10-12-2005 12:49 AM - edited 03-09-2019 12:42 PM
I have a PIX 525.
There is only one public IP I can use.
I need to do PAT for internal users to go to the web.
I also want a static map to the IP so outside users can access our web.
But when I configure the two together, internal users can't access the internet.
How can I make the two things work using one public IP?
Any help will be appreciated.
10-12-2005 02:31 AM
Hi,
Here are two different static statements:
1) static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255
2) static (inside,outside) tcp interface 80 y.y.y.y 80 netmask 255.255.255.255
Here, x.x.x.x = Your public (PIX outside interface) IP address.
y.y.y.y = Private IP address of your web server.
The "interface" keyword refers to the outside interface IP address of your PIX.
I'm sure you would be using the first one in the above example. If you use the first one, you make a one-to-one translation for your public and private IP address, letting the PIX know that the public IP address is always associated with this private IP address.
Using the second statement in the above example (also called port forwarding) would resolve the issue and achieve your goal.
Reason: Port forwarding works only for inbound traffic, and the rest of the outbound traffic uses the nat and global combination to go out to the internet.
Rahul Pathania
10-12-2005 03:41 AM
The main point is that there is only one public IP, so port forwarding is the way to go.
e.g.
static (inside,outside) tcp
access-list 100 permit tcp any host
access-group 100 in interface outside
At the same time, apply the following for internal users accessing the internet:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
All these commands, including static, acl, global, and nat, will work together.
10-12-2005 05:18 PM
I'm very glad to see the reply.
I'm from China and my English is not very good; it's a surprise you can totally understand me. Thank you, rpathani and jackko.
I just used this command:
static (inside,outside)
I will use the port translation to test.
10-12-2005 11:20 PM
jackko basically had it correct, but to cover all your bases completely, you may be better off using the interface keyword for all your NAT w/PAT commands.
global (outside) 1 interface
nat (inside) 1 0 0
access-list acl_outside permit tcp any interface outside eq 80
static (inside,outside) tcp interface 80
access-group acl_outside in interface outside
This will ensure that if you are using either ip address outside dhcp or ip address pppoe (without static IPs) you will not run into any problems down the road.
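The following is an added example, not part of the thread or any poster's code: a small Python check that flags the two conditions discussed above in a PIX 6.x style config, namely a one-to-one static that claims the same address used for interface PAT, and a port-forward static with no access-group bound inbound on the outside interface. The sample configs, addresses and the `audit` function name are constructed for illustration.

```python
import re

# Constructed sample configs in the PIX 6.x syntax used in the thread.
# All addresses are documentation/placeholder values.
BROKEN = """\
ip address outside 198.51.100.10 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 198.51.100.10 10.0.0.5 netmask 255.255.255.255
"""
FIXED = """\
ip address outside 198.51.100.10 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 80 10.0.0.5 80 netmask 255.255.255.255
access-list acl_outside permit tcp any interface outside eq 80
access-group acl_outside in interface outside
"""

def audit(config):
    """Return a list of findings for a PIX 6.x style config (hypothetical helper)."""
    findings = []
    m = re.search(r"^ip address outside (\S+)", config, re.M)
    outside_ip = m.group(1) if m else None
    # PAT that reuses the outside interface address for outbound traffic.
    pat = re.search(r"^global \(outside\) \d+ interface\b", config, re.M)
    # An ACL must be bound inbound on outside for forwarded ports to be reachable.
    acl_bound = re.search(r"^access-group \S+ in interface outside\b", config, re.M)
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"static \(inside,outside\) (.+)", line)
        if not m:
            continue
        args = m.group(1).split()
        if args[0] in ("tcp", "udp"):
            # Port forwarding: only the listed port is translated inbound.
            if not acl_bound:
                findings.append("port-forward without outside ACL: " + line)
        elif pat and args[0] in ("interface", outside_ip):
            # One-to-one static ties the whole PAT address to a single host.
            findings.append("one-to-one static on PAT address: " + line)
    return findings

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, audit(cfg) or "no findings")
```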
10-24-2005 09:22 AM
Can someone help me do the same thing but on IOS, not PIX?
Thanks,
10-24-2005 03:01 PM
ip nat inside source static tcp
e.g. for mail server,
ip nat inside source static tcp 192.168.1.1 25 203.1.1.1 25 extendable