06-08-2007 01:49 AM - edited 03-11-2019 03:27 AM
We are facing a problem with a special configuration:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list www_outside_inside permit tcp any host 192.168.117.223 eq www
access-list www_outside_inside permit tcp any host 192.168.117.225 eq www
access-list www_outside_inside permit tcp any host 192.168.117.225 eq https
access-list www_outside_inside permit tcp any host 192.168.117.223 eq https
ip address outside 192.168.117.220 255.255.255.0
ip address inside 10.16.133.100 255.255.252.0
static (inside,outside) 192.168.117.223 10.16.132.47 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.117.225 10.16.132.47 netmask 255.255.255.255 0 0
Is working fine with 6.3.3 but is rejected when typing in the second static NAT translation.
Is this a bug or a feature?
06-08-2007 02:15 AM
Hi
I have just tried this on 6.3(5) and I get the same error about duplicate translation. I'll see if I can find a 6.3(3) firewall but I might be out of luck.
What you could do:
static (inside,outside) tcp 192.168.117.223 80 10.16.132.47 80
static (inside,outside) tcp 192.168.117.225 443 10.16.132.47 443
HTH
Jon
06-08-2007 02:39 AM
Hi Jon,
This is not a solution. We are in a transition phase where we move from provider-dependent to provider-independent addresses. The addresses you see have been changed; they are not those on the customer site. What we do is NAT the new addresses to unused addresses of the old space. We want the PIX to translate the old address and the temporary address to the same host. After the DNS change has taken place, we are going to remove the NAT entries and move the PIX to the new IP space.
We do need the translation from two separate addresses to one and the same.
Gerd
06-08-2007 02:45 AM
Gerd
Sincere apologies, I didn't read your existing config closely enough.
Jon
06-08-2007 05:24 AM
This is not a bug. What you are trying to do is not possible.
It's not possible to static NAT 2 different IP addresses to 1 outside address.
It is possible to do port forwarding as stated above.
Or use PAT, but with PAT, sessions can't be initiated from the outside.
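An added example, not part of the thread: a pre-check that flags the pattern discussed here, two `static` entries on the same interface pair that map different outside addresses to one inside host. It assumes the duplicate-translation check keys on the real address (plus protocol and real port for port redirection); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed samples: the static lines quoted in the thread.
THREAD_CONFIG = """\
static (inside,outside) 192.168.117.223 10.16.132.47 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.117.225 10.16.132.47 netmask 255.255.255.255 0 0
"""
PORT_FORWARD_CONFIG = """\
static (inside,outside) tcp 192.168.117.223 80 10.16.132.47 80
static (inside,outside) tcp 192.168.117.225 443 10.16.132.47 443
"""

STATIC_RE = re.compile(
    r"^static\s+\((\w+),(\w+)\)\s+"
    r"(?:(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"  # port redirection form
    r"|(\S+)\s+(\S+))"                                  # one-to-one form
)

def parse_statics(config):
    """Return (real_if, mapped_if, proto, mapped_ip, real_ip, real_port) tuples."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue  # not a static line
        real_if, mapped_if, proto, m_ip, _m_port, r_ip, r_port, m_ip2, r_ip2 = m.groups()
        if proto:
            entries.append((real_if, mapped_if, proto, m_ip, r_ip, r_port))
        else:
            entries.append((real_if, mapped_if, None, m_ip2, r_ip2, None))
    return entries

def find_duplicate_real_hosts(config):
    """Map each colliding real-side key to the sorted mapped addresses pointing at it.

    Assumption: two statics collide when interface pair, protocol, real address
    and real port are identical but the mapped addresses differ.
    """
    by_real = defaultdict(set)
    for real_if, mapped_if, proto, m_ip, r_ip, r_port in parse_statics(config):
        by_real[(real_if, mapped_if, proto, r_ip, r_port)].add(m_ip)
    return {key: sorted(ips) for key, ips in by_real.items() if len(ips) > 1}

if __name__ == "__main__":
    for key, mapped in find_duplicate_real_hosts(THREAD_CONFIG).items():
        print("duplicate translation candidates for", key[3], "->", mapped)
```
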