I've been trying to make this work and have had no luck. I've got a 515E running 7.0(2) and attempted to use this command to allow hosts on my 172.17.150.0/24 subnet to browse the website on 18.104.22.168:
static (outside,inside) 22.214.171.124 172.17.150.23 255.255.255.255
It simply will not seem to work. Can anyone lend some assistance?
Which is your inside network? Is it the 172.x.x.x and the 69.x.x.x website is on the internet?
I'm not exactly sure what you are trying to do, but it looks like your static is backwards, and you cannot statically translate a /24 subnet to one ip address.
Perhaps a little more explanation?
I think he has something like this
static (inside,outside) 126.96.36.199 172.17.150.23 255.255.255.255
and he is trying to hit http://188.8.131.52 from a client 172.17.150.x on the inside.
Is this correct?
This is what you are looking for, dns doctoring or hairpinning with 2 interfaces.
My inside network is 172.17.150.0/24. The webserver is on 172.17.150.23
I am trying to browse to the public IP 184.108.40.206 from a machine on the inside network.
In older Pix versions, I could use "alias", but apparently that command is no longer valid.
Thanks guys, I'll have a close look at that document. I tried to do just the last "nat (inside,inside)" but then lost connection to my webserver from outside... :)
Are you sure you wrote it correctly, that should not have happened. I think you would want...
static (inside,inside) 220.127.116.11 172.17.150.23 255.255.255.255
You also need the same-security-traffic permit intra-interface etc.
Anyway, pay close attention to where it says...
"For versions earlier than 7.2(1), it is required that at least one arm of the hairpinned traffic (inbound or outbound) be encrypted. From 7.2(1) and later, this requirement is no longer in place. Both the traffic inbound and the traffic outbound might be unencrypted when you use 7.2(1)."
You will run into a problem here as you are running 7.0.
Thanks everyone for your responses.
The solution was provided by Sanjeev Pabbi:
same-security-traffic permit intra-interface
static (inside,outside) 18.104.22.168 172.17.150.23 netmask 255.255.255.255
static (inside,inside) 22.214.171.124 172.17.150.23 netmask 255.255.255.255
static (inside,inside) 172.27.150.200 172.17.150.200 netmask 255.255.255.255
Because the request is initiated from inside the firewall, it hits the INSIDE interface; then, after the NAT translation, the packets have to come out of the same INSIDE interface towards your LAN. So the first command allows packets to enter and leave from the same interface. It's a global command.
The second command will allow your web server with private IP 172.17.150.23 to appear as public IP 126.96.36.199 to the outside world (not inside users).
Assuming the client on the inside network has IP 172.17.150.200, when it tries to access the web site by public IP 188.8.131.52, the third command translates the web server's public IP to the private IP.
The fourth command does the source translation, converting the original client IP 172.17.250.200 to a fake, non-existing IP 172.27.250.200. (This step is very important, because without it the web server will receive the incoming packet, but for the return traffic it will try to go to the client IP directly, because it's in the same subnet, and it never reaches there as it bypasses the firewall.) So in the web server logs it will appear as if the request has come from 172.27.150.200, NOT 172.17.150.200.
Instead of the fourth one you could just do...
global (inside) 1 interface
nat (inside) 1 0 0
then you don't have to have a static statement for each client.
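The hairpin flow from the posted solution (destination static, with and without the source static) and the interface-PAT alternative from the last reply, modelled as an added example that is not from this thread. The client, server and fake addresses are the ones posted; the firewall's inside interface address 172.17.150.1 is an assumption.

```python
import ipaddress

# Addresses as posted in the thread (the public IP is the one from the solution).
INSIDE_NET = ipaddress.ip_network("172.17.150.0/24")
SERVER_PRIV = "172.17.150.23"
SERVER_PUB = "18.104.22.168"
CLIENT = "172.17.150.200"
CLIENT_FAKE = "172.27.150.200"          # static (inside,inside) 172.27.150.200 172.17.150.200
FW_INSIDE_IF = "172.17.150.1"           # assumed inside interface address (global (inside) 1 interface)


def hairpin_translate(pkt, dst_static, src_static=None, interface_pat=None):
    """Apply the (inside,inside) statics to a client packet entering the inside interface:
    rewrite the destination (public -> private) and, optionally, the source."""
    dst = dst_static.get(pkt["dst"], pkt["dst"])
    src = pkt["src"]
    if src_static and src in src_static:
        src = src_static[src]               # fourth static: client -> fake address
    elif interface_pat:
        src = interface_pat                 # nat/global to interface: client -> firewall IP
    return {"src": src, "dst": dst}


def server_reply_path(translated):
    """Where the web server sends its reply. A source on its own subnet is ARPed for and
    reached directly (bypassing the firewall); anything else goes via the default gateway.
    The firewall's own interface address is on the subnet but is the firewall itself."""
    src = ipaddress.ip_address(translated["src"])
    if translated["src"] == FW_INSIDE_IF:
        return "firewall"
    return "direct" if src in INSIDE_NET else "firewall"


def simulate(mode):
    """mode: 'dst_only' (third static only), 'src_static' (third + fourth static),
    'interface_pat' (third static + nat (inside) 1 0 0 / global (inside) 1 interface)."""
    pkt = {"src": CLIENT, "dst": SERVER_PUB}
    dst_static = {SERVER_PUB: SERVER_PRIV}  # static (inside,inside) 18.104.22.168 172.17.150.23
    src_static = {CLIENT: CLIENT_FAKE} if mode == "src_static" else None
    pat = FW_INSIDE_IF if mode == "interface_pat" else None
    translated = hairpin_translate(pkt, dst_static, src_static, pat)
    path = server_reply_path(translated)
    # The firewall only keeps the hairpinned session alive if the reply returns through it.
    return {"server_sees_src": translated["src"], "dst": translated["dst"],
            "reply_via": path, "session_ok": path == "firewall"}


if __name__ == "__main__":
    for mode in ("dst_only", "src_static", "interface_pat"):
        print(mode, simulate(mode))
```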