ip redirect with PIX 515

teez007
Level 1

Hi,

I have a PIX 515 that I need to use as an IP redirector.

For example, if users try to access 80.80.80.80, they need to be redirected to 90.90.90.90.

Is it possible?

show ver:

Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: Ext: Ethernet0           : address is 000b.5fad.0c99, irq 10
1: Ext: Ethernet1           : address is 000b.5fad.0c9a, irq 11

Licensed features for this platform:
Maximum Physical Interfaces  : 6
Maximum VLANs                : 25
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Disabled
Cut-through Proxy            : Enabled
Guards                       : Enabled
URL Filtering                : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : Unlimited

This platform has an Unrestricted (UR) license.

Thanks in advance for the help.

T

12 Replies

mirober2
Cisco Employee

Hi Thuven,

You can use static NAT for this. See this page for more details and examples:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1043190

-Mike

If your 90.90.90.90 is on a locally connected segment, you can use a static route such as the one below, assuming you already have a NAT in place for 80.80.80.80 (static NAT):

route (inside or dmz) 80.80.80.80 255.255.255.255 90.90.90.x

Thanks

Rizwan Rafeek.

Hi,

Both IPs are on the outside interface; I am trying to redirect users on my LAN.

Any ideas?

Hi Thuven,

You can try something like this:

static (outside,inside) 80.80.80.80 90.90.90.90 netmask 255.255.255.255

When users on the inside try to access 80.80.80.80, the PIX will change the destination IP of the packet to be 90.90.90.90.

-Mike

I am not 100 percent sure exactly what it is that you are trying to accomplish, based on the information you have provided so far.

You said: "both IPs are on the outside interface, i am trying to redirect users on my lan."

I assume that you have sub-interface IP addresses (two IPs) on the outside interface; if so, then you need a policy-based NAT.

Regular NAT:

access-list allow-nat-all extended permit ip 80.80.80.0 255.255.255.0 any
global (outside) 1 interface
nat (inside) 1 access-list allow-nat-all

Policy NAT:

access-list allow-nat-specific extended permit ip host 80.80.80.80 host 90.90.90.90
global (outside) 2 xxx.xxx.xxx.xxx
nat (inside) 2 access-list allow-nat-specific

Let me know if this is what you want.

Thanks

Rizwan Rafeek

Thanks Mike and Rizwanr,

                A
               /
              /
L ---[PIX]---- {Internet}
              \
               \
                B

OK, I think I should try and explain it a bit better:

L = LAN

A = 80.80.80.80

B = 90.90.90.90

So if the LAN users try to access A, they should be redirected to B.

Hope this helps.

Mike, if I use the static NAT you suggested, 90.90.90.90 would need to reside on the LAN (right?)

Hi Thuven,

The diagram didn't get formatted very well so I'm not sure if I understand. However, using the static NAT I suggested would meet the written requirements you have (users trying to access A would be redirected to B).

In this case, only B is the real host that lives on the Internet. You can think of A as just a virtual IP address that the PIX will do a translation for. If the PIX receives a packet destined for A on the LAN interface, it will just re-write the destination of the packet to B and send it on based on the routing table.

-Mike
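A complete PIX 7.x configuration for the destination rewrite Mike describes, added here as an illustration (it is not from the thread or from Cisco's documentation); the LAN subnet 10.0.0.0/24 and the ISP gateway 203.0.113.1 are constructed placeholders.

```text
! Added example, not from the thread. 10.0.0.0/24 (LAN) and 203.0.113.1 (ISP gateway) are placeholders.

! One default route only: every outside-bound packet, including one whose
! destination has already been rewritten to 90.90.90.90, is sent to the ISP gateway.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Ordinary dynamic PAT for LAN hosts going out (rewrites the source address).
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface

! Outside NAT: the real host 90.90.90.90 (on outside) is presented to the inside as 80.80.80.80.
!   inside -> 80.80.80.80 : destination rewritten to 90.90.90.90 before the route lookup
!   90.90.90.90 -> inside : source rewritten back to 80.80.80.80 on the return leg
static (outside,inside) 80.80.80.80 90.90.90.90 netmask 255.255.255.255

! Verification: after a LAN host connects to 80.80.80.80, the entry is visible in the xlate table.
! show xlate
```

Caveat for anyone applying this: because 80.80.80.80 is a real public address, once the static is in place LAN hosts can no longer reach the genuine 80.80.80.80 at all, only the translated 90.90.90.90; the static applies only to traffic crossing the inside/outside interface pair.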

Thuven and Mike,

The requirement is that traffic is initiated from the LAN and not from Internet users; therefore static NAT is out of the question.

If Thuven's PIX has one leg (i.e. one physical interface) facing the ISP's circuit, then there is only one route on the PIX, which sends all unknown traffic to the default gateway (i.e. the default route) on the PIX.

If, on the other hand, Thuven's PIX has two ISP circuits facing the Internet (i.e. physical or sub-interfaces), then a policy-based NAT will do the trick.

Hi,

Sorry for the late reply.

The PIX has only one interface to the Internet.

OK, so the users can access anything, but if they try to access 80.80.80.80 they should be redirected to 90.90.90.90 (both IPs live on the Internet).

Hope this helps more.

I will try and draw a more detailed diagram.

You cannot influence how your ISP transmits Internet-bound traffic on their network.
Since you do not have a next-hop address pointing to 90.90.90.90, you cannot redirect traffic to 90.90.90.90, only to your default gateway.

However, if you own the IP (i.e. 90.90.90.90) and it is accessible on your circuit, then you will be able to do a policy NAT; other than that there is nothing you can do with a single Internet circuit on the PIX outside interface.

teez007
Level 1

So that means a PIX can inspect a packet and change the destination from one IP to another on the WWW?

As far as I know, you can change the next-hop address, and in your case there is only one next hop, i.e. the default gateway pointing all unknown traffic to a single destination, the ISP gateway.

Take care.

Thanks

Rizwan Rafeek
