PIX 7.0.4 NAT Issue

Unanswered Question
Jan 16th, 2006

I recently upgraded from version 6.3.4 to 7.0.4 on a new PIX firewall. Now it appears that mapping multiple outside IP addresses to a single inside IP, which was supported in 6.3.4, is no longer supported in 7.0.4. Is this true, and if so, are there any workarounds? Thanks.


PIX 6.3.4 Config

----------------

access-list acl_DMZ_in permit tcp 192.168.3.3 255.255.255.0 any eq 80

access-list acl_DMZ_in permit tcp 192.168.3.3 255.255.255.0 any eq 443

access-list acl_DMZ_in permit tcp host 192.168.3.3 host 10.250.225.25 eq 9080

access-list acl_DMZ_in permit tcp host 192.168.3.3 host 10.250.225.25 eq 9443

static (DMZ,outside) 172.16.1.10 192.168.3.3 netmask 255.255.255.255 0 0

static (DMZ,outside) 172.16.1.11 192.168.3.3 netmask 255.255.255.255 0 0

static (DMZ,outside) 172.16.1.12 192.168.3.3 netmask 255.255.255.255 0 0


PIX 7.0.4 Config

----------------

access-list acl_DMZ_in extended permit tcp 192.168.3.3 255.255.255.0 any eq 80

access-list acl_DMZ_in extended permit tcp 192.168.3.3 255.255.255.0 any eq 443

access-list acl_DMZ_in extended permit tcp host 192.168.3.3 host 10.250.225.25 eq 9080

access-list acl_DMZ_in extended permit tcp host 192.168.3.3 host 10.250.225.25 eq 9443

static (DMZ,outside) 172.16.1.10 192.168.3.3 netmask 255.255.255.255 0 0


config term

static (DMZ,outside) 172.16.1.11 192.168.3.3 netmask 255.255.255.255 0 0

ERROR: duplicate of existing static

DMZ-1:192.168.3.3 to outside:172.16.1.11 netmask 255.255.255.255



jackko Mon, 01/16/2006 - 18:47

Providing different static statements are used for different ports, you can configure port forwarding instead of one-to-one mapping.


e.g.

static (dmz,outside) tcp 172.16.1.10 9443 192.168.3.3 9443 netmask 255.255.255.255

static (dmz,outside) tcp 172.16.1.11 9080 192.168.3.3 9080 netmask 255.255.255.255
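
A pre-upgrade check for the situation in this thread, added here as an example and not posted by either participant: it scans a saved config for one-to-one static lines that map several outside addresses to the same inside host, the pattern 7.0.4 rejected above with "duplicate of existing static". It assumes the duplicate check is keyed on the real interface and real IP, as the error on the page suggests; the function names and the sample config are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the three one-to-one statics from the 6.3.4 config in the
# question, plus one port-based static (constructed addresses) in the reply's form.
SAMPLE_CONFIG = """\
static (DMZ,outside) 172.16.1.10 192.168.3.3 netmask 255.255.255.255 0 0
static (DMZ,outside) 172.16.1.11 192.168.3.3 netmask 255.255.255.255 0 0
static (DMZ,outside) 172.16.1.12 192.168.3.3 netmask 255.255.255.255 0 0
static (dmz,outside) tcp 172.16.1.20 9443 192.168.3.4 9443 netmask 255.255.255.255
"""

STATIC_RE = re.compile(r"^static\s+\(([^,\s]+),([^)\s]+)\)\s+(.*)$", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def find_conflicting_statics(config_text):
    """Hypothetical helper: group one-to-one statics by (real_if, mapped_if, real_ip)
    and return the groups that contain more than one mapped address."""
    groups = defaultdict(list)
    for raw in config_text.splitlines():
        m = STATIC_RE.match(raw.strip())
        if not m:
            continue
        real_if, mapped_if, rest = m.groups()
        tokens = rest.split()
        # Port-based statics (tcp/udp) are the form the reply suggests; skip them.
        if len(tokens) < 2 or tokens[0].lower() in ("tcp", "udp"):
            continue
        mapped_ip, real_ip = tokens[0], tokens[1]
        if not IPV4_RE.match(real_ip):
            continue  # not a plain host static (second token is a keyword)
        groups[(real_if.lower(), mapped_if.lower(), real_ip)].append(mapped_ip)
    return {key: ips for key, ips in groups.items() if len(ips) > 1}


def report(config_text):
    """Return one line per conflict: first mapping kept, later ones flagged."""
    lines = []
    for (real_if, mapped_if, real_ip), ips in find_conflicting_statics(config_text).items():
        lines.append(f"{real_if}:{real_ip} -> {mapped_if}: first static {ips[0]} loads; "
                     f"would be rejected as duplicate: {', '.join(ips[1:])}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```
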
