406 Views · 0 Helpful · 3 Replies

NAT Question PIX 515E

rfranzke (Level 1)

I have a mail server which I am doing inbound NAT translation on. I translate the public IP of the mailserver to the private IP of the mailserver. I am doing this using static NAT rules. I am trying to figure out a way to do some kind of policy NAT where I keep the same public address of the mailserver but translate it differently based on what the requesting source IP is. The rule would be something like this:

For connections going to IP 10.10.10.10(mail server public IP) from source IP 12.12.12.12, translate the address to 192.168.0.10

For connections going to IP 10.10.10.10(mail server public IP) from all other source IPs, translate the address to 192.168.0.12

Does anyone know of a way to do this with the PIX 515E? This seems like it should be possible but I cannot see exactly how.

As always thanks for the help here.

3 Replies

Hi,

Let's say that the idea that you have for your mail server is something like this (assuming 10.10.10.10 is your public IP for the server):

access-list TEST1 permit ip host 12.12.12.12 host 10.10.10.10
access-list TEST2 permit ip any host 10.10.10.10

static (in,out) 10.10.10.10 access-list TEST1
static (in,out) 10.10.10.10 access-list TEST2

This is not going to work, because you will get an overlapping error on the static statements for the same global address.

You cannot use dynamic Policy NAT (using nat and global), because you need to provide access to the server on a highest security interface.

From what I see, there's no way to accomplish this.


Just out of curiosity, why are you trying such a configuration?

Federico.

Wanted to see if this was possible because we had some remote developers testing against our mailserver and the tests they were doing were somehow crashing the mail server software. We asked them to stop but they did not seem to get the message. So I wanted to sort of send them off to another server temporarily and yet keep other traffic flowing normally and without disrupting their tests. Keep from changing IPs. Hokey I know. Maybe there is some other better way to do this. Thanks for the reply.

No problem. Try this:

access-list TEST1 permit ip host 12.12.12.12 host 10.10.10.10
access-list TEST2 permit ip any host 10.10.10.10

static (in,out) 192.168.0.19 access-list TEST1
static (in,out) 192.168.0.12 access-list TEST2

You may adjust the Access-list with the protocol that you need to let through.
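As an added illustration (not part of the thread or of Cisco's own tooling), here is a small Python model that parses statics and access-lists in the shorthand used above, flags the reused global address that makes the first attempt fail with an overlap error, and reports which address the first matching static supplies for a given source and destination. It embeds the second suggestion as its sample config and matches ACL entries as source-then-destination, which is a simplification of the PIX's policy NAT evaluation, assumed here only for the demonstration.

```python
import ipaddress
import re

# The thread's second suggestion, quoted verbatim (constructed constant for the demo).
PROPOSED = """
access-list TEST1 permit ip host 12.12.12.12 host 10.10.10.10
access-list TEST2 permit ip any host 10.10.10.10
static (in,out) 192.168.0.19  access-list TEST1
static (in,out) 192.168.0.12  access-list TEST2
"""
ACL_RE = re.compile(r"access-list (\S+) permit \S+ (.+)")
STATIC_RE = re.compile(r"static \((\S+),(\S+)\)\s+(\S+)\s+access-list (\S+)")

def parse_addr(tokens):
    """Consume 'host A.B.C.D', 'any' or 'A.B.C.D MASK'; return (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_config(text):
    """Return ({acl_name: [(src_net, dst_net), ...]}, [statics in config order])."""
    acls, statics = {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            src, rest = parse_addr(m.group(2).split())
            acls.setdefault(m.group(1), []).append((src, parse_addr(rest)[0]))
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, addr, acl = m.groups()
            statics.append({"ifaces": (real_if, mapped_if), "addr": addr, "acl": acl})
    return acls, statics

def overlapping_globals(statics):
    """Addresses reused by more than one static on the same interface pair
    (the overlap error Federico describes for the first attempt)."""
    uses = {}
    for s in statics:
        uses.setdefault((s["ifaces"], s["addr"]), []).append(s["acl"])
    return {key[1]: names for key, names in uses.items() if len(names) > 1}

def first_match(acls, statics, src, dst):
    """Address of the first static (config order) whose ACL permits src -> dst, or None.
    Simplification: entries are matched as written in the thread, source then destination."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s in statics:
        if any(src in a and dst in b for a, b in acls.get(s["acl"], [])):
            return s["addr"]
    return None
```

Running `overlapping_globals` over the first attempt (two statics sharing 10.10.10.10) reports the shared address with both ACL names, while the second suggestion reports nothing.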
