Public to Private IP mapping.

Hi There,
I want to map a few public IP addresses to private IP addresses. Do I need to specify them in the range of outside IP addresses, or will static be able to map them directly without including them in the outside address?
I am a bit confused about this.
All help will be appreciated.
Cheers,
Prashant.
Asked by: Prashant0906
1 Solution
Alan Huseyin Kayahan commented:
No, you don't have to specify them in the range of the outside interface. The following will do the static mapping:

    static (inside,outside) publiciphere privateiphere netmask 255.255.255.255

Regards

rsivanandan commented:
What is the public IP you have there? And what are the new ones to be mapped? Mask off the second octet and post it here with the subnet mask.

Cheers,
Rajesh

Prashant0906 (Author) commented:
I tried this and I think I need more help. None of the rules are working. Can you have a look, let me know why, and suggest how to fix them:
Firewall1(config)# sh run                          
: Saved      
:
PIX Version 7.2(1)                  
!
hostname Firewall1                    
domain-name MBWeb                
enable password 8Ry2YIyt7RRXU24 encrypted                                          
names    
dns-guard        
!
interface Ethernet0                  
 nameif outside              
 security-level 0                
 ip address 80.6.10.74 255.255.255.0                                    
!
interface Ethernet1                  
 nameif inside              
 security-level 40                  
 ip address 20.10.10.1 255.255.255.0                                  
!
interface Ethernet1.20                      
 description WebBack                    
 vlan 20        
 nameif ifWebBack                
 security-level 50                  
 ip address 20.10.20.1 255.255.255.0                                  
!
interface Ethernet1.30                      
 description lFront                        
 vlan    
 nameif ifLFront                  
 security-level 60                  
 ip address 20.10.30.1 255.255.255.0                                  
!
interface Ethernet1.40                      
 description LFront                        
 vlan 40        
 nameif ifLBack                  
 security-level 70                  
 ip address 20.10.40.1 255.255.255.0                                  
!
interface Ethernet1.50                      
 description AppFront                            
 vlan 50        
 nameif ifAppFront                  
 security-level 80                  
 ip address 20.10.50.1 255.255.255.0                                  
!
interface Ethernet1.60                      
 description ApplicationBack                            
 vlan 60        
 nameif ifApplBack                  
 security-level 90                  
 ip address 20.10.60.1 255.255.255.0                                  
!
interface Ethernet1.70                      
 description Data                
 vlan 70        
 nameif ifData              
 security-level 100                  
 ip address 20.10.70.1 255.255.255.0                                  
!
passwd 2KFQnbNIdI.2KYOU encrypted                                
boot system flash:/image.bin                            
ftp mode passive                
dns server-group DefaultDNS                          
 domain-name MBWeb                  
access-list Internet2webfront extended permit tcp any host 80.6.10.75 eq https
access-list Internet2webfront extended permit tcp any host 80.6.10.77 eq https
access-list WebBack2Other extended permit ip any any                                                    
access-list WebBack2AppOther extended permit tcp host 20.10.30.2 host 20.10.50.2 eq 8030      
access-list WebBack2AppOther extended permit tcp host 20.10.30.2 host 20.10.50.2 eq www    
access-list WebBack2AppOther extended permit tcp host 20.10.30.2 host 20.10.50.2 eq https      
access-list WebBack2AppOther extended permit tcp host 20.10.30.2 host 20.10.40.2 eq smtp      
access-list ExternalGateway extended permit tcp host 20.10.30.2 host 82.110.130.232 eq www        
access-list ExternalGateway extended permit tcp host 20.10.30.2 host 80.6.103.139 eq www        
access-list ExternalGateway extended permit tcp host 20.10.30.2 any eq smtp
access-list AppFront2Other extended permit tcp host 20.10.50.2 host 20.10.40.2 eq www  
access-list AppFront2Other extended permit tcp host 20.10.50.2 host 20.10.40.2 eq smtp
access-list AppBack2Other extended permit tcp host 20.10.60.2 host 20.10.70.2 eq 1443  
pager lines 24              
logging asdm informational                          
mtu outside 1500                
mtu inside 1500              
mtu ifWebBack 1500                  
mtu ifLendFront 1500                    
mtu ifLendBack 1500                  
mtu ifAppFront 1500                  
mtu ifApplBack 1500                  
mtu ifData 1500              
asdm history enable                  
arp timeout 14400                
nat-control          
nat (inside) 0 0.0.0.0 0.0.                        
static (inside,outside) 80.6.10.75 20.10.10.2 netmask 255.255.255.255                                                                    
static (inside,outside) 80.6.10.77 20.10.10.11 netmask 255.255.255.255                                                                      
access-group Internet2webfront in interface outside                                                  
access-group WebBack2Other in interface ifWebBack                                                
access-group ExternalGateway in interface ifLFront                                                    
access-group AppBack2Other in interface ifAppFront                                                  
access-group AppFront2Other out interface ifAppFront                                                    
route outside 0.0.0.0 0.0.0.0 80.6.10.65 1                                          
timeout xlate 3:00:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:                                                
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00                                                                              
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00                                                                              
timeout uauth 0:05:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                  
aaa-server RADIUS protocol radius                                
http server enable                  
http 192.168.1.0 255.255.255.0 inside                                    
no snmp-server location                      
no snmp-server contact                      
snmp-server community public                            
snmp-server enable traps snmp authentication linkup linkdown coldstart                                                                      
no sysopt connection permit-vpn                              
telnet timeout 5                
ssh timeout 5            
ssh version 1            
console timeout 0                
dhcpd ping_timeout 750                      
dhcpd auto_config outside                        
!
!
class-map inspection_default                            
 match default-inspection-traffic                                
!
!
policy-map type inspect dns migrated_dns_map_1                                              
 parameters          
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:aeb8176c289f75199e45a5a7969bbbf
: end
Firewall1(config)#

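On PIX 7.x (and ASA before 8.3) an ACL applied inbound on the outside interface must name the mapped (public) address that a static creates, so a quick sanity check when "nothing works" is to cross-reference the static table with the outside ACL. The script below is an added example, not code from this thread or from Cisco: it parses a constructed configuration modelled on the one posted above (with two extra addresses, 80.6.10.78 and 80.6.10.79, added on purpose so that each kind of mismatch appears once), then reports ACL hosts with no static, statics with no permit, and any interface with a bound `permit ip any any`. The parser only understands the `static`, `access-list extended` and `access-group` syntax shown on this page.

```python
"""Cross-check static NAT entries against the inbound outside ACL of a
PIX 7.x / ASA pre-8.3 configuration (where ACLs name the mapped address)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the configuration posted above (not the poster's
# exact config); 80.6.10.78 and 80.6.10.79 are added deliberately to trigger findings.
SAMPLE_CONFIG = """
interface Ethernet0
 nameif outside
 security-level 0
 ip address 80.6.10.74 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 40
 ip address 20.10.10.1 255.255.255.0
access-list Internet2webfront extended permit tcp any host 80.6.10.75 eq https
access-list Internet2webfront extended permit tcp any host 80.6.10.77 eq https
access-list Internet2webfront extended permit tcp any host 80.6.10.78 eq https
access-list WebBack2Other extended permit ip any any
nat-control
static (inside,outside) 80.6.10.75 20.10.10.2 netmask 255.255.255.255
static (inside,outside) 80.6.10.77 20.10.10.11 netmask 255.255.255.255
static (inside,outside) 80.6.10.79 20.10.10.12 netmask 255.255.255.255
access-group Internet2webfront in interface outside
access-group WebBack2Other in interface ifWebBack
"""

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")

AclEntry = Tuple[str, str, str, str, Optional[str]]  # action, proto, src, dst, port


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec (any | host X | net mask) starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def parse_statics(cfg: str) -> Dict[str, Tuple[str, str, str]]:
    """Return {mapped_ip: (real_ip, real_ifc, mapped_ifc)} for each static entry."""
    statics = {}
    for line in cfg.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real_ifc, mapped_ifc, mapped, real, _mask = m.groups()
            statics[mapped] = (real, real_ifc, mapped_ifc)
    return statics


def parse_acls(cfg: str) -> Dict[str, List[AclEntry]]:
    """Return {acl_name: [(action, proto, src, dst, port)]} from access-list lines."""
    acls: Dict[str, List[AclEntry]] = {}
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        src, i = _take_addr(tokens, 0)
        dst, i = _take_addr(tokens, i)
        port = tokens[i + 1] if i < len(tokens) and tokens[i] == "eq" else None
        acls.setdefault(name, []).append((action, proto, src, dst, port))
    return acls


def parse_access_groups(cfg: str) -> Dict[Tuple[str, str], str]:
    """Return {(interface, direction): acl_name} from access-group lines."""
    groups = {}
    for line in cfg.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            name, direction, ifc = m.groups()
            groups[(ifc, direction)] = name
    return groups


def audit(cfg: str, outside: str = "outside") -> Dict[str, list]:
    """Report mismatches between the inbound outside ACL and the static NAT table."""
    statics = parse_statics(cfg)
    acls = parse_acls(cfg)
    groups = parse_access_groups(cfg)
    mapped_on_outside = {m for m, (_r, _ri, mi) in statics.items() if mi == outside}

    # Pre-8.3 rule: the ACL applied inbound on outside names the mapped (public) host.
    inbound_acl = groups.get((outside, "in"))
    permitted_hosts = {dst for act, _p, _s, dst, _port in acls.get(inbound_acl, [])
                       if act == "permit" and dst != "any" and "/" not in dst}

    return {
        # permitted by the ACL but no static maps it: the firewall has nowhere to send it
        "outside_acl_hosts_without_static": sorted(permitted_hosts - mapped_on_outside),
        # mapped by a static but never permitted: the ACL's implicit deny drops it
        "statics_without_outside_permit": sorted(mapped_on_outside - permitted_hosts),
        # a bound "permit ip any any" defeats the segmentation the VLANs are meant to give
        "permit_ip_any_any_bound": sorted(
            (name, ifc, direction)
            for (ifc, direction), name in groups.items()
            if ("permit", "ip", "any", "any", None) in acls.get(name, [])
        ),
    }


if __name__ == "__main__":
    for key, items in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {items}")
```

Run it against a saved `show run` by replacing SAMPLE_CONFIG with the file contents; an empty result for the first two keys means every public host the outside ACL permits has a matching static, which is the precondition the accepted answer relies on.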
Prashant0906 (Author) commented:
Please answer the above one; I have raised the points.

rsivanandan commented:
Your config looks okay except for the public IP block. Do you really own the whole of 80.6.10.0/24 public IP addresses?

Cheers,
Rajesh

Prashant0906 (Author) commented:
I have masked my IP addresses to protect my identity. Can you please review the config... nothing is working. I can connect from anywhere to anywhere.

rsivanandan commented:
As I said, the config looks fine; there is some problem with the IP addressing.

Can you post your original config with the original IP addresses? (Just mask off the second octet from the public IP and leave everything else the same.)

Cheers,
Rajesh

Prashant0906 (Author) commented:
The above configuration is exactly the same as my firewall configuration with the public IP changed. I have changed the first two bits of my original to 80.6.
Regards,
Prashant.

rsivanandan commented:
What is the default gateway on machine 20.10.10.2? Does it point to this ASA, which is 20.10.10.1?

Check that.

Cheers,
Rajesh

Prashant0906 (Author) commented:
The default gateway of all IP addresses is x.x.x.1 for all VLANs.

Prashant0906 (Author) commented:
When running sysmon it gives access denied. This clearly means traffic is reaching the firewall and then being denied. There may be some NATting issue or something else, I think... please suggest.