PAT To Different Internal IP Addresses.

Here is my situation and limitation.  I have two internal devices (web servers) that listen on port 8080, but I only have one Public IP address.  I have port 8080 forwarded to the first internal device and it's working fine.  I've tried to forward port 8081 to port 8080 on the second internal device and I can't get it to work.  I've tried to swap the port from 8081 to 8080 on the 2nd access-list, but still no success.   Any help would be appreciated.

Thanks.

See the short config below.  I can post the full config if needed, but it's over 400 lines.  BTW, I'm also using ZBF. 

#### Current Config for first internal device 'hvac 10.10.101.20'.  This part works fine.

!
ip port-map user-hvac port tcp 8080
!
class-map type inspect match-all cmap-hvac
 match access-group 111
 match protocol user-hvac
!
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect cmap-hvac
  inspect
 class class-default
  drop log
!
ip nat inside source static tcp 10.10.101.20 8080 xxx.xxx.xxx.xxx 8080 extendable
!
access-list 111 permit tcp any host 10.10.101.20 eq 8080
!
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1

______________________

#### Added Config for second internal device 'hvac1 10.10.101.21'. 

zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 no service-policy type inspect sdm-pol-NATOutsideToInside-1
!
ip port-map user-hvac1 port tcp 8081
!
class-map type inspect match-all cmap-hvac1
 match access-group 112
 match protocol user-hvac1
!
no policy-map type inspect sdm-pol-NATOutsideToInside-1
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect cmap-hvac
  inspect
 class type inspect cmap-hvac1
  inspect
 class class-default
  drop log
!
ip nat inside source static tcp 10.10.101.21 8080 xxx.xxx.xxx.xxx 8081 extendable
!
access-list 112 permit tcp any host 10.10.101.21 eq 8081
!
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1

1 REPLY
PAT To Different Internal IP Addresses.

I got it.  I had to modify the second class-map to support both user defined protocols.

class-map type inspect match-all cmap-hvac1
 match protocol user-hvac
 match protocol user-hvac1
!
class-map type inspect match-all cmap-hvac1-acl
 match access-group 112
 match class-map cmap-hvac1
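The mismatch in the thread is between the inside port in the static NAT rule (8080) and the port the class-map's ACL and port-map protocol actually match (8081). Below is an added consistency check, written for this thread and not code from the poster or from Cisco: a small hypothetical parser for the exact line shapes shown above, plus a check that assumes (as the working first block does) that inspection on the outside-to-inside zone pair evaluates the post-NAT inside address and inside port. The sample config is constructed from the two posted blocks.

```python
import re
# Constructed sample: the poster's port-maps, class-maps, static NAT rules and
# ACLs from both blocks, with the public address left as the post's placeholder.
CONFIG = """
ip port-map user-hvac port tcp 8080
ip port-map user-hvac1 port tcp 8081
class-map type inspect match-all cmap-hvac
 match access-group 111
 match protocol user-hvac
class-map type inspect match-all cmap-hvac1
 match access-group 112
 match protocol user-hvac1
ip nat inside source static tcp 10.10.101.20 8080 xxx.xxx.xxx.xxx 8080 extendable
ip nat inside source static tcp 10.10.101.21 8080 xxx.xxx.xxx.xxx 8081 extendable
access-list 111 permit tcp any host 10.10.101.20 eq 8080
access-list 112 permit tcp any host 10.10.101.21 eq 8081
"""

def parse(config):  # hypothetical mini-parser: only the line shapes used in the thread
    portmaps, acls, classes, nats, current = {}, {}, {}, [], None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"ip port-map (\S+) port tcp (\d+)$", line):
            portmaps[m[1]] = int(m[2])                      # user protocol -> TCP port
        elif m := re.match(r"class-map type inspect match-all (\S+)$", line):
            current = classes.setdefault(m[1], {"acls": [], "protocols": []})
        elif current and (m := re.match(r"match access-group (\d+)$", line)):
            current["acls"].append(m[1])
        elif current and (m := re.match(r"match protocol (\S+)$", line)):
            current["protocols"].append(m[1])
        elif m := re.match(r"ip nat inside source static tcp (\S+) (\d+) \S+ (\d+)", line):
            nats.append((m[1], int(m[2]), int(m[3])))       # (inside ip, inside port, public port)
        elif m := re.match(r"access-list (\d+) permit tcp any host (\S+) eq (\d+)$", line):
            acls.setdefault(m[1], []).append((m[2], int(m[3])))
    return portmaps, acls, classes, nats

def check(config):
    """One finding per (NAT rule, class-map) pair where the class-map's ACL names the inside host but ACL or port-map protocol misses the INSIDE port."""
    portmaps, acls, classes, nats = parse(config)
    findings = []
    for inside_ip, inside_port, public_port in nats:
        for name, cls in classes.items():
            entries = [e for a in cls["acls"] for e in acls.get(a, [])]
            if not any(ip == inside_ip for ip, _ in entries):
                continue  # this class-map is about some other host
            acl_ok = (inside_ip, inside_port) in entries
            proto_ok = any(portmaps.get(p) == inside_port for p in cls["protocols"])
            if not (acl_ok and proto_ok):
                findings.append(f"{name}: inside {inside_ip}:{inside_port} (public port {public_port}) acl_ok={acl_ok} protocol_ok={proto_ok}")
    return findings
```

Run against the constructed sample, `check(CONFIG)` flags only cmap-hvac1, since its ACL and its port-map protocol both refer to 8081 while the NAT rule delivers the traffic to 10.10.101.21:8080; pointing both at 8080 clears the finding.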
