ikhmer


Map public to private IP address?

Dear all,

Please see the connection below. I want to map one public IP on the PIX to the internal IP of one server which is not in the subnet of Router 1.
Is it possible to do this without adding a route back to the public IP on R2 and R1?


(internet)---------------(pix)-----------[switch]--------(r1)----------------(r2)-------|server|

r1: is the default gw router of 192.168.1.0/24
r2: is the default gw router of 192.168.2.0/24
server--> 192.168.2.11 is the IP address of the target server in the 192.168.2.0 range
pix: has a public IP and the other end connects to the 192.168.1.0 network

Pete Long

The PIX cannot route; however, you can:

route inside 0.0.0.0 0.0.0.0 192.168.1.0  (note this assumes that R1 knows to route 192.168.2.0 traffic to R2)

static (inside,outside) {public IP} 192.168.2.11 netmask 255.255.255.255
 
Yes.

First make sure you can ping server-->pix and vice versa.

If not, do tracert pix_IP, find the path and add the necessary routes in R1 and R2 in order to reach the PIX.

route inside 192.168.2.0 255.255.255.0 interface_IP 1
 (if you don't get a ping reply from PIX-->server)

Static NAT:

static (inside,outside) public_IP 192.168.2.11 netmask 255.255.255.255 0 0





ikhmer

ASKER

Both R1 & R2 can reach the inside interface of the PIX (internal IP), but users on the Internet cannot communicate with the target server. And from R2 or the server, I could not ping the public IP either.

I don't think we should add a route back from R1, R2 to the public IP, to avoid security issues!

thanks,
OK, that's fine. You need to add static NAT and try a ping from the Internet.

Hope you are able to "ping inside 192.168.2.11" from the PIX console and get a reply.


ikhmer

ASKER

I'm not very clear.
Let's say 203.226.50.79 is my public IP which will map to 192.168.2.11. When someone connects to this public IP I want it forwarded to 192.168.2.11.

So, do you mean this public to private IP? How can it map and allow Internet users to access resources of 192.168.2.11? And this server is behind two routers.

Please help to give me a clear idea.
static (inside,outside) 203.226.50.79 192.168.2.11 netmask  255.255.255.255 0 0

The NAT translation table will be maintained by the PIX, no need to worry.

You need to make sure you can reach the server from the PIX console.

ping inside 192.168.2.11  should be successful

Additionally, if you need to expose any service of the server (like web, etc.) you need to add an access-list and allow it in an access-group.

sh run | incl access-group --> the output will show if any access-list is applied on the outside interface. Then add an access-list entry onto it allowing the particular service.

example: access-list out_acc permit tcp any host 203.226.50.79 eq 80
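
The packet path that the replies above depend on, as an added example that is not part of the original thread: a small Python model of the three routing tables and the static translation. The device names, the routing-table contents and the client address 198.51.100.7 are assumptions constructed for illustration; only 203.226.50.79 and 192.168.2.11 come from the posts.

```python
import ipaddress

PUBLIC, SERVER = "203.226.50.79", "192.168.2.11"  # addresses from the thread
CLIENT = "198.51.100.7"                            # constructed Internet client
STATIC = {PUBLIC: SERVER}  # models: static (inside,outside) PUBLIC SERVER

# Assumed routing tables, prefix -> next hop. "local" = directly connected.
ROUTES = {
    "pix": {"0.0.0.0/0": "internet", "192.168.1.0/24": "local",
            "192.168.2.0/24": "r1"},   # the PIX "route inside" toward R1
    "r1": {"192.168.1.0/24": "local", "192.168.2.0/24": "r2",
           "0.0.0.0/0": "pix"},
    "r2": {"192.168.2.0/24": "local", "0.0.0.0/0": "r1"},
}

def next_hop(device, dst, routes):
    """Longest-prefix match in one device's table; None when no route matches."""
    addr = ipaddress.ip_address(dst)
    hits = [n for n in map(ipaddress.ip_network, routes[device]) if addr in n]
    if not hits:
        return None
    return routes[device][str(max(hits, key=lambda n: n.prefixlen))]

def walk(start, dst, routes, max_hops=8):
    """Follow next hops from start toward dst; returns (path, forwarded)."""
    path, dev = [start], start
    for _ in range(max_hops):
        if dev not in routes:            # left the modelled network
            return path, True
        hop = next_hop(dev, dst, routes)
        if hop is None:
            return path + ["drop"], False
        if hop == "local":
            return path, True
        path.append(hop)
        dev = hop
    return path + ["loop"], False

def round_trip(routes):
    """Trace CLIENT -> PUBLIC and the server's reply; returns (in, back, ok)."""
    inbound, ok_in = walk("pix", STATIC[PUBLIC], routes)  # dst already un-NATed
    # The reply is addressed to CLIENT, never to PUBLIC; the PIX restores
    # PUBLIC as the source when the reply leaves its outside interface.
    back, ok_back = walk("r2", CLIENT, routes)
    ok = ok_in and inbound[-1] == "r2" and ok_back and back[-1] == "internet"
    return inbound, back, ok

if __name__ == "__main__":
    print(round_trip(ROUTES))
    print(round_trip({**ROUTES, "r2": {"192.168.2.0/24": "local"}}))
```

In this model no table holds a specific route for 203.226.50.79: the inner routers only need a path (here a default route) that carries replies for Internet sources back to the PIX, and the second call shows the reply being dropped at R2 when that path is missing.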


ikhmer

ASKER

Thanks for your quick support!

From the PIX it can talk to 192.168.2.11 without any problem, but I still could not access this server from outside by using the above public IP...

From that server, I traced back to the public IP for testing and found that it could not pass R2.

thanks,
ikhmer

ASKER

I'm afraid it is because this server is not in the same subnet as the internal PIX interface.
The PIX internal interface belongs to subnet 192.168.1.0/24, the server is under 192.168.2.0/24.

thanks,
ASKER CERTIFIED SOLUTION
yashinchalad
ikhmer

ASKER

Thank you! By the way, that is not the real IP.