New Member

NAT with PIX 520 with 6.3.5

We are facing a problem with a special configuration:

nameif ethernet0 outside security0

nameif ethernet1 inside security100

access-list www_outside_inside permit tcp any host 192.168.117.223 eq www

access-list www_outside_inside permit tcp any host 192.168.117.225 eq www

access-list www_outside_inside permit tcp any host 192.168.117.225 eq https

access-list www_outside_inside permit tcp any host 192.168.117.223 eq https

ip address outside 192.168.117.220 255.255.255.0

ip address inside 10.16.133.100 255.255.252.0

static (inside,outside) 192.168.117.223 10.16.132.47 netmask 255.255.255.255 0 0

static (inside,outside) 192.168.117.225 10.16.132.47 netmask 255.255.255.255 0 0

This is working fine with 6.3.3 but is rejected when typing in the second static NAT translation.

Is this a bug or a feature?

4 REPLIES
Hall of Fame Super Blue

Re: NAT with PIX 520 with 6.3.5

Hi

I have just tried this on 6.3(5) and I get the same error about duplicate translation. I'll see if I can find a 6.3(3) firewall but I might be out of luck.

What you could do:

static (inside,outside) tcp 192.168.117.223 80 10.16.132.47 80

static (inside,outside) tcp 192.168.117.225 443 10.16.132.47 443

HTH

Jon

New Member

Re: NAT with PIX 520 with 6.3.5

Hi Jon,

This is not a solution. We are in a transition phase where we move from provider-dependent to provider-independent addresses. The addresses you see have been changed; they are not those on the customer site. What we do is to NAT the new addresses to unused addresses of the old space. We want the PIX to translate the old address and the temporary address to the same host. After the DNS change has taken place, we are going to remove the NAT entries and move the PIX to the new IP space.

We do need the translation from two separate addresses to one and the same.

Gerd

Hall of Fame Super Blue

Re: NAT with PIX 520 with 6.3.5

Gerd

Sincere apologies, I didn't read your existing config closely enough.

Jon

New Member

Re: NAT with PIX 520 with 6.3.5

This is not a bug. What you are trying to do is not possible.

It's not possible to static NAT 2 different IP addresses to 1 outside address.

It is possible to do port forwarding as stated above.

Or use PAT, but with PAT, sessions can't be initiated from the outside.
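
A pre-upgrade check for the situation in this thread, as an added example that is not part of any post and not Cisco code: it scans a PIX configuration for host `static` entries that map one real address to more than one mapped address, the pattern reported above as rejected on 6.3(5) with a duplicate translation error. The rule itself and the names `parse_statics` and `duplicate_host_statics` are assumptions drawn from the thread's description; port-based statics are parsed but not flagged.

```python
from collections import defaultdict

# Constructed sample: the two host statics from the question, plus one
# port-based static in the form suggested in the first reply.
SAMPLE_CONFIG = """\
static (inside,outside) 192.168.117.223 10.16.132.47 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.117.225 10.16.132.47 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.117.223 80 10.16.132.47 80
"""


def parse_statics(config):
    """Yield (interfaces, proto, mapped, real) for each PIX static line.

    Host form: static (real_if,mapped_if) mapped_ip real_ip ...
    Port form: static (real_if,mapped_if) tcp|udp mapped_ip mapped_port real_ip real_port
    """
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "static":
            continue
        ifaces = tok[1].strip("()")
        if tok[2] in ("tcp", "udp"):
            if len(tok) < 7:
                continue  # truncated port static, nothing reliable to report
            yield ifaces, tok[2], (tok[3], tok[4]), (tok[5], tok[6])
        else:
            yield ifaces, None, tok[2], tok[3]


def duplicate_host_statics(config):
    """Return {(interfaces, real_ip): [mapped_ip, ...]} where a real address
    has more than one host static on the same interface pair."""
    by_real = defaultdict(list)
    for ifaces, proto, mapped, real in parse_statics(config):
        if proto is None:  # only whole-host translations are compared
            by_real[(ifaces, real)].append(mapped)
    return {key: ips for key, ips in by_real.items() if len(ips) > 1}


if __name__ == "__main__":
    for (ifaces, real), mapped in duplicate_host_statics(SAMPLE_CONFIG).items():
        print(f"({ifaces}) real host {real} has host statics to: {', '.join(mapped)}")
```
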
