NAT issue on FWSM

puneetj_mrt · ‎04-20-2017

Hi ,

We are having a server which ip is 10.11.16.21 . We have already NAT it with 115.110.103.11 for the port no. from 80 to 90 . It’s working fine .

Now, we need to map the above mentioned internal ip (10.11.16.21) with the other public ip 115.110.103.14 for the same port no. (80 to 90) . It’s a requirement from our client .

Sample commands executed :

static (INSIDE-HTTPGTW,INTERNET) tcp 115.110.103.11 81 10.11.16.21 81 netmask 255.255.255.255
static (INSIDE-HTTPGTW,INTERNET) tcp 115.110.103.14 81 10.11.16.21 81 netmask 255.255.255.255

When we execute the 2nd command,it shows an error “duplicate of existing static” .

Kindly guide , how could we do this .

Thanks in Adv. :)

Marvin Rhoads · ‎04-20-2017

A given host can only have a single static NAT for a given port number.

Otherwise how would the firewall know which one to use?

puneetj_mrt · ‎04-20-2017

Thanks Marvin for reply .

Actually , we want to implement a redundant NAT . Coz , server receives the data from modem . We configure both the public IPs on modem .

Previously this config. was implemented on other firewall called 'Cyberoam' & it was working fine . Now . we are moving it on to cisco FWSM .

Marvin Rhoads · ‎04-21-2017

I don't know what a Cyberoam is but you cannot configure it the way you are trying using a Cisco FWSM.

If you could provide a more complete system explanation we might be able to suggest an alternative.

puneetj_mrt · ‎04-22-2017

Marvin ,

Can we do one thing . Assign 2 ip addresses to the server of same range viz.10.11.16.21 & 10.11.16.22 . And then map these 2 internal ip addresses with the 2 public ip addresses .

Marvin Rhoads · ‎04-22-2017

That would be ok on the firewall. On the server however, one or the other address would be in use at a given time unless you did some hack of the host routing table.

Its all a bit of a hack - if we knew the overall architecture and requirements we might be able to suggest a more elegant and supportable solution.