mail server. You can use port redirection (static PAT) to accomplish this.

Example

Address available from ISP: 209.165.201.5
Mail Server IP Address: 10.10.10.5
Web Server IP Address: 10.10.10.6

PIX commands are shown below.

  static (inside,outside) tcp 209.165.201.5 25 10.10.10.5 25 netmask 255.255.255.255
  static (inside,outside) tcp 209.165.201.5 80 10.10.10.6 80 netmask 255.255.255.255
     !--- Now that the port redirection is defined, we need 
     !--- to allow inbound access via an access list.
  access-list inbound permit tcp any host 209.165.201.5 eq 25
  access-list inbound permit tcp any host 209.165.201.5 eq 80
  access-group inbound in interface outside
     !--- Finally, if those two servers also need to initiate 
     !--- connections outbound, then we need to do PAT on
     !--- them to the static address.
  nat (inside) 1 10.10.10.5 255.255.255.255
  nat (inside) 1 10.10.10.6 255.255.255.255
  global (outside) 1 209.165.201.5

For more information and configuration examples, see Port Redirection with Statics.