[Webinar] Streamline your web hosting managementRegister Today

x
?
Solved

How to do NAT and PAT on Cisco 515?

Posted on 2010-03-30
5
Medium Priority
?
425 Views
Last Modified: 2012-08-14
I am setting up a Cisco PIX 515 firewall that has an outside interface address of 172.31.1.4/24 and an inside interface address of 192.168.10.1/24.  I also have webserver with address of 192.168.10.26/24.  This pix's firmware is Cisco PIX Security Appliance Software Version 7.2(4)  and Device Manager Version 5.2(4).  It is configured to use PAT and the outside interfaces address for all of the inside interface lan traffic accessing the internet.  Using the PDM, how would I setup a NAT rule so that I can access my website using 172.31.1.8/24 as my outside interface ip and have it translate to accessing the 192.168.10.26/24 webserver?
0
Comment
Question by:AFLLC
  • 3
  • 2
5 Comments
 
LVL 10

Expert Comment

by:qbakies
ID: 29117445
Try this:

static (inside,outside) tcp interface 80 192.168.10.26 80 netmask 255.255.255.255
access-list web_traffic permit tcp any interface outside eq 80
access-group web_traffic in interface outside

This is assuming that you don't already have an ACL applied to the outside interface.  If that doesn't work then try this:

static (inside,outside) tcp 172.31.1.4 80 192.168.10.26 80 netmask 255.255.255.255
access-list web_traffic permit tcp any host 172.31.1.4 eq 80
access-group web_traffic in interface outside
0
 

Author Comment

by:AFLLC
ID: 29118023
Wouldn't that just port forward port 80 to 192.168.10.26?  I need it to use a second ip of 172.31.1.8.
0
 
LVL 10

Accepted Solution

by:
qbakies earned 1000 total points
ID: 29118506
Sorry, I read that wrong in your post:

static (inside,outside) 172.31.1.8 192.168.10.26 netmask 255.255.255.255 <-- 1-to1 NAT
access-list web_traffic permit tcp any host 172.31.1.8 eq 80 <-- allow traffic
access-group web_traffic in interface outside <-- Apply to interface
0
 

Author Comment

by:AFLLC
ID: 29132306
It doesn't seem to be working for me.  Can you take a look at the whole config to see if I did something wrong?  I don't have the same named access-group as you have specified so I had it applied to the  outside_access_in.


rcs-fw-colo# show running-config 
: Saved
:
PIX Version 7.2(4) 
!
hostname test1
domain-name test.local
enable password XXXXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.31.1.4 255.255.255.0 
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!             
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name rewardcardsolutions.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any host 172.31.1.8 eq www 
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) 172.31.1.8 192.168.10.26 netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 172.31.1.50 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.10.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:XXXXXXXXXXX
: end

Open in new window

0
 

Author Comment

by:AFLLC
ID: 29135160
nevermind, it works.  thank, you.
0

Featured Post

[Webinar] Kill tickets & tabs using PowerShell

Are you tired of cycling through the same browser tabs everyday to close the same repetitive tickets? In this webinar JumpCloud will show how you can leverage RESTful APIs to build your own PowerShell modules to kill tickets & tabs using the PowerShell command Invoke-RestMethod.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
Just after setting up Cloud PBX connectivity and migrated Skype users to SFBO, we noticed inbound calls not working but outbound calls would work.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

607 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question