
PAT To Different Internal IP Addresses.

tmcadmin
Level 1

Here is my situation and limitation. I have two internal devices (web servers) that listen on port 8080, but I only have one public IP address. I have port 8080 forwarded to the first internal device and it's working fine. I've tried to forward port 8081 to port 8080 on the second internal device and I can't get it to work. I've tried to swap the port from 8081 to 8080 on the 2nd access-list, but still no success. Any help would be appreciated.

Thanks.

See the short config below. I can post the full config if needed, but it's over 400 lines. BTW, I'm also using ZBF.

#### Current Config for first internal device 'hvac 10.10.101.20'.  This part works fine.

!
ip port-map user-hvac port tcp 8080
!
class-map type inspect match-all cmap-hvac
 match access-group 111
 match protocol user-hvac
!
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect cmap-hvac
  inspect
 class class-default
  drop log
!
ip nat inside source static tcp 10.10.101.20 8080 xxx.xxx.xxx.xxx 8080 extendable
!
access-list 111 permit tcp any host 10.10.101.20 eq 8080
!
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1

______________________

#### Added Config for second internal device 'hvac1 10.10.101.21'. 

zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 no service-policy type inspect sdm-pol-NATOutsideToInside-1
!
ip port-map user-hvac1 port tcp 8081
!
class-map type inspect match-all cmap-hvac1
 match access-group 112
 match protocol user-hvac1
!
no policy-map type inspect sdm-pol-NATOutsideToInside-1
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect cmap-hvac
  inspect
 class type inspect cmap-hvac1
  inspect
 class class-default
  drop log
!
ip nat inside source static tcp 10.10.101.21 8080 xxx.xxx.xxx.xxx 8081 extendable
!
access-list 112 permit tcp any host 10.10.101.21 eq 8081
!
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1

1 Reply

tmcadmin
Level 1

I got it. I had to modify the second class-map to support both user-defined protocols.

class-map type inspect match-all cmap-hvac1
 match protocol user-hvac
 match protocol user-hvac1
!
class-map type inspect match-all cmap-hvac1-acl
 match access-group 112
 match class-map cmap-hvac1
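For readers landing on this thread with the same setup (one public address, two inside hosts on the same port, Zone-Based Policy Firewall on the NAT router), here is the complete second-device configuration as an added example. It is not the original poster's configuration. It assumes the order of operations that the working first entry already relies on: for traffic from the outside zone to the inside zone the static PAT translation is applied before the zone-pair policy is evaluated, so the class-map's ACL and port-map are matched against the post-NAT destination (10.10.101.21, TCP 8080), not the public port 8081. ACL 111 in the post matches the inside address and port 8080 for exactly that reason. The public placeholder xxx.xxx.xxx.xxx, the zone, policy-map and class-map names, and the sdm- prefixes are taken from the post; only the contents of ACL 112 and the port-map reference differ.

```cisco
! Second device 'hvac1' 10.10.101.21 (added example, not the post's config)
!
! Static PAT: public xxx.xxx.xxx.xxx:8081 -> inside 10.10.101.21:8080.
! 'extendable' lets several static entries share the one public address.
ip nat inside source static tcp 10.10.101.21 8080 xxx.xxx.xxx.xxx 8081 extendable
!
! Assumed order of operations: the zone-pair policy sees the packet after
! this translation, so the ACL names the inside address and the inside
! port (8080). An entry for port 8081 never matches post-NAT traffic.
access-list 112 permit tcp any host 10.10.101.21 eq 8080
!
! The existing user-hvac port-map (tcp 8080) already describes the post-NAT
! destination port, so the second host reuses it; no user-hvac1 is needed.
class-map type inspect match-all cmap-hvac1
 match access-group 112
 match protocol user-hvac
!
! Rebuild the outside->inside policy with both hosts as inspected classes.
! 'inspect' creates the stateful session that admits the return traffic;
! class-default keeps dropping and logging everything not explicitly published.
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect cmap-hvac
  inspect
 class type inspect cmap-hvac1
  inspect
 class class-default
  drop log
!
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
!
! Verification after connecting to xxx.xxx.xxx.xxx:8081 from outside:
!   show ip nat translations | include 10.10.101.21
!   show policy-map type inspect zone-pair sdm-zp-NATOutsideToInside-1 sessions
!   show policy-map type inspect zone-pair sdm-zp-NATOutsideToInside-1
! A session listed under cmap-hvac1 means both NAT and inspection matched.
! Drop counters climbing on class-default mean the class-map did not match;
! no NAT translation at all means the PAT line is the problem.
```

The match-all class combines the ACL (which host) with the port-map (which service), the same shape as the working cmap-hvac class. Keeping class-default on drop log is the security-relevant part: only the two published host/port pairs are reachable through the zone pair, and anything else arriving at the public address is dropped and logged rather than silently passed.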
