Cisco Support Community

New Member

Port based NAT on pix 506e?

I have a PIX sitting between the world and 20 webservers. At the moment my NAT rules are simple:

82.x.x.1 --> 10.179.0.1 /24

82.x.x.2 --> 10.179.0.2 /24

80/443 allowed, anything else dropped.

I want to redirect a couple of IPs to another server.

So if source A is requesting access to 82.x.x.1 can I redirect it to 10.179.0.2?

7 REPLIES
Green

Re: Port based NAT on pix 506e?

Yes, if you use PAT...

static (inside,outside) tcp 82.x.x.1 80 10.179.0.1 80 netmask 255.255.255.255

static (inside,outside) tcp 82.x.x.1 443 10.179.0.1 443 netmask 255.255.255.255

static (inside,outside) tcp 82.x.x.2 80 10.179.0.2 80 netmask 255.255.255.255

static (inside,outside) tcp 82.x.x.2 443 10.179.0.2 443 netmask 255.255.255.255

static (inside,outside) tcp 82.x.x.1 <port> 10.179.0.2 <port> netmask 255.255.255.255

<port> must be different than 80 or 443.

New Member

Re: Port based NAT on pix 506e?

That's no good. What I'm trying to do is redirect some Google servers to one of our beefier servers.

Silver

Re: Port based NAT on pix 506e?

Yes, that can be done very easily if you have a Checkpoint firewall. With Checkpoint, you can put in a manual NAT rule, in addition to static NAT. It can be done in 20 seconds, followed by a policy push.

I think it can be done with PIX via policy NAT, but do not hold me to it.

CCIE Security

New Member

Re: Port based NAT on pix 506e?

So if I am right, you want inbound connections to the same global address to be translated to more than one internal host on the same port?

If this is correct, then this is only possible if you are using different ports (as shown in the example given above), otherwise I am afraid this is not possible without a device that can load balance.

Silver

Re: Port based NAT on pix 506e?

With Checkpoint, the solution is a very simple one:

1- create your static NAT,

2- create a manual NAT above the static NAT as follows:

Source    Dest      Service   Translated source   Translated dest
Source_A  82.x.x.1  80/443    original            192.168.x.1

Place this NAT rule above the auto NAT rule and you will be set.

Easy, right?

CCIE Security

New Member

Re: Port based NAT on pix 506e?

Thanks for all your advice; it looks like it can't be done.

Basically Google blams one of our sites every now and then, which kills a webserver. What I would like to have done:

If destination = server x and source = Google, then go to server y,

as server y is much older and slower and serves the same site as server x, so we don't mind if that one goes down.

I'm looking into load balancers now. Can anyone recommend a good one?

New Member

Re: Port based NAT on pix 506e?

Cisco have a product called CCS or Content Switch Solution.

I would recommend looking at the F5 LTM product as well.
