Cisco PIX/ASA - Static NAT
#1
Fixed Error!
Posts: 1,497
Join Date: Mar 2007
    web server ---------- Cisco PIX 501 ---------- outside host
    10.10.10.10/24   10.10.10.1/24   192.168.168.1/24   192.168.168.10/24
                     (inside)        (outside)

I need to configure the firewall such that the outside host can access the web server (as long as it can ping the web server successfully).

I have applied the following ACL to the inside and outside interface:

    access-list outside permit icmp any any
    access-list outside permit ip any any
    access-list inside permit icmp any any
    access-list inside permit ip any any

I know this also has to be related to the static command. I want the IP of the outside host (192.168.168.10) untranslated when passing the firewall to access the web server, which means the web server sees an incoming access from an IP of 192.168.168.10. What should my static statement look like?

I also wish to find out how many types of static NAT there are, what they are, and how they are used. Thank you.
#2
Fixed Error!
Posts: 1,497
Join Date: Mar 2007
    no access-group outside in interface outside
    no access-list outside
    no access-list inside
    static (inside,outside) tcp interface www 10.10.10.10 www netmask 255.255.255.255
    access-list outside permit tcp host 192.168.168.10 interface outside eq www
    access-group outside in interface outside

Try the web access from the outside host. Don't worry that you can't ping it.

Can you use any other outside IP address besides the one assigned to your interface? If yes, then you can do this:

    static (inside,outside) 192.168.168.2 10.10.10.10 netmask 255.255.255.255
    access-list outside permit tcp host 192.168.168.10 host 192.168.168.2 eq www
    access-list outside permit icmp host 192.168.168.10 host 192.168.168.2
    access-group outside in interface outside

Now from the outside host you can ping 192.168.168.2 and you can run the web application - but only from that single outside host. The www server will always see the requesting IP of 192.168.168.10. The outside host only sees the natted 192.168.168.2 address.
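Added example, not part of either post and not Cisco code: a simplified Python model of the second configuration in the answer, showing that the static rewrites only the destination and that the outside ACL, written against the mapped address, decides who gets in. The function names and the `OPEN` variant, which pairs the same static with the question's original outside ACL, are constructed for illustration.

```python
import re

PORTS = {"www": 80}  # the only named port used on this page

# Second configuration from the answer above, copied verbatim.
RESTRICTED = """\
static (inside,outside) 192.168.168.2 10.10.10.10 netmask 255.255.255.255
access-list outside permit tcp host 192.168.168.10 host 192.168.168.2 eq www
access-list outside permit icmp host 192.168.168.10 host 192.168.168.2
access-group outside in interface outside
"""
# Same static with the question's original outside ACL (constructed pairing).
OPEN = """\
static (inside,outside) 192.168.168.2 10.10.10.10 netmask 255.255.255.255
access-list outside permit icmp any any
access-list outside permit ip any any
access-group outside in interface outside
"""

STATIC_RE = re.compile(r"static \(inside,outside\) (\S+) (\S+) netmask 255\.255\.255\.255$")
ACL_RE = re.compile(r"access-list outside permit (\S+) (any|host \S+) (any|host \S+)(?: eq (\S+))?$")

def parse(config):
    statics, acl = {}, []
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            statics[m.group(1)] = m.group(2)  # mapped (outside) -> real (inside)
        elif m := ACL_RE.match(line):
            proto, src, dst, port = m.groups()
            if port is not None:
                port = PORTS[port] if port in PORTS else int(port)
            acl.append((proto, src, dst, port))
    return statics, acl

def addr_ok(rule, ip):
    return rule == "any" or rule == "host " + ip

def inbound(config, proto, src, dst, dport=None):
    """Return (source, destination) as the inside server sees them, or None if dropped."""
    statics, acl = parse(config)
    # Rules are matched on the mapped address; unmatched traffic hits the implicit deny.
    permitted = any(
        p in ("ip", proto) and addr_ok(s, src) and addr_ok(d, dst) and port in (None, dport)
        for p, s, d, port in acl
    )
    if not permitted or dst not in statics:
        return None
    return src, statics[dst]  # only the destination is rewritten; the source is untouched
```

Comparing `inbound(RESTRICTED, ...)` with `inbound(OPEN, ...)` for a source other than 192.168.168.10 shows why the answer replaces the `permit ip any any` entries before adding the static.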