04-03-2007 02:05 PM - edited 03-11-2019 02:55 AM
Is it possible to NAT to 1 of 2 different inside destination IPs based solely on the external source IP address?
There is something similar described, but it doesn't work:
access-list WEB permit tcp host 10.1.2.1 209.165.201.11 255.255.255.255 eq 80
access-list TELNET permit tcp host 10.1.3.1 209.165.201.11 255.255.255.255 eq 23
nat (outside) 1 access-list WEB outside
global (inside) 1 209.165.202.129
nat (outside) 2 access-list TELNET outside
global (inside) 2 209.165.202.130
Thanks,
Dan
04-04-2007 08:10 PM
Hi Dan,
One final follow-up to this conversation (just for completeness). If you happened to use policy-nat, please note that it does not support using ports in the ACL. The ACL must only contain IPs/networks and no ports.
Sorry for not mentioning that sooner.
Sincerely,
David.
04-03-2007 07:56 PM
Your question isn't totally clear.
The config above is accurate (assuming you know what it is doing). You are missing the translation for the internal host you are attempting to access. (ie: static (inside,outside) 209.165.201.11
Sincerely,
David.
04-04-2007 06:30 AM
Hi David:
Here's a better description of my scenario:
Two outside source IPs: 10.1.1.1 and 10.1.1.2
Both connecting to 172.16.0.1 on port 80
If 10.1.1.1 connects to 172.16.0.1 on port 80, NAT to inside IP 192.168.1.1 port 80.
If 10.1.1.2 connects to 172.16.0.1 on port 80, NAT to inside IP 192.168.2.2 port 80.
It makes sense that this requires a corresponding static entry as well.
Thanks,
Dan
04-04-2007 06:46 AM
Hi Dan,
Then OK, that will work.
Sincerely,
David.
04-04-2007 07:02 AM
Hi David:
OK, great. But I'm still confused on the syntax. Here's what I have so far:
access-list host1 permit tcp host 10.1.1.1 host 172.16.0.1 eq 80
access-list host2 permit tcp host 10.1.1.2 host 172.16.0.1 eq 80
nat (outside) 1 access-list host1 outside
global (inside) 1 192.168.1.1
nat (outside) 2 access-list host2 outside
global (inside) 2 192.168.2.2
But, I don't think the static command will let you map the same IP twice:
static (inside,outside) tcp 172.16.0.1 80 192.168.1.1 80
static (inside,outside) tcp 172.16.0.1 80 192.168.2.2 80
Your help is greatly appreciated,
Dan
04-04-2007 09:45 AM
Hi Dan,
Think of NATing in 2 parts:
a) Internal device's source IP being NATed when it accesses devices on the outside
b) External device's source IP being NATed when it accesses devices on the inside
For the config you have been focusing on, that covers (b), whereby you are policy-NATing the source IP of the hosts on the outside (10.1.1.1 and 10.1.1.2) when they attempt to access 172.16.0.1 on the inside. Each outside host will be translated to a different inside IP.
For the case of (a) you just need a single static, as both outside hosts are accessing the same server. (right?) If that server's IP address is not being translated, then the command would just be:
static (inside,outside) 172.16.0.1 172.16.0.1 netmask 255.255.255.255
That statement just tells the PIX to translate the source (172.16.0.1) to itself when it goes from inside -> outside. It also tells external devices that if they connect to destination address 172.16.0.1, then the address would be translated to itself on the inside.
Now, (hopefully this won't complicate things more) if you _additionally_ wanted the two external hosts to go to the same global address, but that global address would be translated to two different internal addresses, then that would also be possible, but a bit more complicated ;-)
Sincerely,
David.
PS> Please don't forget to check the solution off if it solves your problem so we can cross it off the list.
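Putting David's two parts together, here is a complete PIX configuration for Dan's scenario as David describes it. This is an added example, not configuration posted by anyone in the thread: it combines Dan's nat/global lines with David's identity static, and drops the "eq 80" from the policy-NAT ACLs in line with David's follow-up that those ACLs may contain only IPs/networks. The outside interface ACL and its name "outside_access_in" are an assumption; the thread shows no inbound access list.

```cisco
! Added example (not from the thread). Interfaces are assumed to be
! named "inside" and "outside".
!
! Part (b): outside NAT. Translate the two outside source hosts to
! different inside addresses when they reach 172.16.0.1. Per David's
! follow-up, a policy-NAT ACL carries no port, so no "eq 80" here.
access-list host1 permit ip host 10.1.1.1 host 172.16.0.1
access-list host2 permit ip host 10.1.1.2 host 172.16.0.1
nat (outside) 1 access-list host1 outside
global (inside) 1 192.168.1.1
nat (outside) 2 access-list host2 outside
global (inside) 2 192.168.2.2
!
! Part (a): a single identity static for the server, since both outside
! hosts are reaching the same destination address 172.16.0.1.
static (inside,outside) 172.16.0.1 172.16.0.1 netmask 255.255.255.255
!
! Inbound traffic from outside still has to be permitted on the outside
! interface; restrict it to the two hosts and the one port actually used.
! ACL name "outside_access_in" is assumed, not from the thread.
access-list outside_access_in permit tcp host 10.1.1.1 host 172.16.0.1 eq 80
access-list outside_access_in permit tcp host 10.1.1.2 host 172.16.0.1 eq 80
access-group outside_access_in in interface outside
```

After applying it, a connection from 10.1.1.1 to 172.16.0.1:80 should appear in `show xlate` as an outside-to-inside translation of 10.1.1.1 to 192.168.1.1, and one from 10.1.1.2 as a translation to 192.168.2.2; the server at 172.16.0.1 keeps its own address in both directions. Note that this is exactly what David says it is: source translation of the outside hosts. It does not redirect the two hosts to two different inside servers, which is the scenario Dan clarifies later in the thread.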
04-04-2007 10:04 AM
Hi David:
Sorry, I think I still wasn't clear on my scenario. I want to redirect to one of two different inside servers but based on which source IP.
Two outside source IPs: 10.1.1.1 and 10.1.1.2
Both connecting to 172.16.0.1 on port 80
If 10.1.1.1 connects to 172.16.0.1 on port 80, redirect to inside server 192.168.1.1.
If 10.1.1.2 connects to 172.16.0.1 on port 80, redirect to inside server 192.168.2.2.
Sorry for the misunderstanding.
Thanks,
Dan
04-04-2007 10:41 AM
Here we need static port redirection, which is only unidirectional; however, you CANNOT NAT 172.16.0.1 on port 80 to two different servers.
Though this can be done...
static (inside,outside) tcp 172.16.0.1 80 192.168.1.1 80
static (inside,outside) tcp 172.16.0.1 8080 192.168.2.2 8080
04-04-2007 05:22 PM
Hi Dan,
Unfortunately, we don't have a way to achieve that currently.
Sorry,
David.