Forums » Equipment Support » Hardware By Brand » Cisco » [Config] different types of port forward on a 501 box clarifaca

kracksmith

join:2004-07-14
Fullerton, CA

[Config] different types of port forward on a 501 box clarifaca

What are the differences between these port forwarding methods?

access-list 100 permit tcp any host PublicIP eq 1010

static (inside,outside) PublicIP InternalIP netmask 255.255.255.255 0 0

and

static (inside,outside) tcp PublicIP 1010 InternalIP 1010 netmask 255.255.255.255 0 0

Does this mean the 1st one has all ports being forwarded?
Does the 2nd one mean only port 1010 is being forwarded?

Thanks


bky
moof moof
Premium
join:2002-07-05
Austin, TX


Re: [Config] different types of port forward on a 501 box clari

The first example isn't port forwarding, it's just opening a port in an access-list for a 1-to-1 static xlate (which I guess one could call port forwarding). The second example is static PAT, for which you would still need an access-list permitting port 1010.

>Does this mean the 1st one has all ports being forwarded?
>Does the 2nd one mean only port 1010 is being forwarded?
Yep and Yep!

aryoba
Premium,MVM
join:2002-08-22

reply to kracksmith
The 2nd static command states that the PublicIP is translated to InternalIP only when there is incoming traffic to such PublicIP at TCP port 1010.

If you have the following static commands

static (inside,outside) tcp PublicIP 1010 InternalIP1 1010 netmask 255.255.255.255 0 0
static (inside,outside) tcp PublicIP 1011 InternalIP2 1011 netmask 255.255.255.255 0 0

then the PublicIP is translated to InternalIP1 only when there is incoming traffic to such PublicIP at TCP port 1010 AND the PublicIP is translated to InternalIP2 only when there is incoming traffic to such PublicIP at TCP port 1011.

The 1st static command states that the PublicIP is translated to InternalIP regardless of the kind of incoming IP traffic to such PublicIP: TCP, UDP, ICMP, ESP, or anything else.

As mentioned, the 1st static command represents static NAT (1-to-1 translation). Typically you apply this command when you want to dedicate a specific PublicIP to a specific InternalIP.

Another reason to apply such a command is when the InternalIP network device is unable to work with static PAT. One good example is a VPN concentrator that uses the ESP protocol. Since ESP has no concept of port numbers, unlike TCP or UDP, typically you want to dedicate a specific PublicIP to the VPN concentrator's InternalIP.

The 2nd static command represents static PAT (1-to-many translation), as mentioned. Typically you apply this command when you want to share a specific PublicIP among many InternalIPs, where each InternalIP is able to work with TCP or UDP port translation. One good example is sharing the same PublicIP for multiple physical servers (i.e. web, mail, ftp) that each have their own InternalIP.
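
A small Python model of the two checks the PIX applies to inbound traffic, added here as an example and not taken from any post or from Cisco code: whether a static (NAT or PAT) translates the packet at all, and whether the outside access-list permits it. The addresses and the rule encoding are constructed stand-ins for the thread's PublicIP / InternalIP; the "esp" case shows why a VPN concentrator needs plain static NAT.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

@dataclass(frozen=True)
class Static:
    """One PIX 'static' entry. proto/port are None for plain static NAT."""
    public_ip: str
    internal_ip: str
    proto: Optional[str] = None
    port: Optional[int] = None

@dataclass(frozen=True)
class Packet:
    dst_ip: str
    proto: str                  # "tcp", "udp", "icmp", "esp", ...
    dst_port: Optional[int] = None

def translate(statics: List[Static], pkt: Packet) -> Optional[str]:
    """InternalIP an inbound packet is translated to, or None when no
    static covers it (no xlate means the PIX has nowhere to deliver it)."""
    for s in statics:
        if s.public_ip != pkt.dst_ip:
            continue
        if s.proto is None:                                  # static NAT: every protocol
            return s.internal_ip
        if (s.proto, s.port) == (pkt.proto, pkt.dst_port):   # static PAT: one proto/port
            return s.internal_ip
    return None

def permitted(acl: List[Tuple[str, str, Optional[int]]], pkt: Packet) -> bool:
    """acl entries are (proto, dst_ip, dst_port); proto 'ip' or port None match any."""
    for proto, ip, port in acl:
        if proto in ("ip", pkt.proto) and ip == pkt.dst_ip and port in (None, pkt.dst_port):
            return True
    return False

def inbound(statics, acl, pkt) -> Optional[str]:
    """The internal host that receives the packet, or None if it is dropped."""
    target = translate(statics, pkt)
    return target if target and permitted(acl, pkt) else None

# Constructed addresses standing in for the thread's PublicIP / InternalIP.
PUB, INT1, INT2 = "203.0.113.10", "10.0.0.11", "10.0.0.12"
ACL = [("tcp", PUB, 1010)]                 # access-list 100 permit tcp any host PublicIP eq 1010
STATIC_NAT = [Static(PUB, INT1)]           # static (inside,outside) PublicIP InternalIP ...
STATIC_PAT = [Static(PUB, INT1, "tcp", 1010),   # static (inside,outside) tcp PublicIP 1010 InternalIP1 1010
              Static(PUB, INT2, "tcp", 1011)]   # static (inside,outside) tcp PublicIP 1011 InternalIP2 1011
```

With STATIC_NAT the access-list is the only thing limiting which ports reach InternalIP; with STATIC_PAT the translation itself limits it, and TCP 1011 is still dropped until the access-list permits that port too.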

kracksmith

join:2004-07-14
Fullerton, CA

Thanks aryoba.

I understand the 1-to-1 translation static command and I think this is ideal.

I don't understand the use of a static command of 1-to-many. Why open all ports to a particular server? Isn't it ideal to find what ports or range of ports is needed and then do a 1-to-1 translation?

So what you mean is I can do this:

static (inside,outside) samePublicIP InternalIP1 netmask 255.255.255.255 0 0

static (inside,outside) samePublicIP InternalIP2 netmask 255.255.255.255 0 0

static (inside,outside) samePublicIP InternalIP3 netmask 255.255.255.255 0 0

But still this opens up all the ports to each one of these servers, so why not do a 1-to-1 instead?

aryoba
Premium,MVM
join:2002-08-22

From an implementation perspective, there are several approaches you can use. Let's say you have three different server types: web, mail, and ftp. Each runs on its own dedicated physical server. Since these servers run TCP applications, you can implement static PAT with a single Public IP shared among these three servers.

Now let's say each server needs to have a specific DNS name. Each DNS name must map to a specific Public IP address. With this requirement, you have to do static NAT (1-to-1).


bky
moof moof
Premium
join:2002-07-05
Austin, TX

reply to kracksmith
Also keep in mind that when using a static PAT statement, an internal host will need a nat/global pair to initiate outbound connections to the internet. With a regular static, it doesn't, which also eases the configuration of defining which host should use which external address when going out.
Thursday, 26-Nov 22:57:54 | © 1999-2009 dslreports.com