03-07-2008 08:26 AM - edited 03-11-2019 05:13 AM
I have a PIX sitting between the world and 20 webservers. At the moment my NAT rules are simple:
82.x.x.1 --> 10.179.0.1 /24
82.x.x.2 --> 10.179.0.2 /24
80/443 allowed, anything else dropped.
I want to redirect a couple of IPs to another server.
So if source A is requesting access to 82.x.x.1 can I redirect it to 10.179.0.2?
03-07-2008 08:29 AM
Yes, if you use PAT...
static (inside,outside) tcp 82.x.x.1 80 10.179.0.1 80 netmask 255.255.255.255
static (inside,outside) tcp 82.x.x.1 443 10.179.0.1 443 netmask 255.255.255.255
static (inside,outside) tcp 82.x.x.2 80 10.179.0.2 80 netmask 255.255.255.255
static (inside,outside) tcp 82.x.x.2 443 10.179.0.2 443 netmask 255.255.255.255
static (inside,outside) tcp 82.x.x.1
03-07-2008 08:33 AM
That's no good. What I'm trying to do is redirect some Google servers to one of our beefier servers.
03-07-2008 11:03 AM
Yes, that can be done very easily if you have a Checkpoint firewall. With Checkpoint, you can put in a manual NAT rule in addition to static NAT. It can be done in 20 seconds followed by a policy push.
I think it can be done with PIX via policy NAT, but do not hold me to it.
CCIE Security
03-07-2008 04:14 PM
So if I am right, you want inbound connections to the same global address to be translated to more than one internal host on the same port?
If this is correct, then this is only possible if you are using different ports (as shown in the example given above), otherwise I am afraid this is not possible without a device that can load balance.
03-07-2008 06:51 PM
With Checkpoint, the solution is a very simple one:
1- create your static NAT,
2- create a manual NAT above the static NAT as follows:
Source     Dest       Service   Translated source   Translated dest
Source_A   82.x.x.1   80/443    original            192.168.x.1
Place this NAT rule above the auto NAT rule and you will be set.
Easy right?
CCIE Security
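A PIX/ASA equivalent of the Checkpoint manual-NAT rule above, as an added example that is not from the original thread: it uses the policy static NAT that the earlier reply mentions, written in the pre-8.3 NAT syntax (PIX 6.3 / ASA 7.x to 8.2). The inside addresses and the 82.x.x.n globals are the original poster's own placeholders; the crawler source range 203.0.113.0/24 and the ACL names CRAWLER_TO_Y and OUTSIDE_IN are assumptions for illustration, not Google's real address space.

```text
! Added example, not from the thread. PIX 6.3 / ASA 7.x-8.2 (pre-8.3) NAT syntax.
! Inside servers as in the original post:
!   10.179.0.1 = server x, normally published as 82.x.x.1
!   10.179.0.2 = server y, normally published as 82.x.x.2
! Assumed crawler source range (documentation prefix standing in for "Google"):
!   203.0.113.0/24

! 1. Policy-NAT ACL. For a static, the ACL source is the REAL (inside) address
!    and the destination is the outside peer the rule should apply to.
access-list CRAWLER_TO_Y permit ip host 10.179.0.2 203.0.113.0 255.255.255.0

! 2. Policy static: when 10.179.0.2 talks to the crawler range it is mapped to
!    82.x.x.1, and because statics are bidirectional, inbound connections from
!    203.0.113.0/24 to 82.x.x.1 are untranslated to 10.179.0.2 (server y).
!    This line must come BEFORE the regular static for 82.x.x.1: overlapping
!    statics are matched in configuration order, first match wins.
static (inside,outside) 82.x.x.1 access-list CRAWLER_TO_Y

! 3. Regular statics for everyone else (the original one-to-one mappings).
static (inside,outside) 82.x.x.1 10.179.0.1 netmask 255.255.255.255
static (inside,outside) 82.x.x.2 10.179.0.2 netmask 255.255.255.255

! 4. Interface ACL is unchanged: only 80/443 to the global addresses is allowed.
!    Pre-8.3 interface ACLs match the GLOBAL (mapped) address, so the redirect
!    needs no ACL change.
access-list OUTSIDE_IN permit tcp any host 82.x.x.1 eq 80
access-list OUTSIDE_IN permit tcp any host 82.x.x.1 eq 443
access-list OUTSIDE_IN permit tcp any host 82.x.x.2 eq 80
access-list OUTSIDE_IN permit tcp any host 82.x.x.2 eq 443
access-group OUTSIDE_IN in interface outside

! 5. Check: after a test connection from the crawler range, the xlate table
!    should show 82.x.x.1 mapped to 10.179.0.2 for that peer, while a connection
!    from any other source to 82.x.x.1 still lands on 10.179.0.1.
! pix# clear xlate      (after changing statics, so stale entries do not mask the new rule)
! pix# show xlate
```

Two caveats a practitioner would want before relying on this: confirm the first-match ordering of overlapping statics on the exact release in use, since the thread's own reply on policy NAT is offered with a "do not hold me to it"; and note that a hard-coded crawler range has to be maintained by hand, which is the operational cost that a load balancer with health checks (the direction the thread ends up taking) avoids.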
03-10-2008 02:52 AM
Thanks for all your advice; it looks like it can't be done.
Basically Google blams one of our sites every now and then, which kills a webserver. What I would like to have done:
If destination = server x and source = Google then go to server y,
as server y is much older and slower and serves the same site as server x, so we don't mind if that one goes down.
I'm looking into load balancers now; can anyone recommend a good one?
03-10-2008 04:10 AM
Cisco have a product called CCS or Content Switch Solution.
I would recommend looking at the F5 LTM product as well.