PIX 515 & Multiple Static NATs

Unanswered Question
Jan 7th, 2003

This is beating me up. If anyone has a suggestion, please help.

I need web services to NAT to two different web servers behind the inside interface. Below are portions of my config. The NAT 0 is there because this is a PPTP and IPSec endpoint as well.


My issue is that port 80 and port 3389 access do not work to 200.200.200.2 but all access works to 200.200.200.1. I'm scratching my head. I also have the pix configured as a PPTP and IPSec endpoint if that matters.

==============

access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0

access-list 101 permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list ipsec permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list 102 permit icmp any any

access-list 102 permit tcp any host 200.200.200.1 eq www

access-list 102 permit tcp any host 200.200.200.1 eq 3389

access-list 102 permit tcp any host 200.200.200.1 eq smtp

access-list 102 permit tcp any host 200.200.200.2 eq 3389

access-list 102 permit tcp any host 200.200.200.2 eq www

ip address outside 200.200.200.1 255.255.255.0

ip address inside 192.168.100.1 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 192.168.0.0 255.255.0.0 0 0

static (inside,outside) tcp 200.200.200.1 www 192.168.100.24 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 200.200.200.1 smtp 192.168.100.24 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp 200.200.200.1 3389 192.168.100.24 3389 netmask 255.255.255.255 0 0

static (inside,outside) 200.200.200.2 192.168.100.25 netmask 255.255.255.255 0 0

access-group 102 in interface outside

bs0000554 Tue, 01/07/2003 - 15:15

Dear PAUL STRAYHORN

A few considerations about your configuration:

1. You do not need to have 3 static translation slots for the NAT 200.200.200.1; it's better to have only one

ex: static (inside,outside) 200.200.200.1 192.168.100.24 netmask 255.255.255.255

and control the traffic with the access-lists

2. You do not have translation slots (NAT defined) for the IP 200.200.200.2.

That's why it's not working!

Make one with the local IP of the other web server

ex: static (inside,outside) 200.200.200.2 netmask 255.255.255.255
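An added example, not part of the original thread or either poster's code: a small Python check that cross-references the `access-list ... permit tcp any host` entries of a PIX config against its `static` translations, so each permitted outside address and port can be traced to an inside target. The function names and regexes are this example's own and cover only the command forms shown in the question.

```python
import re

# Lines copied from the question's config, with wrapped lines rejoined.
CONFIG = """\
access-list 102 permit icmp any any
access-list 102 permit tcp any host 200.200.200.1 eq www
access-list 102 permit tcp any host 200.200.200.1 eq 3389
access-list 102 permit tcp any host 200.200.200.1 eq smtp
access-list 102 permit tcp any host 200.200.200.2 eq 3389
access-list 102 permit tcp any host 200.200.200.2 eq www
static (inside,outside) tcp 200.200.200.1 www 192.168.100.24 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 200.200.200.1 smtp 192.168.100.24 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 200.200.200.1 3389 192.168.100.24 3389 netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.2 192.168.100.25 netmask 255.255.255.255 0 0
"""

ACL_RE = re.compile(r"^access-list \S+ permit tcp any host (\S+) eq (\S+)")
# Port redirection: static (in,out) tcp <global> <port> <local> <port> netmask ...
PORT_STATIC_RE = re.compile(r"^static \(\S+\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
# One-to-one host translation: static (in,out) <global> <local> netmask ...
HOST_STATIC_RE = re.compile(r"^static \(\S+\) (\d\S*) (\d\S*) netmask")

def parse(config):
    """Collect permitted (ip, port) pairs and both kinds of static."""
    permits, port_statics, host_statics = [], {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := ACL_RE.match(line):
            permits.append((m.group(1), m.group(2)))
        elif m := PORT_STATIC_RE.match(line):
            port_statics[(m.group(1), m.group(2))] = (m.group(3), m.group(4))
        elif m := HOST_STATIC_RE.match(line):
            host_statics[m.group(1)] = m.group(2)
    return permits, port_statics, host_statics

def audit(config):
    """Map each permitted (global_ip, port) to its inside (ip, port), or None."""
    permits, port_statics, host_statics = parse(config)
    result = {}
    for ip, port in permits:
        if (ip, port) in port_statics:
            result[(ip, port)] = port_statics[(ip, port)]
        elif ip in host_statics:  # host static carries every port
            result[(ip, port)] = (host_statics[ip], port)
        else:
            result[(ip, port)] = None  # permit with no translation behind it
    return result

if __name__ == "__main__":
    for (ip, port), target in audit(CONFIG).items():
        print(f"{ip}:{port} ->", target or "NO STATIC")
```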
