08-03-2012 06:04 AM - edited 03-11-2019 04:37 PM
Hello all,
I would like to implement a solution that allows me to share a single public IP amongst two internal servers. One service uses a range of TCP ports.
I believe the below will address what I need; however, can I use the ‘object-group’ command or do I need to specify each TCP port separately?
This?
!
object-group service A_Bunch_O_Ports tcp
description Telemesis comms to-From Internet
port-object eq https
port-object eq www
port-object eq 8060
port-object eq 8070
!
access-list policyNAT-share extended permit tcp host 172.20.40.100 object-group A_Bunch_O_Ports host 1.2.3.4 object-group A_Bunch_O_Ports
access-list policyNAT-share extended permit tcp host 172.20.40.200 eq 25 host 1.2.3.4 eq 25
!
nat (inside) 3 access-list policyNAT-share
!
global (outside) 3 1.2.3.4 netmask 255.255.255.255
!
!#####################
Or this?
!
access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 443 host 1.2.3.4 eq 443
access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 80 host 1.2.3.4 eq 80
access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 8060 host 1.2.3.4 eq 8060
access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 8070 host 1.2.3.4 eq 8070
access-list policyNAT-share extended permit tcp host 172.20.40.200 eq 25 host 1.2.3.4 eq 25
!
!
nat (inside) 3 access-list policyNAT-share
!
global (outside) 3 1.2.3.4 netmask 255.255.255.255
!
08-03-2012 08:08 AM
Do you need both inbound and outbound connections for the server, or only outbound connections?
If you only need outbound connections, then you don't even need to specify the port on the access-list. You can just configure the following:
nat (inside) 3 172.20.40.100 255.255.255.255
nat (inside) 3 172.20.40.200 255.255.255.255
global (outside) 3 1.2.3.4 netmask 255.255.255.255
However, if you need both inbound and outbound connections for the server, then you should configure the following:
static (inside,outside) tcp 1.2.3.4 443 172.20.40.100 443 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 80 172.20.40.100 80 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 8060 172.20.40.100 8060 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 8070 172.20.40.100 8070 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 25 172.20.40.200 25 netmask 255.255.255.255
08-03-2012 08:15 AM
I need two-way communications (in and out). I am really struggling with the difference between:
static (inside,outside)
and
nat (inside) / global (outside)
08-03-2012 08:18 AM
If you need both inbound and outbound, then the static command is what you need.
The global/nat is for outbound-only translation, and it's dynamic translation.
Static NAT is bi-directional, and it works for both inbound and outbound translation.
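An added example (not part of the thread, and not Cisco code): a small Python check that parses the `static (inside,outside) tcp ...` lines from the answer above, confirms that each public port on the shared address is forwarded to exactly one inside host, and lists which public endpoints reach each server. The function names and the conflicting line are constructed for illustration, and only the pre-8.3 static PAT form shown in the thread is parsed.

```python
import re
from collections import defaultdict

# Pre-8.3 form: static (real_if,mapped_if) tcp|udp mapped_ip mapped_port real_ip real_port ...
STATIC_PAT = re.compile(
    r"^static \(\S+,\S+\) (?P<proto>tcp|udp) (?P<mapped_ip>\S+) "
    r"(?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)")
# The ASA shows some ports by name; only the names relevant to this thread are mapped.
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25}

def port_number(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def parse_static_pat(config_text):
    """Return (proto, mapped_ip, mapped_port, real_ip, real_port) per static PAT line."""
    entries = []
    for line in config_text.splitlines():
        m = STATIC_PAT.match(line.strip())
        if m:  # non-static lines (nat, global, access-list, "!") are skipped
            entries.append((m["proto"], m["mapped_ip"], port_number(m["mapped_port"]),
                            m["real_ip"], port_number(m["real_port"])))
    return entries

def audit(entries):
    """Return (conflicts, exposure): doubly claimed public ports, endpoints per inside host."""
    owners = defaultdict(set)
    for proto, mapped_ip, mapped_port, real_ip, real_port in entries:
        owners[(mapped_ip, proto, mapped_port)].add((real_ip, real_port))
    conflicts = {k: sorted(v) for k, v in owners.items() if len(v) > 1}
    exposure = defaultdict(list)
    for (mapped_ip, proto, mapped_port), targets in sorted(owners.items()):
        for real_ip, _ in sorted(targets):
            exposure[real_ip].append(f"{mapped_ip}:{mapped_port}/{proto}")
    return conflicts, dict(exposure)

# The five static lines from the thread.
THREAD_CONFIG = """\
static (inside,outside) tcp 1.2.3.4 443 172.20.40.100 443 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 80 172.20.40.100 80 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 8060 172.20.40.100 8060 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 8070 172.20.40.100 8070 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 25 172.20.40.200 25 netmask 255.255.255.255
"""
# Constructed for this example: a second host claiming the public web port.
CONFLICTING_LINE = "static (inside,outside) tcp 1.2.3.4 www 172.20.40.200 www netmask 255.255.255.255\n"

if __name__ == "__main__":
    conflicts, exposure = audit(parse_static_pat(THREAD_CONFIG + CONFLICTING_LINE))
    print(exposure, conflicts, sep="\n")
```

The exposure listing doubles as a review aid: every endpoint it prints is a port on the public address that is translated to an inside server.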