Single IP address with Static translations

gbraver
Level 1

Trying to replace a Linksys router with a PIX and am stumped.

While I have configured many a PIX, I typically use static translations to provide for SMTP/POP/remote desktop connections behind the PIX, i.e.:

static (inside,outside) 151.204.296.156 192.168.10.5 netmask 255.255.255.255

access-list 101 permit tcp any host 192.168.10.5 eq pop3

access-list 101 permit tcp any host 192.168.10.5 eq smtp

access-list 101 permit tcp any host 192.168.10.4 eq 3389

access-group 101 in interface outside

The problem I have here is that 151.204.296.156 is the only assigned address, and the above static/access lists appear to block all internet traffic.

Am I doing something wrong? Any way around this without getting new addresses? How do I translate one address to multiple hosts (i.e. one to mail server, one to port 3389 on other server)?

Thanks

1 Reply

gfullage
Cisco Employee

You create port statics, basically the same as the static you've shown but only for a particular port. Something like the following should do you:

static (inside,outside) tcp 151.204.296.156 110 192.168.10.5 110 netmask 255.255.255.255

static (inside,outside) tcp 151.204.296.156 25 192.168.10.5 25 netmask 255.255.255.255

static (inside,outside) tcp 151.204.296.156 3389 192.168.10.5 3389 netmask 255.255.255.255

Then define your access-list as normal, only allowing those ports in. Then for outbound traffic, define a PAT translation for the same address with:

nat (inside) 5 0 0

global (outside) 5 151.204.296.156

See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026694 for command details. Have fun.
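
An added example, not part of the original reply or of Cisco's documentation: a small Python audit that cross-checks port statics against inbound ACL permits in a PIX 6.3-style configuration, so that every port forwarded on the single outside address is deliberate. The sample configuration is constructed; 203.0.113.10 stands in for the outside address, and the ACL entries are assumed to name that outside address as their destination.

```python
import re

# Constructed sample config; 203.0.113.10 is a documentation address used as
# a stand-in for the single outside IP.
SAMPLE = """\
static (inside,outside) tcp 203.0.113.10 110 192.168.10.5 110 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 25 192.168.10.5 25 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 3389 192.168.10.4 3389 netmask 255.255.255.255
access-list 101 permit tcp any host 203.0.113.10 eq pop3
access-list 101 permit tcp any host 203.0.113.10 eq smtp
access-list 101 permit tcp any host 203.0.113.10 eq 22
access-group 101 in interface outside
nat (inside) 5 0 0
global (outside) 5 203.0.113.10
"""

# Port keywords the CLI accepts in place of numbers (subset used here).
PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "https": 443}

STATIC_RE = re.compile(r"^static \(\w+,\w+\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any host (\S+) eq (\S+)")


def port(token):
    """Convert a port keyword or numeric string to an int."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def audit(config):
    """Compare port statics with ACL permits and report mismatches."""
    statics, permits = {}, set()
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            proto, gip, gport, lip, lport = m.groups()
            statics[(proto, gip, port(gport))] = (lip, port(lport))
        elif m := ACL_RE.match(line):
            _, proto, dst, p = m.groups()
            permits.add((proto, dst, port(p)))
    return {
        # Forwarded and permitted: the services actually exposed.
        "reachable": {k: v for k, v in statics.items() if k in permits},
        # Forwarded but not permitted: the service is silently unreachable.
        "static_without_permit": sorted(set(statics) - permits),
        # Permitted but not forwarded: a stale rule to clean up.
        "permit_without_static": sorted(permits - set(statics)),
    }
```

In the constructed sample, the 3389 static has no matching permit and the permit for port 22 has no static, so both appear in the report.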