NAT with PIX 520 with 6.3.5

Jun 8th, 2007
We are facing a problem with a special configuration:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list www_outside_inside permit tcp any host 192.168.117.223 eq www
access-list www_outside_inside permit tcp any host 192.168.117.225 eq www
access-list www_outside_inside permit tcp any host 192.168.117.225 eq https
access-list www_outside_inside permit tcp any host 192.168.117.223 eq https
ip address outside 192.168.117.220 255.255.255.0
ip address inside 10.16.133.100 255.255.252.0
static (inside,outside) 192.168.117.223 10.16.132.47 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.117.225 10.16.132.47 netmask 255.255.255.255 0 0


This works fine with 6.3.3 but is rejected when typing in the second static NAT translation.

Is this a bug or a feature?

Jon Marshall Fri, 06/08/2007 - 02:15
Hi


I have just tried this on 6.3(5) and I get the same error about a duplicate translation. I'll see if I can find a 6.3(3) firewall, but I might be out of luck.


What you could do:


static (inside,outside) tcp 192.168.117.223 80 10.16.132.47 80

static (inside,outside) tcp 192.168.117.225 443 10.16.132.47 443


HTH


Jon

gerd.steinhauer... Fri, 06/08/2007 - 02:39
Hi Jon,

This is not a solution. We are in a transition phase where we move from provider-dependent to provider-independent addresses. The addresses you see have been changed; they are not those on the customer site. What we do is NAT the new addresses to unused addresses of the old space. We want the PIX to translate the old address and the temporary address to the same host. After the DNS change has taken place, we are going to remove the NAT entries and move the PIX to the new IP space.

We do need the translation from two separate addresses to one and the same host.

Gerd

Jon Marshall Fri, 06/08/2007 - 02:45
Gerd


Sincere apologies, I didn't read your existing config closely enough.


Jon

r.sneekes Fri, 06/08/2007 - 05:24
This is not a bug. What you are trying to do is not possible.

It's not possible to static NAT 2 different IP addresses to 1 outside address.

It is possible to do port forwarding as stated above.

Or use PAT, but with PAT, sessions can't be initiated from the outside.
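The port-forwarding workaround that Jon and r.sneekes refer to, written out for the addresses in the question as an added example (this is not configuration posted by any participant in the thread). It assumes the `access-group` line binding the question's access-list to the outside interface, which the original excerpt does not show. Each `static` entry maps one global address and TCP port to the same inside host; the PIX rejects two one-to-one statics for one local address as a duplicate translation, but accepts per-port statics because each global address/port pair is distinct:

```cisco
! Added example, not from the original thread.
! Old public address (.223): forward TCP/80 and TCP/443 to the inside web host.
static (inside,outside) tcp 192.168.117.223 80 10.16.132.47 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.117.223 443 10.16.132.47 443 netmask 255.255.255.255 0 0
! Temporary public address (.225): same inside host, same two ports.
static (inside,outside) tcp 192.168.117.225 80 10.16.132.47 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.117.225 443 10.16.132.47 443 netmask 255.255.255.255 0 0
! The access-list from the question already permits www and https to both
! global addresses; it must be applied inbound on outside (assumed, not shown
! in the original excerpt).
access-group www_outside_inside in interface outside
```

Two caveats a practitioner would check before relying on this: the per-port statics only cover inbound TCP/80 and TCP/443, so the inside host needs a `nat`/`global` pair (or another translation) for any connections it originates itself; and once the DNS cutover is complete, remove the two statics for the address being retired rather than leaving an unused inbound mapping in place.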
