PIX Translation

stevecox
Level 1

I am configuring a PIX 506e for implementation on a network. The inside network consists of about 25 combined workstations and servers with an IP addressing scheme of 10.x.x.0/24. Some servers need certain TCP or UDP ports translated publicly for each server. The outside network is 66.x.x.32/29 with 5 public addresses available to the client. I would like to translate individual ports on public address 66.x.x.33 - 66.x.x.37 for inbound traffic and use 66.x.x.38 as the outside interface of the PIX and allow all other outbound traffic to be translated to that interface's address. I am familiar with the PIX using one-to-one NAT but I would like someone to validate my config with this scenario before I go live with it just to make sure I haven't created a problem somewhere.

access-list outside_access_in permit tcp any host 66.x.x.34 eq www
access-list outside_access_in permit tcp any host 66.x.x.34 eq 3389
access-list outside_access_in permit tcp any host 66.x.x.34 eq smtp
access-list outside_access_in permit tcp any host 66.x.x.34 eq pop3
access-list outside_access_in permit tcp any host 66.x.x.35 eq 3389
access-list outside_access_in permit tcp any host 66.x.x.35 eq ftp
access-list outside_access_in permit tcp any host 66.x.x.35 eq ftp-data
access-list outside_access_in permit tcp any host 66.x.x.36 eq 407
access-list outside_access_in permit tcp any host 66.x.x.36 eq 3389
access-list outside_access_in permit udp any host 66.x.x.36 eq 407
access-list outside_access_in permit udp any host 66.x.x.36 eq 3283
access-list outside_access_in permit tcp any host 66.x.x.37 eq www
access-list outside_access_in permit tcp 64.x.x.0 255.255.255.0 host 66.x.x.37 eq telnet
access-list outside_access_in permit tcp any host 66.x.x.37 eq 3389
ip address outside 66.x.x.38 255.255.255.248
ip address inside 10.x.x.254 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 66.x.x.34 www 10.x.x.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.x.x.34 3389 10.x.x.1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.x.x.34 smtp 10.x.x.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.x.x.34 pop3 10.x.x.1 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.x.x.35 3389 10.x.x.8 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.x.x.35 ftp 10.x.x.2 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.x.x.35 ftp-data 10.x.x.2 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.x.x.36 407 10.x.x.23 407 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.x.x.36 3389 10.x.x.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp 66.x.x.36 407 10.x.x.23 407 netmask 255.255.255.255 0 0
static (inside,outside) udp 66.x.x.36 3283 10.x.x.23 3283 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.x.x.37 www 10.x.x.4 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.x.x.37 telnet 10.x.x.200 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.x.x.37 3389 10.x.x.30 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside

3 Replies

robysolutions
Level 1

I would have to say everything looks good. I don't see any problems with the configuration.

I just realized this:

You need to remove your fixup protocol statements pointing to DNS and SMTP if they exist, and any other protocol that you have a static PAT for.

Thank you for the information.
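A small pre-go-live check for the static-PAT layout the original post describes and the fixup advice in the reply, added here as an example and not code from the thread or from Cisco: it parses PIX 6.x `access-list`, `static` and `fixup protocol` lines, reports ACL entries with no matching static PAT (and the reverse), and lists fixups whose port is covered by a static PAT. The sample config is constructed with invented addresses in the same form as the one posted above.

```python
import re

# Constructed sample in the form of the PIX 6.x config posted above (addresses invented):
# the static for 66.0.0.34 pop3 is missing, the 66.0.0.37 3389 static has no ACL, fixups remain.
SAMPLE_CONFIG = """\
access-list outside_access_in permit tcp any host 66.0.0.34 eq www
access-list outside_access_in permit tcp any host 66.0.0.34 eq smtp
access-list outside_access_in permit tcp any host 66.0.0.34 eq pop3
access-list outside_access_in permit tcp 64.0.0.0 255.255.255.0 host 66.0.0.37 eq telnet
access-list outside_access_in permit udp any host 66.0.0.36 eq 407
static (inside,outside) tcp 66.0.0.34 www 10.0.0.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.0.0.34 smtp 10.0.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.0.0.37 telnet 10.0.0.200 telnet netmask 255.255.255.255 0 0
static (inside,outside) udp 66.0.0.36 407 10.0.0.23 407 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.0.0.37 3389 10.0.0.30 3389 netmask 255.255.255.255 0 0
fixup protocol smtp 25
fixup protocol ftp 21
access-group outside_access_in in interface outside
"""
# PIX service keywords used in the post, resolved so 'eq www' and 'www' compare equal.
SERVICES = {"www": 80, "smtp": 25, "pop3": 110, "ftp": 21, "ftp-data": 20, "telnet": 23}

ACL_RE = re.compile(r"^access-list \S+ permit (tcp|udp) .+? host (\S+) eq (\S+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) (\S+) (\S+) \S+ \S+ netmask")
FIXUP_RE = re.compile(r"^fixup protocol (\S+) (\d+)$")

def port(token):
    """Resolve a PIX service keyword or numeric port to an integer."""
    return int(token) if token.isdigit() else SERVICES[token]

def audit(config):
    """Cross-check inbound ACL entries, static PATs and fixups; return the gaps."""
    acl, statics, fixups = set(), set(), []
    for line in map(str.strip, config.splitlines()):
        if m := ACL_RE.match(line):
            acl.add((m[1], m[2], port(m[3])))
        elif m := STATIC_RE.match(line):
            statics.add((m[1], m[2], port(m[3])))
        elif m := FIXUP_RE.match(line):
            fixups.append((m[1], int(m[2])))
    pat_ports = {p for _, _, p in statics}
    return {
        # permitted inbound but never translated: the PIX has nowhere to send it
        "acl_without_static": sorted(acl - statics),
        # translated but not permitted: dead config or a forgotten ACL line
        "static_without_acl": sorted(statics - acl),
        # fixup on a port that is static-PATed (the reply's advice)
        "fixups_to_remove": sorted(name for name, p in fixups if p in pat_ports),
    }
```

Run `audit` over a `show run` capture of the real box; an empty `acl_without_static` list and an empty `fixups_to_remove` list are what you want to see before going live.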
