PIX 515E configuration

Discussion in 'Cisco' started by John Strow, Jan 10, 2004.

  1. John Strow

    John Strow Guest

    Hi,

    I have a PIX 515E and I would like some inside hosts' web servers to be accessed from
    outside, translating ports above 8000 (8080, 8081, etc.) from outside to port 80
    inside. I understand that this can be done only if I am using only one IP
    address as a global address (PAT). I have a lot of employees that use the Cisco
    VPN client to dial in to external sites (customers), and for that reason I have
    to use a range of IP addresses for NAT (I don't want to use a static for every
    VPN user - the PAT case). Is there any way that I can do port translation and at the
    same time use a range of IP addresses for NAT-ing?



    I tried this but it doesn't work:

    :
    PIX Version 6.3(3)
    ........

    names
    name 10.10.10.5 link
    name 10.10.10.6 sl
    name 10.10.10.108 test
    access-list world permit tcp any host 220.220.220.47 eq 9091
    access-list world permit tcp any host 220.220.220.47 eq 9092
    access-list world permit tcp any host 220.220.220.47 eq 9093

    ip address outside 220.220.220.61 255.255.255.192
    ip address inside 10.10.10.250 255.255.255.0
    global (outside) 1 220.220.220.1-220.220.220.45 netmask 255.255.255.192
    global (outside) 1 220.220.220.46 netmask 255.255.255.192
    nat (inside) 1 10.10.10.0 255.255.255.0 0 0
    static (inside,outside) tcp 220.220.220.47 9091 link www netmask 255.255.255.255
    static (inside,outside) tcp 220.220.220.47 9092 sl www netmask 255.255.255.255
    static (inside,outside) tcp 220.220.220.47 9093 test www netmask 255.255.255.255
    access-group world in interface outside

    Thanks,
    John Strow, Jan 10, 2004
    #1

  2. In article <bto1b9$94a7c$-berlin.de>,
    John Strow <> wrote:
    |I have PIX 515E and i would like some host's web inside to be accesses from
    |outside translating port above 8000 (8080, 8081 etc) from outside to port 80
    |inside. I understand that this can be done only if i am using only one IP
    |address as a global address (PAT).

    No, it can be done any time.

    :I have lot of employees that use Cisco
    :VPN client to dial in to external sites(customer) and for that reason i have
    :to use range of IP addresses for NAT (I don't want to use static for every
    :VPN user -PAT case). Is there any way that i can do port translation and at
    :same time use range of IP addresses for NAT-ing

    I don't think I caught that?


    |I tried this but doesn't work

    |PIX Version 6.3(3)

    |names
    |name 10.10.10.5 link
    |name 10.10.10.6 sl
    |name 10.10.10.108 test
    |access-list world permit tcp any host 220.220.220.47 eq 9091
    |access-list world permit tcp any host 220.220.220.47 eq 9092
    |access-list world permit tcp any host 220.220.220.47 eq 9093

    |ip address outside 220.220.220.61 255.255.255.192
    |ip address inside 10.10.10.250 255.255.255.0
    |global (outside) 1 220.220.220.1-220.220.220.45 netmask 255.255.255.192
    |global (outside) 1 220.220.220.46 netmask 255.255.255.192
    |nat (inside) 1 10.10.10.0 255.255.255.0 0 0
    |static (inside,outside) tcp 220.220.220.47 9091 link www netmask 255.255.255.255
    |static (inside,outside) tcp 220.220.220.47 9092 sl www netmask 255.255.255.255
    |static (inside,outside) tcp 220.220.220.47 9093 test www netmask 255.255.255.255
    |access-group world in interface outside

    That looks okay to me. Did you clear xlate after defining these?

    I have gone through the documentation again, and confirmed that you do NOT
    need to be using a global PAT to forward different ports.
    --
    millihamlet: the average coherency of prose created by a single monkey
    typing randomly on a keyboard. Usenet postings may be rated in mHl.
    -- Walter Roberson
    Walter Roberson, Jan 10, 2004
    #2
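Added example, not code from the thread, from Cisco or from either poster: a small Python lint that parses the PIX 6.x fragment John posted (reconstructed with the wrapped `static` lines rejoined, `ip address` lines dropped) plus a constructed broken variant, and applies the checks Walter's reply rests on. A port static's global address has to lie outside every `global` pool and PAT address, each port static needs a matching permit in the ACL applied inbound on the outside interface, and a permit with no static behind it is a dead or over-broad rule worth removing. Assumptions: the parser covers only the `name`, `global`, `static`, `access-list ... permit PROTO any|host X host Y eq PORT` and `access-group ... in interface outside` forms, `PORT_NAMES` is a hand-picked subset of the service keywords the PIX accepts, and `BAD_CONFIG` is hypothetical.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address as Addr
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the PIX 6.3(3) fragment from the thread, wrapped statics rejoined.
SAMPLE_CONFIG = """\
name 10.10.10.5 link
name 10.10.10.6 sl
name 10.10.10.108 test
access-list world permit tcp any host 220.220.220.47 eq 9091
access-list world permit tcp any host 220.220.220.47 eq 9092
access-list world permit tcp any host 220.220.220.47 eq 9093
global (outside) 1 220.220.220.1-220.220.220.45 netmask 255.255.255.192
global (outside) 1 220.220.220.46 netmask 255.255.255.192
static (inside,outside) tcp 220.220.220.47 9091 link www netmask 255.255.255.255
static (inside,outside) tcp 220.220.220.47 9092 sl www netmask 255.255.255.255
static (inside,outside) tcp 220.220.220.47 9093 test www netmask 255.255.255.255
access-group world in interface outside
"""

# Constructed (hypothetical) counter-example: static on the PAT address, static without permit, orphan permit.
BAD_CONFIG = """\
access-list world permit tcp any host 220.220.220.46 eq 8080
access-list world permit tcp any host 220.220.220.47 eq 9094
global (outside) 1 220.220.220.1-220.220.220.45 netmask 255.255.255.192
global (outside) 1 220.220.220.46 netmask 255.255.255.192
static (inside,outside) tcp 220.220.220.46 8080 10.10.10.5 www netmask 255.255.255.255
static (inside,outside) tcp 220.220.220.47 8081 10.10.10.6 www netmask 255.255.255.255
access-group world in interface outside
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25}  # subset (assumed)


def port_number(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


@dataclass
class PixNat:
    names: Dict[str, str] = field(default_factory=dict)        # alias -> IP
    pools: List[Tuple[str, str, Addr, Addr]] = field(default_factory=list)  # iface, id, lo, hi
    port_statics: List[Tuple[str, Addr, int, str, int]] = field(default_factory=list)
    whole_statics: Set[Addr] = field(default_factory=set)      # 1:1 statics, any port
    acls: Dict[str, Set[Tuple[str, Addr, int]]] = field(default_factory=dict)
    outside_acl: Optional[str] = None                          # ACL bound 'in' on outside

    def resolve(self, tok: str) -> Addr:
        return Addr(self.names.get(tok, tok))


def _acl_addr(t: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume 'any' | 'host X' | 'X MASK'; only 'host X' yields an address."""
    if t[i] == "any":
        return None, i + 1
    return (t[i + 1], i + 2) if t[i] == "host" else (None, i + 2)


def parse_pix(text: str) -> PixNat:
    cfg = PixNat()
    for t in filter(None, (line.split() for line in text.splitlines())):
        if t[0] == "name" and len(t) >= 3:                        # name IP ALIAS
            cfg.names[t[2]] = t[1]
        elif t[0] == "global" and len(t) >= 4:                    # global (if) ID A[-B] ...
            lo, _, hi = t[3].partition("-")
            cfg.pools.append((t[1].strip("()"), t[2], Addr(lo), Addr(hi or lo)))
        elif t[0] == "static" and len(t) >= 7 and t[2] in ("tcp", "udp"):
            cfg.port_statics.append((t[2], cfg.resolve(t[3]), port_number(t[4]),  # GIP GPORT
                                     str(cfg.resolve(t[5])), port_number(t[6])))  # LIP LPORT
        elif t[0] == "static" and len(t) >= 4:                    # static (in,out) GIP LIP ...
            cfg.whole_statics.add(cfg.resolve(t[2]))
        elif t[0] == "access-list" and len(t) >= 6 and t[2] == "permit":
            _, i = _acl_addr(t, 4)                                 # source
            dst, i = _acl_addr(t, i)                               # destination
            if dst is not None and i + 1 < len(t) and t[i] == "eq":
                cfg.acls.setdefault(t[1], set()).add((t[3], cfg.resolve(dst), port_number(t[i + 1])))
        elif t[0] == "access-group" and len(t) >= 5 and t[2:5] == ["in", "interface", "outside"]:
            cfg.outside_acl = t[1]
    return cfg


def lint(cfg: PixNat) -> List[str]:
    out: List[str] = []
    permits = cfg.acls.get(cfg.outside_acl or "", set())
    covered = {(p, g, gp) for p, g, gp, _, _ in cfg.port_statics}
    for proto, gip, gport, lip, lport in cfg.port_statics:
        # (1) the static's global address must be disjoint from every pool / PAT address
        for iface, pid, lo, hi in cfg.pools:
            if lo <= gip <= hi:
                out.append(f"static {proto} {gip}:{gport} overlaps global {pid} on {iface} ({lo}-{hi})")
        # (2) the static needs a permit in the ACL applied inbound on outside
        if (proto, gip, gport) not in permits:
            out.append(f"static {proto} {gip}:{gport} -> {lip}:{lport} has no permit in outside ACL")
    # (3) a permit with no static (port or 1:1) behind it is dead or over-broad
    for proto, ip, port in sorted(permits, key=str):
        if (proto, ip, port) not in covered and ip not in cfg.whole_statics:
            out.append(f"outside ACL permits {proto} {ip}:{port} but no static maps it")
    return out


if __name__ == "__main__":
    print("thread config:", lint(parse_pix(SAMPLE_CONFIG)) or "ok")
    print("bad config:", lint(parse_pix(BAD_CONFIG)))
```

On the thread's config the lint reports nothing, consistent with Walter's reading that port statics on 220.220.220.47 can coexist with the dynamic pool on .1-.45 and the PAT address .46; on the constructed variant it flags the static that lands on the PAT address, the static with no permit, and the permit for 9094 with nothing behind it. The step Walter asks about, `clear xlate` after adding the statics, concerns translation state on the box and is outside what a static check of the config can verify.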

  3. John Strow

    Jason Kau Guest

    Walter Roberson <-cnrc.gc.ca> wrote:
    > |ip address outside 220.220.220.61 255.255.255.192
    > |ip address inside 10.10.10.250 255.255.255.0
    > |global (outside) 1 220.220.220.1-220.220.220.45 netmask 255.255.255.192
    > |global (outside) 1 220.220.220.46 netmask 255.255.255.192
    > |nat (inside) 1 10.10.10.0 255.255.255.0 0 0
    > |static (inside,outside) tcp 220.220.220.47 9091 link www netmask 255.255.255.255
    > |static (inside,outside) tcp 220.220.220.47 9092 sl www netmask 255.255.255.255
    > |static (inside,outside) tcp 220.220.220.47 9093 test www netmask 255.255.255.255
    > |access-group world in interface outside
    >
    > That looks okay to me. Did you clear xlate after defining these?
    >
    > I have gone through the documentation again, and confirmed that you do NOT
    > need to be using a global PAT to forward different ports.


    I thought the PIX couldn't do many-to-one port redirection?

    --
    Jason Kau
    http://www.cnd.gatech.edu/~jkau
    Jason Kau, Jan 10, 2004
    #3
  4. John Strow

    Jason Kau Guest

    Jason Kau <> wrote:
    > Walter Roberson <-cnrc.gc.ca> wrote:
    >> |ip address outside 220.220.220.61 255.255.255.192
    >> |ip address inside 10.10.10.250 255.255.255.0
    >> |global (outside) 1 220.220.220.1-220.220.220.45 netmask 255.255.255.192
    >> |global (outside) 1 220.220.220.46 netmask 255.255.255.192
    >> |nat (inside) 1 10.10.10.0 255.255.255.0 0 0
    >> |static (inside,outside) tcp 220.220.220.47 9091 link www netmask 255.255.255.255
    >> |static (inside,outside) tcp 220.220.220.47 9092 sl www netmask 255.255.255.255
    >> |static (inside,outside) tcp 220.220.220.47 9093 test www netmask 255.255.255.255
    >> |access-group world in interface outside
    >>
    >> That looks okay to me. Did you clear xlate after defining these?
    >>
    >> I have gone through the documentation again, and confirmed that you do NOT
    >> need to be using a global PAT to forward different ports.

    >
    > I thought the PIX couldn't do many-to-one port redirection?


    Oops, that's not what he's trying to do. :)

    --
    Jason Kau
    http://www.cnd.gatech.edu/~jkau
    Jason Kau, Jan 10, 2004
    #4
  5. John Strow

    John Strow Guest

    Walter,

    I did clear xlate and reload the PIX but it didn't work. In the xlate table I see that
    my test workstation has already mapped its IP address to one of the global NAT
    IP addresses (220.220.220.4) and I am not sure how it can remap to
    220.220.220.47.

    The VPN client requires its own, non-shared NAT mapping and will not work with
    PAT. If you have global PAT only, you have to do a static mapping for every VPN
    client.

    John


    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:bto2a3$m8c$...
    > In article <bto1b9$94a7c$-berlin.de>,
    > John Strow <> wrote:
    > |I have PIX 515E and i would like some host's web inside to be accesses from
    > |outside translating port above 8000 (8080, 8081 etc) from outside to port 80
    > |inside. I understand that this can be done only if i am using only one IP
    > |address as a global address (PAT).
    >
    > No, it can be done any time.
    >
    > :I have lot of employees that use Cisco
    > :VPN client to dial in to external sites(customer) and for that reason i have
    > :to use range of IP addresses for NAT (I don't want to use static for every
    > :VPN user -PAT case). Is there any way that i can do port translation and at
    > :same time use range of IP addresses for NAT-ing
    >
    > I don't think I caught that?
    >
    >
    > |I tried this but doesn't work
    >
    > |PIX Version 6.3(3)
    >
    > |names
    > |name 10.10.10.5 link
    > |name 10.10.10.6 sl
    > |name 10.10.10.108 test
    > |access-list world permit tcp any host 220.220.220.47 eq 9091
    > |access-list world permit tcp any host 220.220.220.47 eq 9092
    > |access-list world permit tcp any host 220.220.220.47 eq 9093
    >
    > |ip address outside 220.220.220.61 255.255.255.192
    > |ip address inside 10.10.10.250 255.255.255.0
    > |global (outside) 1 220.220.220.1-220.220.220.45 netmask 255.255.255.192
    > |global (outside) 1 220.220.220.46 netmask 255.255.255.192
    > |nat (inside) 1 10.10.10.0 255.255.255.0 0 0
    > |static (inside,outside) tcp 220.220.220.47 9091 link www netmask 255.255.255.255
    > |static (inside,outside) tcp 220.220.220.47 9092 sl www netmask 255.255.255.255
    > |static (inside,outside) tcp 220.220.220.47 9093 test www netmask 255.255.255.255
    > |access-group world in interface outside
    >
    > That looks okay to me. Did you clear xlate after defining these?
    >
    > I have gone through the documentation again, and confirmed that you do NOT
    > need to be using a global PAT to forward different ports.
    > --
    > millihamlet: the average coherency of prose created by a single monkey
    > typing randomly on a keyboard. Usenet postings may be rated in mHl.
    > -- Walter Roberson
    John Strow, Jan 10, 2004
    #5
