NAT issue on FWSM

Apr 20th, 2017

Hi,

We have a server whose IP is 10.11.16.21. We have already NATed it to 115.110.103.11 for port numbers 80 to 90. It's working fine.

Now, we need to map the above-mentioned internal IP (10.11.16.21) to another public IP, 115.110.103.14, for the same port numbers (80 to 90). It's a requirement from our client.

Sample commands executed:

  1. static (INSIDE-HTTPGTW,INTERNET) tcp 115.110.103.11 81 10.11.16.21 81 netmask 255.255.255.255
  2. static (INSIDE-HTTPGTW,INTERNET) tcp 115.110.103.14 81 10.11.16.21 81 netmask 255.255.255.255

When we execute the 2nd command, it shows the error “duplicate of existing static”.

Kindly guide us on how we could do this.

Thanks in advance. :)

Marvin Rhoads Thu, 04/20/2017 - 03:56
User Badges:
  • Super Silver, 17500 points or more
  • Cisco Designated VIP, 2017 Firewalling, Network Management, VPN

A given host can only have a single static NAT for a given port number.

Otherwise, how would the firewall know which one to use?

puneetj_mrt Thu, 04/20/2017 - 21:20

Thanks Marvin for the reply.

Actually, we want to implement a redundant NAT, because the server receives the data from a modem. We configure both public IPs on the modem.

Previously this config was implemented on another firewall, called 'Cyberoam', and it was working fine. Now we are moving it onto a Cisco FWSM.

Marvin Rhoads Fri, 04/21/2017 - 02:57

I don't know what a Cyberoam is, but you cannot configure it the way you are trying on a Cisco FWSM.

If you could provide a more complete system explanation we might be able to suggest an alternative.

puneetj_mrt Sat, 04/22/2017 - 04:24

Marvin,

Can we do one thing: assign 2 IP addresses from the same range to the server, viz. 10.11.16.21 and 10.11.16.22, and then map these 2 internal IP addresses to the 2 public IP addresses?

Marvin Rhoads Sat, 04/22/2017 - 06:44

That would be OK on the firewall. On the server, however, one or the other address would be in use at a given time unless you did some hack of the host routing table.

It's all a bit of a hack. If we knew the overall architecture and requirements we might be able to suggest a more elegant and supportable solution.
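The following is an added illustration, not code from the thread or from the FWSM itself: a small Python model of a static PAT table that keys entries on both the mapped (outside) side and the real (inside) side. It reproduces why the second command in the question is refused (the reverse, inside-to-outside translation for 10.11.16.21:81 would have two candidates) and shows that the two-address workaround discussed above is accepted on the firewall side. The duplicate check, the key fields and the `parse_static` helper are assumptions made for this model; the real FWSM keys its table internally in its own way, and this only captures the one rule the thread runs into.

```python
"""Toy model of a static PAT table, written for this thread (not FWSM code).

Assumption: an entry is rejected if either its mapped-side key or its
real-side key already exists, since either collision would make one
translation direction ambiguous.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Static:
    inside_if: str
    outside_if: str
    proto: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


class StaticTable:
    """Holds static PAT entries and resolves both translation directions."""

    def __init__(self):
        # (outside_if, proto, mapped_ip, mapped_port) -> Static
        self._by_mapped = {}
        # (inside_if, proto, real_ip, real_port) -> Static
        self._by_real = {}

    def add(self, s: Static) -> None:
        mkey = (s.outside_if, s.proto, s.mapped_ip, s.mapped_port)
        rkey = (s.inside_if, s.proto, s.real_ip, s.real_port)
        # A second entry for the same real host:port would leave the
        # outbound (reply) translation with two possible mapped addresses.
        if mkey in self._by_mapped or rkey in self._by_real:
            raise ValueError("duplicate of existing static")
        self._by_mapped[mkey] = s
        self._by_real[rkey] = s

    def inbound(self, outside_if, proto, dst_ip, dst_port):
        """Untranslate a packet arriving on the outside interface: mapped -> real."""
        s = self._by_mapped.get((outside_if, proto, dst_ip, dst_port))
        return None if s is None else (s.real_ip, s.real_port)

    def outbound(self, inside_if, proto, src_ip, src_port):
        """Translate a reply leaving the inside interface: real -> mapped."""
        s = self._by_real.get((inside_if, proto, src_ip, src_port))
        return None if s is None else (s.mapped_ip, s.mapped_port)


def parse_static(line: str) -> Static:
    """Parse only the form used in the thread (hypothetical helper):
    static (IN,OUT) tcp MAPPED MPORT REAL RPORT netmask 255.255.255.255"""
    parts = line.split()
    if parts[0] != "static" or parts[2] not in ("tcp", "udp"):
        raise ValueError("unsupported static form: " + line)
    inside_if, outside_if = parts[1].strip("()").split(",")
    return Static(inside_if, outside_if, parts[2],
                  parts[3], int(parts[4]), parts[5], int(parts[6]))


def try_thread_config():
    """Apply the two commands from the question, then the two-address workaround.

    Returns the resulting table and the per-command outcome strings.
    """
    t = StaticTable()
    results = []
    cmds = [
        "static (INSIDE-HTTPGTW,INTERNET) tcp 115.110.103.11 81 10.11.16.21 81 netmask 255.255.255.255",
        "static (INSIDE-HTTPGTW,INTERNET) tcp 115.110.103.14 81 10.11.16.21 81 netmask 255.255.255.255",
        # Workaround from the thread: a second real address on the server.
        "static (INSIDE-HTTPGTW,INTERNET) tcp 115.110.103.14 81 10.11.16.22 81 netmask 255.255.255.255",
    ]
    for c in cmds:
        try:
            t.add(parse_static(c))
            results.append("ok")
        except ValueError as e:
            results.append(str(e))
    return t, results


if __name__ == "__main__":
    table, outcomes = try_thread_config()
    for outcome in outcomes:
        print(outcome)
    print(table.inbound("INTERNET", "tcp", "115.110.103.14", 81))
    print(table.outbound("INSIDE-HTTPGTW", "tcp", "10.11.16.21", 81))
```

Running it reports "ok", "duplicate of existing static", "ok" for the three commands. The check it models is the firewall-side half of the problem only; whether the server actually answers from both 10.11.16.21 and 10.11.16.22 is the host-side question raised in the reply above and is outside what this model shows.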
