• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 269
  • Last Modified:

PAT with two external addresses pix 506e 6.1

Hi all,

 I have an internal address range of 192.168.1.0 and am running PAT.

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

I have two external addresses one that is assinged to the pix. The other isn't being used.  Here is what I would like to do.

1) I want all outbound traffic(expect below) to keep patting with the outside interfaces address. (web surfing)
2) Save the second ip address to use to port forward to internal services like Citrix, RDP, SQL ect.  

I don't want my port forwarded services fighting for ports with my users surfing the web.

Please help.



0
shard26
Asked:
shard26
  • 3
  • 2
2 Solutions
 
rsivanandanCommented:
For the second ip;

static (inside, outside) tcp <second ip> <Port1> <insidemachineip1> <Port1> netmask 255.255.255.255

You can add similar statements by changing the 'insidemachineip' and 'Port'.

Then add access-list to allow this particular connection;

access-list <Name> permit ip any <Secondip> eq Port1

access-group <Name> in interface outside.

Cheers,
Rajesh
0
 
nodiscoCommented:
Small correction to above -
access-list <Name> permit ip any <Secondip> eq Port1
should be:
access-list <Name> permit tcp any <Secondip> eq Port1

Replacing "ip" with the protocol that you are port forwarding - in this example, tcp.
I'm sure Rajesh agrees ;-)
0
 
rsivanandanCommented:
Having quite a time nodisco :-) Yes, the acl should've been the way you've posted.

Cheers,
Rajesh
0
Turn Raw Data into a Real Career

There’s a growing demand for qualified analysts who can make sense of Big Data. With an MS in Data Analytics, you can become the data mining, management, mapping, and munging expert that today’s leading corporations desperately need.

 
shard26Author Commented:
tried so many things I can't be for sure but I thought I tried that?

Wont the global and NAT get in the way since they want to pat everything going outside?

The two workstation that I want to do port forwarding are on the same IP scheme as the rest of the workstations.

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
0
 
rsivanandanCommented:
It will not shard26. All the outgoing connections will use port (source port) greater than 1024, so none of the defined service get objected by that. On the other hand you will be doing port forward for known services which use destination ports below 1024 (like 80 for web, 25 for smtp etc). So you can go ahead and use them.

Cheers,
Rajesh
0
 
shard26Author Commented:
Thanks all that did it
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now