Port based NAT on pix 506e?

Mar 7th, 2008

I have a PIX sitting between the world and 20 webservers. At the moment my NAT rules are simple:

82.x.x.1 --> /24

82.x.x.2 --> /24

80/443 allowed anything else dropped

I want to redirect a couple of IPs to another server.

So if source A is requesting access to 82.x.x.1 can I redirect it to

acomiskey Fri, 03/07/2008 - 08:29

Yes, if you used pat...

static (inside,outside) tcp 82.x.x.1 80 80 netmask

static (inside,outside) tcp 82.x.x.1 443 443 netmask

static (inside,outside) tcp 82.x.x.2 80 80 netmask

static (inside,outside) tcp 82.x.x.2 443 443 netmask

static (inside,outside) tcp 82.x.x.1 netmask

must be different than 80 or 443.

cornishgod Fri, 03/07/2008 - 08:33

That's no good. What I'm trying to do is redirect some Google servers to one of our beefier servers.

cisco24x7 Fri, 03/07/2008 - 11:03

Yes, that can be done very easily if you have a Checkpoint firewall. With Checkpoint, you can put in a manual NAT rule in addition to static NAT. It can be done in 20 seconds, followed by a policy push.

I think it can be done with PIX via policy NAT, but do not hold me to it.

CCIE Security

brettmilborrow Fri, 03/07/2008 - 16:14

So if I am right, you want inbound connections to the same global address to be translated to more than one internal host on the same port?

If this is correct, then this is only possible if you are using different ports (as shown in the example given above), otherwise I am afraid this is not possible without a device that can load balance.

cisco24x7 Fri, 03/07/2008 - 18:51

With Checkpoint, the solution is a very simple one:

1- create your static NAT,

2- create a manual NAT above the static NAT as follows:

Source     Dest       Service   Translated source   Translated dest
Source_A   82.x.x.1   80/443    original            192.168.x.1

Place this NAT rule above the auto NAT rule and you will be set.

Easy right?

CCIE Security
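A small model of the ordered NAT table from the post above, added here as an example and not part of the thread (addresses are constructed placeholders from the documentation ranges, and 203.0.113.0/24 stands in for Source_A): it shows why the source-specific manual rule must sit above the auto static rule, and adds a check that reports rules an earlier rule shadows.

```python
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional, Tuple

class Packet(NamedTuple):
    src: str    # outside source address
    dst: str    # public (global) address the packet is addressed to
    dport: int  # destination port

class NatRule(NamedTuple):
    src: str            # "any" or a network the outside source must belong to
    dst: str            # public address matched by the rule
    ports: Tuple[int, ...]
    real: str           # inside host the packet is translated to

# Constructed table following the post: the manual (source-specific) rule
# sits ABOVE the automatic static rule so it is evaluated first.
# All addresses are placeholders, not the thread's real addresses.
MANUAL_THEN_STATIC: List[NatRule] = [
    NatRule("203.0.113.0/24", "82.0.0.1", (80, 443), "192.168.0.2"),  # Source_A -> spare server
    NatRule("any",            "82.0.0.1", (80, 443), "192.168.0.1"),  # auto static for 82.x.x.1
]

def translate(pkt: Packet, table: List[NatRule]) -> Optional[str]:
    """First-match evaluation: return the inside host the packet is sent to,
    or None when no rule applies (the firewall then drops it, matching the
    thread's 'only 80/443 allowed' policy)."""
    for rule in table:
        if pkt.dst != rule.dst or pkt.dport not in rule.ports:
            continue
        if rule.src != "any" and ip_address(pkt.src) not in ip_network(rule.src):
            continue
        return rule.real
    return None

def shadowed(table: List[NatRule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule already
    covers every packet they would match: the ordering mistake of putting the
    auto static rule above the manual rule."""
    dead = []
    for i, rule in enumerate(table):
        for earlier in table[:i]:
            src_covered = earlier.src == "any" or (
                rule.src != "any" and ip_network(rule.src).subnet_of(ip_network(earlier.src)))
            if earlier.dst == rule.dst and set(rule.ports) <= set(earlier.ports) and src_covered:
                dead.append(i)
                break
    return dead

if __name__ == "__main__":
    print(translate(Packet("203.0.113.7", "82.0.0.1", 80), MANUAL_THEN_STATIC))   # 192.168.0.2
    print(shadowed(list(reversed(MANUAL_THEN_STATIC))))                            # [1]
```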

cornishgod Mon, 03/10/2008 - 02:52

Thanks for all your advice; it looks like it can't be done.

Basically Google blams one of our sites every now and then, which kills a webserver. What I would like to have done:

If destination = server x and source = Google then go to server y

as server y is much older and slower and serves the same site as server x, so we don't mind if that one goes down.

I'm looking into load balancers now. Can anyone recommend a good one?

brettmilborrow Mon, 03/10/2008 - 04:10

Cisco have a product called CCS or Content Switch Solution.

I would recommend looking at the F5 LTM product as well.
