AFLLC asked:
How to do NAT and PAT on Cisco 515?
I am setting up a Cisco PIX 515 firewall that has an outside interface address of 172.31.1.4/24 and an inside interface address of 192.168.10.1/24. I also have a web server with the address 192.168.10.26/24. This PIX's firmware is Cisco PIX Security Appliance Software Version 7.2(4) and Device Manager Version 5.2(4). It is configured to use PAT and the outside interface's address for all of the inside LAN traffic accessing the internet. Using the PDM, how would I set up a NAT rule so that I can access my website using 172.31.1.8/24 as my outside interface IP and have it translate to the 192.168.10.26/24 web server?
ASKER
Wouldn't that just port forward port 80 to 192.168.10.26? I need it to use a second ip of 172.31.1.8.
ASKER CERTIFIED SOLUTION
ASKER
It doesn't seem to be working for me. Can you take a look at the whole config to see if I did something wrong? I don't have the same named access-group as you have specified so I had it applied to the outside_access_in.
rcs-fw-colo# show running-config
: Saved
:
PIX Version 7.2(4)
!
hostname test1
domain-name test.local
enable password XXXXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 172.31.1.4 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name rewardcardsolutions.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any host 172.31.1.8 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) 172.31.1.8 192.168.10.26 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 172.31.1.50 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.10.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:XXXXXXXXXXX
: end
ASKER
Never mind, it works. Thank you.
static (inside,outside) tcp interface 80 192.168.10.26 80 netmask 255.255.255.255
access-list web_traffic permit tcp any interface outside eq 80
access-group web_traffic in interface outside
This is assuming that you don't already have an ACL applied to the outside interface. If that doesn't work then try this:
static (inside,outside) tcp 172.31.1.4 80 192.168.10.26 80 netmask 255.255.255.255
access-list web_traffic permit tcp any host 172.31.1.4 eq 80
access-group web_traffic in interface outside
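The mistake the asker worried about in the config post above (an ACL defined under one name while a differently named ACL is bound to the outside interface) is easy to catch mechanically. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses the NAT-relevant lines of a PIX 7.x running config and reports why a published address would not reach the inside web server. It only understands one-to-one `static` entries and `permit` lines with a single-token source, which is all the accepted config uses; the embedded config excerpt is constructed from the lines posted above.

```python
import re

# Constructed excerpt: the NAT-relevant lines of the running config posted above.
PIX_CONFIG = """\
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) 172.31.1.8 192.168.10.26 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 172.31.1.8 eq www
access-group outside_access_in in interface outside
"""

# One-to-one static: static (real_if,mapped_if) <mapped_ip> <real_ip> netmask <mask>
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) netmask (\S+)")
# Permit entries with a single-token source and a host/interface destination
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (\w+) (\S+) (?:host|interface) (\S+) eq (\S+)$")
AG_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
PORT_ALIASES = {"www": "80", "http": "80", "https": "443"}

def parse_pix_config(text):
    """Collect statics, ACL permit entries and inbound access-group bindings."""
    cfg = {"statics": [], "acls": [], "access_groups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            _real_if, mapped_if, mapped, real, mask = m.groups()
            cfg["statics"].append({"mapped_if": mapped_if, "mapped": mapped, "real": real, "mask": mask})
        elif m := ACL_RE.match(line):
            name, proto, src, dst, port = m.groups()
            cfg["acls"].append({"name": name, "proto": proto, "src": src, "dst": dst,
                                "port": PORT_ALIASES.get(port, port)})
        elif m := AG_RE.match(line):
            name, iface = m.groups()
            cfg["access_groups"][iface] = name  # one inbound ACL per interface
    return cfg

def check_web_publish(cfg, mapped_ip, real_ip, port="80", outside_if="outside"):
    """Return the reasons (empty list if none) why mapped_ip:port would not reach real_ip."""
    problems = []
    statics = [s for s in cfg["statics"] if s["mapped"] == mapped_ip and s["mapped_if"] == outside_if]
    if not statics:
        problems.append(f"no static translation for {mapped_ip} on {outside_if}")
    elif statics[0]["real"] != real_ip:
        problems.append(f"{mapped_ip} is translated to {statics[0]['real']}, not {real_ip}")
    bound = cfg["access_groups"].get(outside_if)
    if bound is None:
        problems.append(f"no access-group applied inbound on {outside_if}")
    # The permit must live in the ACL actually bound to the interface, not just any defined ACL.
    hits = [a for a in cfg["acls"] if a["name"] == bound and a["proto"] == "tcp"
            and a["dst"] == mapped_ip and a["port"] == PORT_ALIASES.get(port, port)]
    if not hits:
        problems.append(f"bound ACL {bound!r} has no permit tcp ... host {mapped_ip} eq {port}")
    return problems

if __name__ == "__main__":
    print(check_web_publish(parse_pix_config(PIX_CONFIG), "172.31.1.8", "192.168.10.26"))  # []
```

Run it against `show running-config` output saved to a file to confirm the static, the ACL entry and the access-group binding agree before testing from outside.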