[Config] different types of port forward on a 501 box clarification
What are the differences between these port forwarding commands?
access-list 100 permit tcp any host PublicIP eq 1010
static (inside,outside) PublicIP InternalIP netmask 255.255.255.255 0 0
and
static (inside,outside) tcp PublicIP 1010 InternalIP 1010 netmask 255.255.255.255 0 0
Does this mean the 1st one has all ports being forwarded? Does the 2nd one mean only port 1010 is being forwarded?
Thanks
bkymoof (Austin, TX) | Re: [Config] different types of port forward on a 501 box clarification
The first example isn't port forwarding, it's just opening a port in an access-list for a 1-to-1 static xlate (which I guess one could call port forwarding). The second example is static PAT, for which you would still need an access-list to permit port 1010.
> Does this mean the 1st one has all ports being forwarded?
> Does the 2nd one mean only port 1010 is being forwarded?
Yep and Yep!
aryoba | reply to kracksmith
The 2nd static command states that the PublicIP is translated to InternalIP only when there is incoming traffic to such PublicIP at TCP port 1010.
If you have the following static commands
static (inside,outside) tcp PublicIP 1010 InternalIP1 1010 netmask 255.255.255.255 0 0
static (inside,outside) tcp PublicIP 1011 InternalIP2 1011 netmask 255.255.255.255 0 0
then the PublicIP is translated to InternalIP1 only when there is incoming traffic to such PublicIP at TCP port 1010, AND the PublicIP is translated to InternalIP2 only when there is incoming traffic to such PublicIP at TCP port 1011.
The 1st static command states that the PublicIP is translated to InternalIP regardless of what kind of IP traffic comes in to such PublicIP, whether TCP, UDP, ICMP, ESP, or anything else.
As mentioned, the 1st static command represents static NAT (1-to-1 translation). Typically you apply this command when you want to dedicate a specific PublicIP to a specific InternalIP.
Another reason to apply such a command is when the InternalIP network device is unable to work with static PAT. One good example is a VPN concentrator that uses the ESP protocol. Since the ESP protocol has no concept of port numbers, unlike TCP or UDP, typically you want to dedicate a specific PublicIP to the VPN concentrator's InternalIP.
The 2nd static command represents static PAT (1-to-many translation) as mentioned. Typically you apply this command when you want to share a specific PublicIP among many InternalIPs, where each such InternalIP is able to work with TCP or UDP port translation. One good example is sharing the same PublicIP for multiple physical servers (i.e. web, mail, ftp) that each have their own InternalIP.
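Added example (mine, not from the thread or from Cisco): a small Python model of the lookups bkymoof and aryoba describe. It parses the two static forms plus the outside access-list and reports where an inbound packet lands, so you can check exposure before committing the config. The addresses are constructed placeholders; the rules modelled are the thread's own: a 1-to-1 static matches every protocol, static PAT matches one protocol and port, and the access-list must still permit the destination.

```python
import re

# Constructed PIX 6.x-style config combining both static forms from the thread.
# Addresses are placeholders (RFC 5737 / RFC 1918), not taken from the original post.
CONFIG = """\
access-list 100 permit tcp any host 203.0.113.10 eq 1010
access-list 100 permit tcp any host 203.0.113.10 eq 1011
access-list 100 permit esp any host 203.0.113.20
static (inside,outside) tcp 203.0.113.10 1010 10.0.0.1 1010 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 1011 10.0.0.2 1011 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.20 10.0.0.3 netmask 255.255.255.255 0 0
"""

PAT_RE = re.compile(r"static \(inside,outside\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask")
NAT_RE = re.compile(r"static \(inside,outside\) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"access-list \S+ permit (\S+) any host (\S+)(?: eq (\d+))?")

def parse(config):
    """Return (static PAT entries, static NAT entries, access-list permits)."""
    pat, nat, acl = [], [], []
    for line in config.splitlines():
        if m := PAT_RE.match(line):          # static PAT: one protocol/port pair
            proto, pub, pport, internal, iport = m.groups()
            pat.append((proto, pub, int(pport), internal, int(iport)))
        elif m := NAT_RE.match(line):        # 1-to-1 static: every protocol and port
            nat.append(m.groups())
        elif m := ACL_RE.match(line):
            proto, pub, port = m.groups()
            acl.append((proto, pub, int(port) if port else None))
    return pat, nat, acl

def inbound(config, proto, dst_ip, dst_port=None):
    """Where does an inbound packet to dst_ip end up? Returns (InternalIP, port) or None."""
    pat, nat, acl = parse(config)
    target = None
    for p, pub, pport, internal, iport in pat:   # static PAT needs proto AND port to match
        if (p, pub, pport) == (proto, dst_ip, dst_port):
            target = (internal, iport)
    if target is None:
        for pub, internal in nat:                # 1-to-1 static matches anything sent to PublicIP
            if pub == dst_ip:
                target = (internal, dst_port)
    if target is None:
        return None                              # no xlate: nothing is forwarded
    for p, pub, port in acl:                     # the outside access-list must still permit it
        if p in (proto, "ip") and pub == dst_ip and port in (None, dst_port):
            return target
    return None                                  # xlate exists but the access-list drops it
```

Note that TCP/22 to 203.0.113.20 has an xlate (the 1-to-1 static) but is still dropped, because only ESP is permitted for that address; the static alone does not open anything.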
Thanks aryoba.
I understand the 1-to-1 translation static command and I think this is ideal.
I don't understand the use of a static command of 1-to-many. Why open all ports to a particular server? Isn't it ideal to find what ports or range of ports is needed and then do a 1-to-1 translation?
So what you mean is I can do this:
static (inside,outside) samePublicIP InternalIP1 netmask 255.255.255.255 0 0
static (inside,outside) samePublicIP InternalIP2 netmask 255.255.255.255 0 0
static (inside,outside) samePublicIP InternalIP3 netmask 255.255.255.255 0 0
But still this opens up all the ports to each one of these servers; why not do a 1-to-1 instead?
aryoba | From an implementation perspective, there are several approaches you can use. Let's say you have three different server types: web, mail, and ftp. Each server is within its own dedicated physical server. Since these servers run TCP applications, you can implement static PAT where there is a single Public IP to share among these three servers.
Now let's say each server needs to have a specific DNS name. Each DNS name must reflect a specific Public IP address. With this requirement, you have to do static NAT (1-to-1).
bkymoof (Austin, TX) | reply to kracksmith
Also keep in mind that when using a static PAT statement, an internal host will need a nat/global pair to initiate outbound connections to the internet. With a regular static, it doesn't, which also eases the configuration of defining which host should use which external address when going out.