PIX 501 NAT Question
| btroadman 2003-04-16, 5:57 pm |
| On a PIX 501, is it possible to have only 1 external IP address from an ISP (using PAT), to provide access to a server from Outside===>Inside, and not impede internet access to any other workstations?
The problem I have is as soon as I make a translation rule for certain services (i.e., http, ftp, etc.) the only machine that can reach the internet is that single server that I made the translation rule toward. | |
| rcarroll 2003-04-16, 8:25 pm |
| YES - it has been done!
You can use one IP address for outside interface, PAT [global (inside) 1 interface], and static mappings to ports on different servers... How, you ask? Look up "port redirection" at Cisco support under PIX topics...
rick. | |
| btroadman 2003-04-16, 8:35 pm |
| I have read a few articles from Cisco, and my config is similar to what they show, but as soon as I make a static rule, it kills the rest of my internet. | |
| btroadman 2003-04-16, 9:34 pm |
| I upgraded to the latest version and started from scratch. Seems to be working now, which makes me mad because now I won't know what I did wrong. I had 6.1 on there before and Port Redirection is supposed to work with 6.0; I guess I will never know. Thanks for the help. That kind of stupid little stuff they never ask on the tests. | |
| darthfeces 2003-04-16, 9:35 pm |
| use this as a template
the static is for port forwarding
i'm not sure of the available keywords
but all the standards should be valid.
www,smtp,pop3,dns,ssh
maybe an eq 22 will work for ssh.
you then have to complement it with a conduit or access list permitting the traffic.
assmunch# sh static
static (inside,outside) tcp interface telnet 192.168.1.10 telnet netmask 255.255.255.255 0 0
assmunch#
assmunch# sh conduit
conduit permit tcp any eq telnet host x.x.x.x
assmunch# | |
| darthfeces 2003-04-16, 9:36 pm |
| whoops didn't read though ...... | |
| btroadman 2003-04-16, 10:13 pm |
| This should clarify if anyone else needs the info...
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 68.56.1.1 www 192.168.1.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 68.56.1.1 ftp 192.168.1.2 ftp netmask 255.255.255.255 0 0
access-group 101 in interface outside | |
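
The last post binds access-list 101 to the outside interface but does not show its entries. The following is an added example, not part of the thread: a Python check that each port-redirect static has a matching permit in the bound ACL and that the ACL opens nothing beyond those redirects. The access-list 101 lines in the sample are constructed, only the `any host <ip> eq <port>` permit form is parsed, and port names are compared as written.

```python
import re

# Constructed sample: the last post's config plus a hypothetical access-list 101
# (the thread shows the access-group line but not the ACL entries themselves).
SAMPLE_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 68.56.1.1 www 192.168.1.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 68.56.1.1 ftp 192.168.1.2 ftp netmask 255.255.255.255 0 0
access-list 101 permit tcp any host 68.56.1.1 eq www
access-list 101 permit tcp any host 68.56.1.1 eq telnet
access-group 101 in interface outside
"""

STATIC_RE = re.compile(r"static \(inside,outside\) (tcp|udp) (\S+) (\S+) \S+ \S+ netmask")
PERMIT_RE = re.compile(r"access-list (\S+) permit (.+)")
NARROW_RE = re.compile(r"(tcp|udp) any host (\S+) eq (\S+)$")
GROUP_RE = re.compile(r"access-group (\S+) in interface outside")

def audit(config):
    """Compare port-redirect statics with the ACL bound inbound on 'outside'."""
    redirects, permits, bound_acl = set(), {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := STATIC_RE.match(line):
            redirects.add(m.groups())            # (proto, global_ip, global_port)
        elif m := PERMIT_RE.match(line):
            permits.setdefault(m.group(1), []).append(m.group(2))
        elif m := GROUP_RE.match(line):
            bound_acl = m.group(1)
    allowed, needs_review = set(), []
    for rule in permits.get(bound_acl, []):
        m = NARROW_RE.match(rule)
        if m:
            allowed.add(m.groups())
        else:
            needs_review.append(rule)            # broader form, e.g. "ip any any"
    return {
        "bound_acl": bound_acl,
        "redirect_without_permit": sorted(redirects - allowed),  # forward is unreachable
        "permit_without_redirect": sorted(allowed - redirects),  # stale or over-broad
        "needs_review": needs_review,
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

If `needs_review` is non-empty, the two difference lists are not conclusive, because a broader permit may already cover a redirect.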