Destination NAT based on source IP?

dan.shalinsky
Level 1

Is it possible to NAT to 1 of 2 different inside destination IP's based solely on the external source IP address?

There is something similar described but it doesn't work:

access-list WEB permit tcp host 10.1.2.1 209.165.201.11 255.255.255.255 eq 80
access-list TELNET permit tcp host 10.1.3.1 209.165.201.11 255.255.255.255 eq 23
nat (outside) 1 access-list WEB outside
global (inside) 1 209.165.202.129
nat (outside) 2 access-list TELNET outside
global (inside) 2 209.165.202.130

Thanks,

Dan


9 Replies

David White
Cisco Employee

Your question isn't totally clear.

The config above is accurate (assuming you know what it is doing). You are missing the translation for the internal host you are attempting to access (i.e. static (inside,outside) 209.165.201.11 ...). However, I can't add much more without more specifics, and things like the version you are running, etc., as there are a lot of other variables involved.

Sincerely,

David.

Hi David:

Here's a better description of my scenario:

Two outside source IPs: 10.1.1.1 and 10.1.1.2

Both connecting to 172.16.0.1 on port 80

If 10.1.1.1 connects to 172.16.0.1 on port 80, NAT to inside IP 192.168.1.1 port 80.

If 10.1.1.2 connects to 172.16.0.1 on port 80, NAT to inside IP 192.168.2.2 port 80.

It makes sense that this requires a corresponding static entry as well.

Thanks,

Dan

Hi Dan,

Then ok that will work.

Sincerely,

David.

Hi David:

OK, great. But I'm still confused on the syntax. Here's what I have so far:

access-list host1 permit tcp host 10.1.1.1 host 172.16.0.1 eq 80
access-list host2 permit tcp host 10.1.1.2 host 172.16.0.1 eq 80
nat (outside) 1 access-list host1 outside
global (inside) 1 192.168.1.1
nat (outside) 2 access-list host2 outside
global (inside) 2 192.168.2.2

But, I don't think the static command will let you map the same IP twice:

static (inside,outside) tcp 172.16.0.1 80 192.168.1.1 80
static (inside,outside) tcp 172.16.0.1 80 192.168.2.2 80

Your help is greatly appreciated,

Dan

Hi Dan,

Think of NATing in 2 parts:

a) Internal device's source IP being NATed when it accesses devices on the outside

b) External device's source IP being NATed when it accesses devices on the inside

For the config you have been focusing on, that covers (b), whereby you are policy-NATing the source IP of the hosts on the outside (10.1.1.1 and 10.1.1.2) when they attempt to access 172.16.0.1 on the inside. Each outside host will be translated to a different inside IP.

For the case of (a) you just need a single static, as both outside hosts are accessing the same server. (right?) If that server's IP address is not being translated, then the command would just be:

static (inside,outside) 172.16.0.1 172.16.0.1 netmask 255.255.255.255

That statement just tells the PIX to translate the source (172.16.0.1) to itself when it goes from inside -> outside. It also tells external devices that if they connect to destination address 172.16.0.1, then the address would be translated to itself on the inside.

Now, (hopefully this won't complicate things more) if you _additionally_ wanted the two external hosts to go to the same global address, but that global address would be translated to two different internal addresses, then that would also be possible, but a bit more complicated ;-)

Sincerely,

David.

PS: Please don't forget to check the solution off if it solves your problem so we can cross it off the list.

Hi David:

Sorry, I think I still wasn't clear on my scenario. I want to redirect to one of two different inside servers but based on which source IP.

Two outside source IPs: 10.1.1.1 and 10.1.1.2

Both connecting to 172.16.0.1 on port 80

If 10.1.1.1 connects to 172.16.0.1 on port 80, redirect to inside server 192.168.1.1.

If 10.1.1.2 connects to 172.16.0.1 on port 80, redirect to inside server 192.168.2.2.

Sorry for the misunderstanding.

Thanks,

Dan

Here we need static port redirection, which is only unidirectional; however, you CANNOT NAT 172.16.0.1 on port 80 to two different servers.

though this can be done...

static (inside,outside) tcp 172.16.0.1 80 192.168.1.1 80
static (inside,outside) tcp 172.16.0.1 8080 192.168.2.2 8080

Hi Dan,

Unfortunately, we don't have a way to achieve that currently.

Sorry,

David.

Hi Dan,

One final follow-up to this conversation (just for completeness). If you happened to use policy-nat, please note that it does not support using ports in the ACL. The ACL must only contain IPs/networks and no ports.

Sorry for not mentioning that sooner.

Sincerely,

David.
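The two constraints raised in this thread (a global ip:port can appear in only one static, and a policy-NAT ACL must not match on ports) are easy to check before pasting config onto a PIX. The following is an added example, not from the thread or from Cisco, that scans a config fragment for exactly those two mistakes; it assumes only the command forms used above and the constructed sample below (Dan's two statics plus the two port-bearing ACLs).

```python
import re
from collections import defaultdict

# Constructed sample (not a real device config): Dan's two proposed statics
# plus the two port-bearing policy-NAT ACLs from the thread.
SAMPLE_CONFIG = """
access-list host1 permit tcp host 10.1.1.1 host 172.16.0.1 eq 80
access-list host2 permit tcp host 10.1.1.2 host 172.16.0.1 eq 80
nat (outside) 1 access-list host1 outside
nat (outside) 2 access-list host2 outside
static (inside,outside) tcp 172.16.0.1 80 192.168.1.1 80
static (inside,outside) tcp 172.16.0.1 80 192.168.2.2 80
"""

# Simplified patterns covering only the three command forms used in the thread.
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
POLICY_NAT_RE = re.compile(r"^nat \(\w+\) \d+ access-list (\S+)")
ACL_PORT_RE = re.compile(r"^access-list (\S+) permit .*\b(eq|range|gt|lt) \S+")


def check_pix_nat(config):
    """Return a list of problem strings found in PIX-style NAT config text."""
    problems = []
    globals_seen = defaultdict(list)   # (proto, global ip, port) -> local targets
    policy_acls = set()                # ACL names referenced by policy NAT
    acls_with_ports = set()            # ACL names that match on a port
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            _, _, proto, gip, gport, lip, lport = m.groups()
            globals_seen[(proto, gip, gport)].append(f"{lip}:{lport}")
            continue
        m = POLICY_NAT_RE.match(line)
        if m:
            policy_acls.add(m.group(1))
            continue
        m = ACL_PORT_RE.match(line)
        if m:
            acls_with_ports.add(m.group(1))
    # One global ip:port cannot be redirected to two different inside hosts.
    for (proto, gip, gport), targets in globals_seen.items():
        if len(targets) > 1:
            problems.append(f"duplicate static for {proto} {gip}:{gport} -> {', '.join(targets)}")
    # Policy NAT ACLs must match on IPs/networks only, not on ports.
    for acl in sorted(policy_acls & acls_with_ports):
        problems.append(f"policy NAT ACL {acl} matches on a port; it must contain IPs/networks only")
    return problems
```

Running `check_pix_nat(SAMPLE_CONFIG)` reports the colliding 172.16.0.1:80 statics and both ACLs; the port-8080 variant from the last reply passes clean.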
