08-06-2002 02:44 AM - edited 02-20-2020 10:11 PM
Hi,
I heard that with the latest Cisco IOS 6.x we could map a single private IP address with many private IP addresses, like we do NAT overload in the Cisco router. Is it true, and if so, how can it be done?
Thanks in Advance
J.Karthik
08-06-2002 08:01 AM
Hi,
What you can do is use the "interface" keyword, or a single public IP, in the global command:
ex1:
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 interface
ex2:
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 62.110.145.22 255.255.255.255
In these examples, the nat is dynamic (PAT) and it is never possible to initiate connections from outside net to inside net.
To initiate connection from outside net to inside net, instead, you can use the keyword "outside" in the nat command:
ex3:
nat (outside) 1 200.200.200.0 255.255.255.0 outside
global (inside) 1 interface
But the connections are still unidirectional.
To permit connections in both directions you can use the classic "static" command, but to map some private IPs onto the same public IP you must use port redirection, to specify the correct TCP or UDP port:
ex 4:
static (inside, outside) tcp interface 80 10.10.10.10 80
static (inside, outside) tcp interface 25 10.10.10.11 25
ex 5:
static (inside, outside) tcp 200.200.200.200 80 10.10.10.10 80
static (inside, outside) udp 200.200.200.200 69 10.10.10.11 5678
I hope it's useful,
bye, Graz
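An added example, not part of the original reply: a small Python check that parses static port-redirection lines in the form shown in ex 4 and ex 5 and reports every public endpoint exposed to the outside, flagging any case where two inside hosts claim the same protocol, global IP and port. The sample configuration is constructed, and the parser assumes numeric ports only.

```python
import re
from collections import defaultdict

# Constructed sample config, modelled on the lines in the reply above.
# The last static deliberately reuses tcp/interface/80 to show a collision.
SAMPLE_CONFIG = """\
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 interface
static (inside, outside) tcp interface 80 10.10.10.10 80
static (inside, outside) tcp interface 25 10.10.10.11 25
static (inside, outside) udp 200.200.200.200 69 10.10.10.11 5678
static (inside, outside) tcp interface 80 10.10.10.12 8080
"""

# Assumption: ports are written as numbers, as in the examples on this page.
STATIC_RE = re.compile(
    r"^static\s*\(\s*(?P<real_if>\w+)\s*,\s*(?P<mapped_if>\w+)\s*\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<global_ip>\S+)\s+(?P<global_port>\d+)\s+"
    r"(?P<local_ip>\S+)\s+(?P<local_port>\d+)\b"
)

def parse_statics(config):
    """Return one dict per static port-redirection line; other lines are skipped."""
    rules = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = STATIC_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["global_port"] = int(rule["global_port"])
            rule["local_port"] = int(rule["local_port"])
            rule["line"] = lineno
            rules.append(rule)
    return rules

def find_collisions(rules):
    """Map each public endpoint claimed by more than one rule to those rules."""
    by_endpoint = defaultdict(list)
    for r in rules:
        key = (r["mapped_if"], r["proto"], r["global_ip"], r["global_port"])
        by_endpoint[key].append(r)
    return {k: v for k, v in by_endpoint.items() if len(v) > 1}

if __name__ == "__main__":
    rules = parse_statics(SAMPLE_CONFIG)
    for r in rules:
        print(f"{r['proto']} {r['global_ip']}:{r['global_port']} -> "
              f"{r['local_ip']}:{r['local_port']} (line {r['line']})")
    for key, clash in find_collisions(rules).items():
        print("COLLISION", key, "lines", [r["line"] for r in clash])
```

Each line it prints is an inbound path through the firewall, so the same listing serves as a review of what the static commands expose.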
08-06-2002 11:38 PM
Thanks a lot for your reply.
I have nat (outside) one public ip
Nat (global) one public ip
I created a static nat like
nat (inside,outside) tcp x.x.x.x 5000 10.1.2.1 5000
nat (inside,outside) tcp x.x.x.x 5001 10.1.2.2 5001
My intention was that these two systems should have bidirectional communication with a Windows VPN server using the same public address.
I opened up port 1723 and GRE port using conduit statements.
When I first tried to connect from 10.1.2.1 it connected successfully. But when I tried to connect from the second system using the same Windows VPN I am getting an error message like
The Specified port is not connected.
When I gave the show xlate command I saw the first command
global x.x.x.x local 10.1.2.1 static.
I disconnected from the 10.1.2.1 system and after two hours (since xlate timeout was 1:00:00) from the 10.1.2.2 system, but still the same error. I removed the static mapping for the 10.1.2.1 but when I typed in
show xlate
still that mapping is there and it is not removed.
Can you please advise me how to go about this problem?
Thanks in Advance
J.Karthik
08-07-2002 02:23 AM
Hi,
try to add two other commands:
nat (inside)1 " yourprivatenet "
global(outside) 1 interface
I think that the VPN connection starts with other ports not included in the static command; with these commands you open other ports.
NB:
to remove the xlate you must type "clear xlate"
I hope it helps you.
Bye,
Graz.
08-07-2002 02:41 AM
Thanks a lot for your mail.
Since I already have nat (inside) 1 192.168.1.2
nat (global) 244.x.x.1
Will the new nat not harm them? Should I use the same nat id 1 or can I use a different id? If I configure as you said above, will all the different private IP addresses go with the global address? Like, can I map the global 244.x.x.1 with all public addresses or should I use a different public address?
Thanks in Advance
J.Karthik
08-07-2002 03:37 AM
Hi,
If you want to translate to the same global IP, use the same nat id; instead, create a new nat command with a new nat id, e.g. 2, and another global with the same nat id.
Nat and static work together; the static dominates the nat.
You can map multiple private IPs to the same public IP:
ex :
nat (inside) 2 192.168.1.0 255.255.255.0
global (outside) 2 224.x.x.2
Hope that helps.
Graz.
08-07-2002 04:23 AM
Thanks a lot. I will check according to your advice.
Thanks and Regards
J.Karthik