04-24-2006 11:45 AM - edited 03-09-2019 02:42 PM
I have a very simple question regarding inbound/outbound connections.
My PIX is a Cisco 525 running v6.3 software.
We have a MS clustered server that provides 3 IP addresses.
1. Virtual IP address for inbound TCP connections (FTP for example) to the cluster.
2. This cluster also initiates outbound TCP connections. But when the outbound connection is generated, the source IP address will be that of one of the physical boxes (A or B).
So we have a problem. We want to provide all our customers on the outside of the PIX with one IP address for all connections.
Inbound connections are no problem, I'll create a static/access-list mapping with the virtual cluster address:
static (inside,outside) 204.124.119.46 192.168.1.46
access-list acl_customer permit tcp 167.80.159.0 255.255.255.0 host 204.124.119.46 eq 7828
The clustering software will handle directing the inbound traffic on port 7828 to the correct server.
Now the cluster comes into play for outbound connections, I'll need to NAT both real IP addresses behind one address on the outside:
nat (inside) 1 192.168.1.46 255.255.255.252
! This will hide both 192.168.1.46 & 47 addresses
global (outside) 1 204.124.119.46 netmask 255.255.255.255
Is it even possible to have a single IP address on the outside that is created by both a static and nat/global command?
The goal is to show the world a single IP address for both inbound and outbound connections.
Thanks,
-Pete
04-24-2006 01:57 PM
You could try using Port redirection on the incoming traffic
static (inside,outside) tcp 204.124.119.46 7828 192.168.1.46 7828 netmask 255.255.255.255
and nat/global for traffic initiated internally
nat (inside) 1 access-list 100
global (outside) 1 204.124.119.46 netmask 255.255.255.255
access-list 100 permit ip host 192.168.1.46 any
access-list 100 permit ip host 192.168.1.47 any
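As an added illustration (not Fernando's or Pete's configuration), the following simplified Python model walks through how the two rule types above share one outside address: the static PAT entry owns tcp/7828 in both directions, the nat/global pool hands the cluster nodes ephemeral ports on the same IP, and any inbound packet with no translation is dropped. It assumes static translations are consulted before the dynamic pool and uses the addresses quoted in the question.

```python
# Added example, not from the thread: a simplified model of PIX translation
# lookup for a static PAT entry and a policy nat/global pool sharing one IP.
# Assumptions: static entries are checked before the dynamic pool, dynamic
# PAT allocates ports from 1024 upward, unmatched inbound traffic is dropped.
from typing import Dict, Optional, Tuple

OUTSIDE_IP = "204.124.119.46"
# static (inside,outside) tcp 204.124.119.46 7828 192.168.1.46 7828
STATIC_PAT = {("tcp", OUTSIDE_IP, 7828): ("192.168.1.46", 7828)}
# nat (inside) 1 access-list 100 / global (outside) 1 204.124.119.46
ACL_100 = {"192.168.1.46", "192.168.1.47"}

Flow = Tuple[str, str, int, str, int]  # proto, src_ip, src_port, dst_ip, dst_port


class PixNat:
    def __init__(self) -> None:
        # dynamic xlate table: (proto, inside_ip, inside_port) -> global port
        self.xlate: Dict[Tuple[str, str, int], int] = {}
        self.next_port = 1024

    def outbound(self, proto: str, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> Optional[Flow]:
        # 1. static PAT is bidirectional: traffic sourced from the published
        #    inside port keeps the published outside port
        for (p, gip, gport), (iip, iport) in STATIC_PAT.items():
            if (p, iip, iport) == (proto, src_ip, src_port):
                return (proto, gip, gport, dst_ip, dst_port)
        # 2. policy NAT: only hosts matched by access-list 100 use the pool
        if src_ip not in ACL_100:
            return None
        key = (proto, src_ip, src_port)
        if key not in self.xlate:
            self.xlate[key] = self.next_port
            self.next_port += 1
        return (proto, OUTSIDE_IP, self.xlate[key], dst_ip, dst_port)

    def inbound(self, proto: str, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> Optional[Flow]:
        # static PAT: only the published port reaches the cluster VIP
        if (proto, dst_ip, dst_port) in STATIC_PAT:
            iip, iport = STATIC_PAT[(proto, dst_ip, dst_port)]
            return (proto, src_ip, src_port, iip, iport)
        # return traffic for an existing dynamic PAT session
        for (p, iip, iport), gport in self.xlate.items():
            if (p, dst_ip, dst_port) == (proto, OUTSIDE_IP, gport):
                return (proto, src_ip, src_port, iip, iport)
        return None  # no xlate entry: unsolicited inbound is dropped
```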
04-26-2006 11:10 AM
Thanks Fernando,
We did look at this, but unfortunately it'll mean having to modify hundreds of ACLs we already have in place.
We're going to try a workaround by creating one outside IP address for outbound access with a global/NAT and using another address for inbound (static/ACL) access instead of trying to use one address.
-Pete
04-27-2006 05:52 AM
Yes, it is probably the best option.