
Port based NAT on pix 506e?

cornishgod (Level 1)

I have a PIX sitting between the world and 20 webservers. At the moment my NAT rules are simple:

82.x.x.1 --> 10.179.0.1 /24

82.x.x.2 --> 10.179.0.2 /24

80/443 allowed anything else dropped

I want to redirect a couple of IPs to another server.

So if source A is requesting access to 82.x.x.1 can I redirect it to 10.179.0.2?

7 Replies

acomiskey (Level 10)

Yes, if you used PAT...

static (inside,outside) tcp 82.x.x.1 80 10.179.0.1 80 netmask 255.255.255.255

static (inside,outside) tcp 82.x.x.1 443 10.179.0.1 443 netmask 255.255.255.255

static (inside,outside) tcp 82.x.x.2 80 10.179.0.2 80 netmask 255.255.255.255

static (inside,outside) tcp 82.x.x.2 443 10.179.0.2 443 netmask 255.255.255.255

static (inside,outside) tcp 82.x.x.1 10.179.0.2 netmask 255.255.255.255

must be different than 80 or 443.

That's no good. What I'm trying to do is redirect some Google servers to one of our beefier servers.

Yes, that can be done very easily if you have a Checkpoint firewall. With Checkpoint, you can put in a manual NAT rule in addition to static NAT. It can be done in 20 seconds, followed by a policy push.

I think it can be done with PIX via policy NAT, but do not hold me to it.

CCIE Security

So if I am right, you want inbound connections to the same global address to be translated to more than one internal host on the same port?

If this is correct, then this is only possible if you are using different ports (as shown in the example given above), otherwise I am afraid this is not possible without a device that can load balance.

With Checkpoint, the solution is a very simple one:

1- create your static NAT,

2- create a manual NAT above the static NAT

as follows:

Source     Dest       Service   Translated source   Translated dest
Source_A   82.x.x.1   80/443    original            192.168.x.1

Place this NAT rule above the auto NAT rule and you will be set.

Easy right?

CCIE Security
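The two replies above describe the same rulebase behaviour from different angles: acomiskey's port-based `static` lines can only hand one internal host per (global address, port) pair, while the Checkpoint manual rule adds a source condition and must sit above the automatic static rule to be reached. The following is an added example, not configuration or code from the thread or from Cisco or Checkpoint: a small Python model of an ordered, first-match translation table that reproduces both points. The source network 203.0.113.0/24 is a constructed stand-in for "the crawler's addresses", 198.51.100.7 is a constructed ordinary client, and the rule names are made up for the example; the 82.x.x.N global addresses are kept as the thread's own placeholders and are compared as plain labels.

```python
"""Ordered NAT rulebase model (added example, not from the original thread).

Models two styles discussed in the thread:
  * PIX-style port-based static PAT: match on (global address, port), any source
  * Checkpoint-style manual NAT: same match plus a source condition, placed
    above the automatic static rule so it is evaluated first
All addresses below are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed stand-in for the crawler's source range (not a real crawler range).
CRAWLER_NET = "203.0.113.0/24"


@dataclass(frozen=True)
class Rule:
    name: str
    global_ip: str              # public address the client connects to (label only)
    local_ip: str               # internal server the connection is handed to
    port: Optional[int] = None  # None = every port (plain static NAT)
    src: Optional[str] = None   # None = any source; a network string makes it a policy rule

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        if dst_ip != self.global_ip:
            return False
        if self.port is not None and dst_port != self.port:
            return False
        if self.src is not None and ip_address(src_ip) not in ip_network(self.src):
            return False
        return True


def translate(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int) -> Tuple[Optional[str], str]:
    """First matching rule wins, as in an ordered rulebase. Returns (local_ip, rule name)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dst_port):
            return rule.local_ip, rule.name
    return None, "no-translation"


def validate(rules: List[Rule]) -> List[str]:
    """Report rules that can never be reached: an earlier rule with no source
    condition already owns the same (global address, port)."""
    problems = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            same_port = earlier.port is None or earlier.port == later.port
            if earlier.global_ip == later.global_ip and same_port and earlier.src is None:
                problems.append(f"{later.name} is shadowed by {earlier.name}")
    return problems


# Port-based PAT only, in the spirit of acomiskey's static lines.
PAT_ONLY = [
    Rule("web1-80", "82.x.x.1", "10.179.0.1", port=80),
    Rule("web1-443", "82.x.x.1", "10.179.0.1", port=443),
    Rule("web2-80", "82.x.x.2", "10.179.0.2", port=80),
    Rule("web2-443", "82.x.x.2", "10.179.0.2", port=443),
]

# Naive attempt: a second host on the same global address and port, no source condition.
SAME_PORT_ATTEMPT = PAT_ONLY + [Rule("web1-80-alt", "82.x.x.1", "10.179.0.2", port=80)]

# Source-aware redirect placed above the static rules, as in the Checkpoint reply.
WITH_POLICY = [Rule("crawler-redirect", "82.x.x.1", "10.179.0.2", port=80, src=CRAWLER_NET)] + PAT_ONLY

# Same redirect placed below the static rules: never reached.
POLICY_BELOW = PAT_ONLY + [Rule("crawler-redirect", "82.x.x.1", "10.179.0.2", port=80, src=CRAWLER_NET)]


def demo() -> dict:
    """Run the constructed connections through each rulebase."""
    return {
        "pat_client": translate(PAT_ONLY, "198.51.100.7", "82.x.x.1", 80),
        "pat_ssh_dropped": translate(PAT_ONLY, "198.51.100.7", "82.x.x.1", 22),
        "same_port_problems": validate(SAME_PORT_ATTEMPT),
        "policy_crawler": translate(WITH_POLICY, "203.0.113.5", "82.x.x.1", 80),
        "policy_client": translate(WITH_POLICY, "198.51.100.7", "82.x.x.1", 80),
        "policy_above_ok": validate(WITH_POLICY),
        "policy_below_problems": validate(POLICY_BELOW),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`validate()` is the check worth keeping around: it catches both the "same port, second host" attempt the thread rules out and the mis-ordered source-aware rule, which silently falls back to the original server. Only the destination address and port are consulted for the plain rules; the policy rule is the one that reads the source, which is exactly the capability the thread says plain static PAT lacks.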

Thanks for all your advice. It looks like it can't be done.

Basically Google blams one of our sites every now and then, which kills a webserver. What I would like to have done:

If destination = server x and source = Google then go to server y,

as server y is much older and slower and serves the same site as server x, so we don't mind if that one goes down.

I'm looking into load balancers now. Can anyone recommend a good one?

Cisco have a product called CCS or Content Switch Solution.

I would recommend looking at the F5 LTM product as well.
