For 2 & 2a:
2. Trying to do port forwarding from one public IP (with various ports) to many internal IPs.
2a. Ports 80,81,82,83
This is possible via the port redirection feature: map a single public IP to many internal IPs.
You can redirect the same port number, or a different port, on the same/different IP.
This must be followed by an ACL on the outside interface allowing access from the internet/outside to the public IP of 100.100.100.100 via whatever port is specified.
Example:
1. Static Map/redirect
Public IP to map: 100.100.100.100
Internal IPs (i.e. servers): 10.1.1.10, 10.1.1.11, 10.1.1.12, 10.1.1.13
static (inside,outside) tcp 100.100.100.100 80 10.1.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp 100.100.100.100 81 10.1.1.10 81 netmask 255.255.255.255
static (inside,outside) tcp 100.100.100.100 82 10.1.1.10 82 netmask 255.255.255.255
static (inside,outside) tcp 100.100.100.100 83 10.1.1.10 83 netmask 255.255.255.255
static (inside,outside) tcp 100.100.100.100 2221 10.1.1.10 21 netmask 255.255.255.255
2. ACL
access-list outside permit tcp any host 100.100.100.100 eq 80 *
access-list outside permit tcp any host 100.100.100.100 eq 81
access-list outside permit tcp any host 100.100.100.100 eq 82
access-list outside permit tcp any host 100.100.100.100 eq 83
access-list outside permit tcp any host 100.100.100.100 eq 2221 **
access-group outside in interface outside ***
* redirect from mask port value 80 to actual application port number - TCP 80 (www)
** redirect from mask port value 2221 to actual application port number - TCP 21 (ftp)
- Internet users/outsiders will access via port 2221, but the PIX will automatically redirect it to the actual port 21 (FTP) on the server, i.e. your server is running an FTP application using TCP 21, but you do not want outsiders to easily know/scan/attack port 21. So you use 2221 to mask the port, and let the PIX redirect it correctly to port 21 again.
*** bind 'outside' ACL to Outside interface IP.
Ref:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml#topic9
Make sure your PIX has correct default route to internet router:
route outside 0.0.0.0 0.0.0.0 100.100.100.99 --------> assuming 100.100.100.99 is your internet router FastEthernet facing PIX Outside interface
Hope this helps. Pls rate all useful post(s)
AK
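
An added example, not part of the post above and not Cisco tooling: a small Python check that every `static` port redirect in a config has a matching permit in an ACL that is bound with `access-group`, which is the pairing the post describes. The regexes cover only the line forms shown in the post, and the function and variable names are assumptions of this example.

```python
import re

# Constructed sample input: the static, access-list and access-group lines from the post.
CONFIG = """\
static (inside,outside) tcp 100.100.100.100 80 10.1.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp 100.100.100.100 81 10.1.1.10 81 netmask 255.255.255.255
static (inside,outside) tcp 100.100.100.100 82 10.1.1.10 82 netmask 255.255.255.255
static (inside,outside) tcp 100.100.100.100 83 10.1.1.10 83 netmask 255.255.255.255
static (inside,outside) tcp 100.100.100.100 2221 10.1.1.10 21 netmask 255.255.255.255
access-list outside permit tcp any host 100.100.100.100 eq 80
access-list outside permit tcp any host 100.100.100.100 eq 81
access-list outside permit tcp any host 100.100.100.100 eq 82
access-list outside permit tcp any host 100.100.100.100 eq 83
access-list outside permit tcp any host 100.100.100.100 eq 2221
access-group outside in interface outside
"""

# Assumption: only the line shapes used in the post are parsed (numeric "eq" ports,
# "any" source, host destination); other forms are ignored.
STATIC_RE = re.compile(r"static \(\w+,\w+\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask \S+")
PERMIT_RE = re.compile(r"access-list (\S+) permit (tcp|udp) any host (\S+) eq (\d+)")
GROUP_RE = re.compile(r"access-group (\S+) in interface \S+")

def audit(config):
    """Return (redirects, findings) for a PIX-style config given as text."""
    redirects, permits, bound_acls, findings = {}, set(), set(), []
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.fullmatch(line):
            key = (m[1], m[2], int(m[3]))          # (proto, public IP, public port)
            if key in redirects:
                findings.append(f"duplicate redirect for {key}")
            redirects[key] = (m[4], int(m[5]))     # (internal IP, real port)
        elif m := PERMIT_RE.fullmatch(line):
            permits.add((m[1], m[2], m[3], int(m[4])))
        elif m := GROUP_RE.fullmatch(line):
            bound_acls.add(m[1])
    # A permit only counts if its ACL is bound to an interface.
    live = {(proto, ip, port) for acl, proto, ip, port in permits if acl in bound_acls}
    for key in sorted(set(redirects) - live):
        findings.append(f"redirect {key} has no permit in a bound ACL")
    for key in sorted(live - set(redirects)):
        findings.append(f"permit {key} opens a port with no static redirect")
    return redirects, findings

if __name__ == "__main__":
    redirects, findings = audit(CONFIG)
    for (proto, ip, port), (host, real) in redirects.items():
        print(f"{proto} {ip}:{port} -> {host}:{real}")
    print(findings or "every redirect has a bound permit")
```

The second finding type is the one to watch when cleaning up old redirects: a permit left behind after its `static` line was removed still exposes that port on the public IP.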