NAT and Static Mappings

Status
Not open for further replies.

ITboywonder

Technical User
Aug 25, 2003
32
US
I'm new to installing the PIX firewalls, but am knowledgeable and experienced with networking, and Cisco routers and switches.

I have a question about a firewall I am installing for a client. I have one public ip from the ISP which I have assigned to the outside interface which connects to the demarc. With that public IP I am enabling NAT with overloading (PAT) to all hosts on the LAN side.

My question and problem that I have is that I have 2 servers behind the inside (LAN) interface that I need to have access to remotely via terminal services, ftp, tftp, etc.

To do this I would need two more public IP addresses on the same subnet as the outside (WAN) interface. Then I would configure static mappings from the inside servers' private IP addresses to the public IP addresses that are sitting on the outside interface, or pool. Then create ACLs permitting the type of traffic I want to come through.

DOES THIS SOUND CORRECT? OR IS THERE ANOTHER WAY TO GO WITHOUT USING MORE PUBLIC IPs?

Any help would be GREATLY appreciated
-Nate
 
One way would be to map the ports to different ports on the external interface of the single WAN IP of the PIX: FTP to one server maps to 21, FTP to the other maps to 2121, for example, and so on for the other ports.

A better solution, considering the sort of access you're allowing, would be to create a remote user VPN on the PIX, and make users connect with the Cisco VPN client before they get terminal services access to the servers. In fact, if you do decide to map terminal services connections through to a public address on the WAN of the PIX, I'd recommend taking the PIX down the shops and selling it, as it's no longer protecting your servers, so there's not much point having it.

If you've never set up a remote access VPN on a PIX before, the VPN wizard in PDM (the web-based PIX config tool) is surprisingly good at doing it for you.

If you'd rather do it using command line, this doc should help point you in the right direction, but if anything's not clear shout, and people are always glad to help;


CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
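
The port-mapping option from the reply above, written out as an added PIX 6.x configuration example (not part of the original posts). The server addresses 192.168.1.10 and 192.168.1.11, the trusted remote network 203.0.113.0/24 and the ACL name outside_in are assumptions; terminal services is deliberately not published, in line with the reply's advice to put it behind the VPN.

```cisco
!--- Added example for PIX 6.x. Assumed values: servers 192.168.1.10 and
!--- 192.168.1.11, trusted remote network 203.0.113.0/24, ACL name outside_in.
!--- Lines starting with "!---" are annotations, not commands.

!--- Existing PAT: all LAN hosts overload the single outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

!--- Port redirection on the one public IP:
!--- outside tcp/21   -> server 1 tcp/21
!--- outside tcp/2121 -> server 2 tcp/21
static (inside,outside) tcp interface ftp 192.168.1.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2121 192.168.1.11 ftp netmask 255.255.255.255 0 0

!--- FTP inspection only watches port 21 by default; add the alternate port
!--- so the data channel for the second server is handled as well.
fixup protocol ftp 2121

!--- The outside ACL matches the translated (public) address and port.
!--- Restrict the source to known networks rather than "any".
access-list outside_in permit tcp 203.0.113.0 255.255.255.0 interface outside eq ftp
access-list outside_in permit tcp 203.0.113.0 255.255.255.0 interface outside eq 2121
access-group outside_in in interface outside

!--- No static or ACL entry for terminal services (tcp/3389): reach it
!--- through the remote access VPN instead.
```

After applying, `show static` and `show access-list outside_in` confirm that only the two FTP redirections are exposed.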
 
Sorry! I've given you a link about configuring access to the old Secure VPN Client. This link addresses the newer VPN client that Cisco make, although even this link only covers version 3.x. Version 4 is now out, but although some of the graphics are different, the config on the VPN client software is basically the same ...

hope this is a bit better use!


CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 