
501:port forwarding pub ip:xxx.xxx.xxx.xxx 80 to priv:yyy.yyy.yyy.yyy

May 4, 2002
the basic setup below allows full access to the outside world from the private network via pat/nat (works great). in addition, i would like to be able to access my internal web server at 192.168.1.241 port 80 via 206.111.80.98 port 80 while on the internet (outside). please advise. i have tried numerous things and the only result is that i break nat/pat from the internal hosts. i only have one public ip assigned. any gurus out there wanna tackle (good is a howto, better is command syntax :) ?

-Fred



interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 206.111.80.98 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 192.168.1.5 255.255.255.255 inside
pdm location 206.111.80.98 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.1.241 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 206.111.80.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.5 255.255.255.255 inside
http 192.168.1.3 255.255.255.255 inside
http 192.168.1.2 255.255.255.255 inside
floodguard enable
no sysopt route dnat
telnet 192.168.1.0 255.255.255.0 inside
telnet 206.111.80.98 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 192.168.1.241 216.13.28.12
dhcpd lease 360000
 
Fred,

This is probably what you are looking for.
You already have an access list defined (access-group 100 in interface outside ) so add these lines:


access-list 100 permit tcp any host 206.111.80.98 eq 80
static (inside,outside) tcp interface 80 192.168.1.241 80 netmask 255.255.255.255 0 0

Good Luck!
--
Ed McLaughlin, MCP
Senior Software Engineer
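
A port forward of this kind is two statements that have to stay in step: the static that maps the outside port to the inside host, and the permit in the access list bound to the outside interface. The Python below is an added example, not part of either post: it audits a config for statics with no matching permit and for permits left behind after a static was removed. The function name and the sample text (lines from the thread plus the two suggested lines) are constructed for illustration, and only the exact rule forms shown in this thread are parsed.

```python
import re

# Constructed sample: lines from the thread's config plus the two suggested lines.
SAMPLE = """\
ip address outside 206.111.80.98 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
access-list 100 permit tcp any host 206.111.80.98 eq 80
static (inside,outside) tcp interface 80 192.168.1.241 80 netmask 255.255.255.255 0 0
"""

# Only the statement forms that appear in this thread are recognised;
# named ports, ranges and other ACL forms are out of scope for this sketch.
STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) interface (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any host (\S+) eq (\d+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")
ADDR_RE = re.compile(r"^ip address outside (\S+)")


def audit_port_forwards(config):
    """Return (forwards, findings) for interface-based static PAT entries."""
    lines = [l.strip() for l in config.splitlines()]
    outside_ip = next((m.group(1) for l in lines if (m := ADDR_RE.match(l))), None)
    bound_acl = next((m.group(1) for l in lines if (m := GROUP_RE.match(l))), None)
    # (protocol, outside port) -> (inside host, inside port)
    statics = {(m.group(1), int(m.group(2))): (m.group(3), int(m.group(4)))
               for l in lines if (m := STATIC_RE.match(l))}
    # Permits count only if they sit in the ACL bound to the outside
    # interface and name the outside address.
    permits = {(m.group(2), int(m.group(4)))
               for l in lines if (m := ACL_RE.match(l))
               and m.group(1) == bound_acl and m.group(3) == outside_ip}
    findings = []
    for key in sorted(statics.keys() - permits):
        findings.append("static %s/%d has no permit in the outside ACL: unreachable" % key)
    for key in sorted(permits - statics.keys()):
        findings.append("ACL permits %s/%d but no static maps it: stale rule" % key)
    return statics, findings
```
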
 
thread35-266670 should have read down a little further before I posted. It seems he has the same problem I have which isn't name related at all. For some reason the PIX establishes a connection but doesn't allow any exchange.
 
Sorry I responded to wrong thread?
 