
We are setting up a streaming service to an external client and they need access to an internal workstation along with certain ports open on our firewall. I need to configure two public IP addresses on a PIX 506 to map to two internal private addresses. My understanding, weak at best, is the 506 only has one outside interface and that is already assigned a public address.

Our PIX is no longer supported by Cisco, so I am not able to use our Smartnet contract to get help for this configuration. While we do have several other devices under contract with them, they are not 506's and they won't help us out with the configuration.

I have the ports I need to open and I think I know how to write the access list to allow them through (one example):

access-list outside_access_in permit tcp any host <IP address> eq 389

static (inside,outside) tcp <IP address> 1718 172.16.4.211 389 netmask 255.255.255.255 0 0

My question: do I just add the public IP addresses I want to assign in the IP address field, for each address and protocol, or do I need to do something else, or am I not able to do what I want?

Please let me know if I need to provide anything else as far as configuration.

Regards.

Kernel Panic

1 Answer

If you're looking to set up 1-to-1 NAT, it should be as simple as:

static (inside,outside) <public address> <private address> netmask 255.255.255.255

As well as the access-list command that you've listed.

Shane Madden
  • Yes. I am looking for 1 to 1. But I need it for two different public IPs, separate from the public IP on the firewall. The client will connect through the public IPs, mapped to the internal, private workstations. What I would like to know is if I can, on the 506, map those additional public IPs on the single outside interface. Let's say my firewall is 67.x.x.x and my client wants 68.1.x.x and 68.2.x.x, which I own, mapped to the internal workstations. Is that doable on the PIX 506? I can edit the question if it will help. Thank you. – Kernel Panic Apr 25 '12 at 02:49
  • Yes - use those IPs in that configuration. That'll never function for the interface IP, it has special config considerations when used in NAT. Since they're not in the same subnet as the ASA's interface IP, you also need to route traffic for those addresses to the ASA in one way or another. – Shane Madden Apr 25 '12 at 04:51
  • Your help was invaluable. I was wrapped around the axle on this one and after re-reading your answer I realized I inverted the placement of the public and private IPs in the command. Thanks again!! – Kernel Panic May 23 '12 at 20:27
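To show the answer's 1-to-1 static together with the operand order clarified in the comments, here is an added PIX 6.x configuration fragment (not from the original post or from Cisco documentation). 68.1.x.x and 68.2.x.x are the page's placeholder public addresses, 172.16.4.211 and port 389 come from the question, and 172.16.4.212 is an assumed address for the second workstation.

```cisco
! Constructed example, PIX 6.x syntax.
! The public (global) address comes first, then the private (local) one:
!   static (inside,outside) <public> <private> netmask 255.255.255.255
static (inside,outside) 68.1.x.x 172.16.4.211 netmask 255.255.255.255 0 0
static (inside,outside) 68.2.x.x 172.16.4.212 netmask 255.255.255.255 0 0
!
! Permit only the ports the client needs, per mapped public address.
! "any" can be narrowed to the client's source address once it is known.
access-list outside_access_in permit tcp any host 68.1.x.x eq 389
access-list outside_access_in permit tcp any host 68.2.x.x eq 389
!
! The access list has no effect until it is bound to the outside interface.
access-group outside_access_in in interface outside
!
! 68.1.x.x and 68.2.x.x are not in the outside interface's subnet, so the
! upstream router must route them to the PIX; the PIX will not answer ARP
! for them. After changing statics, run "clear xlate" so cached
! translations do not keep using the old mapping.
```

Check the result with `show xlate` and `show access-list outside_access_in`; the hit counts on the two permit lines confirm the client's traffic is matching the intended entries.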