How to do NAT and PAT on Cisco 515?

I am setting up a Cisco PIX 515 firewall that has an outside interface address of 172.31.1.4/24 and an inside interface address of 192.168.10.1/24.  I also have webserver with address of 192.168.10.26/24.  This pix's firmware is Cisco PIX Security Appliance Software Version 7.2(4)  and Device Manager Version 5.2(4).  It is configured to use PAT and the outside interfaces address for all of the inside interface lan traffic accessing the internet.  Using the PDM, how would I setup a NAT rule so that I can access my website using 172.31.1.8/24 as my outside interface ip and have it translate to accessing the 192.168.10.26/24 webserver?
AFLLCAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

qbakiesCommented:
Try this:

static (inside,outside) tcp interface 80 192.168.10.26 80 netmask 255.255.255.255
access-list web_traffic permit tcp any interface outside eq 80
access-group web_traffic in interface outside

This is assuming that you don't already have an ACL applied to the outside interface.  If that doesn't work then try this:

static (inside,outside) tcp 172.31.1.4 80 192.168.10.26 80 netmask 255.255.255.255
access-list web_traffic permit tcp any host 172.31.1.4 eq 80
access-group web_traffic in interface outside
0
AFLLCAuthor Commented:
Wouldn't that just port forward port 80 to 192.168.10.26?  I need it to use a second ip of 172.31.1.8.
0
qbakiesCommented:
Sorry, I read that wrong in your post:

static (inside,outside) 172.31.1.8 192.168.10.26 netmask 255.255.255.255 <-- 1-to1 NAT
access-list web_traffic permit tcp any host 172.31.1.8 eq 80 <-- allow traffic
access-group web_traffic in interface outside <-- Apply to interface
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
AFLLCAuthor Commented:
It doesn't seem to be working for me.  Can you take a look at the whole config to see if I did something wrong?  I don't have the same named access-group as you have specified so I had it applied to the  outside_access_in.


rcs-fw-colo# show running-config 
: Saved
:
PIX Version 7.2(4) 
!
hostname test1
domain-name test.local
enable password XXXXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.31.1.4 255.255.255.0 
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!             
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name rewardcardsolutions.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any host 172.31.1.8 eq www 
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) 172.31.1.8 192.168.10.26 netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 172.31.1.50 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.10.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:XXXXXXXXXXX
: end

Open in new window

0
AFLLCAuthor Commented:
nevermind, it works.  thank, you.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.