cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
745
Views
0
Helpful
4
Replies

One-to-One NAT

dbs-pcdoctor
Level 1
Level 1

Hello. I've got a pretty basic small network set up with a PIX 501 as the router. My inside subnet is a typical 192.168.0.0/24 setup. I received four IP addresses from my ISP (which I will list if you like), and I currently have one bound to the outside interface. I'm doing typical PAT to pass the data from the inside network to the outside.

Now, what I want to get set up is this:

I have two printers on the internal network that I would like to have public IP's on them so the company's automated system can send the job's to a public IP from the remote office (I realize this is a horrible idea, but I'm working with some software company that refuses to do it any other way).

I'm just wondering if I can keep the internal IP's for the printers (as the people in the local office need to print to them, as well as remotely), and make some kind of NAT rule to do this that wont disturb my global NAT rule.

I've found a few examples on the net, but whenever I set it up, the external world doesn't seem to be able to find these public IP's that I just bind with NAT, and insert access rules to allow it (basically, I just want to allow anything to these public IP's from the outside due to the software companies requirements, again, a horrible idea, I know).

I was hoping that perhaps I could get some examples from the pros (you guys). Thanks in advance!

Shane

4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

Shane

printer1 = 192.168.0.10 to be presented as public IP 195.166.77.10

printer2 = 192.168.0.11 to be presented as public IP 195.166.77.11

On pix

static (inside,outside) 195.166.77.10 192.168.0.10 netmask 255.255.255.255

static (inside,outside) 195.166.77.11 192.168.0.11 netmask 255.255.255.255

And then in your access-list on the outside interface you need to allow access to these printers. You will need to know the port number (lets assume TCP/515) and you can either lock it down to the remote IP addresses (if you know them) or allow any eg.

access-list outside_access_in permit tcp any host 195.166.77.10 eq 515

access-list outside_access_in permit tcp any host 195.166.77.11 eq 515

If you can lock down the source IP addresses rather than use "any" that at least would supply a modicum of security. You may also want to consider using a site-to-site VPN from the remote site for increased security.

The access-list would need to be applied to the outside interface eg.

access-group outside_access_in interface outside

Note also there is an implicit "deny ip any any" at the end of any access-list so if you need to allow other connections initiated from outside your pix to your internal network then you need to add these to your access-list.

Jon

Thanks so much for the quick reply, Jon.

I will go ahead and give this a shot. I have actually brought up the VPN idea to them multiple times, but they are very stubborn about their approach to this matter. The security issues are a major concern of mine, but sometimes there's just no getting through to some people.

Just as a side note, if I take of the "eq " off the end, will it just allow any port? I will probably note end up doing this, but I am just curious.

Thanks again,

Shane

Shane

Yes you can take the "eq

access-list outside_access_in permit ip any host 195.166.77.10

etc...

I can see you also appreciate the security issues by allowing this access. If vpn is not a possibility look to isolate the printers eg. private vlans or put them on a DMZ but this may cause problems if your internal users need them as well.

They may be stubborn but are they prepared to compensate you if your internal network is hacked ?

Jon

eno2p
Level 1
Level 1

Hello,

 

In some cases we have to configure the services side. In my case I set up my FTP services to accept and manager passive connections and apply on this (ftp services) the external ip address. 

 

Hope this help you.

 

 

Review Cisco Networking for a $25 gift card