11-06-2006 01:01 PM - edited 03-09-2019 04:47 PM
Hi All,
Just a quick question about static translation.
What will happen if a PIX has the below two statements:
static (dmz1,outside) ServerA ServerA netmask 255.255.255.255
static (dmz1,outside) ServerB ServerA netmask 255.255.255.255
Issuing show xlate returned the below:
Global ServerB Local ServerA
Global ServerA Local ServerA
Global ServerA Local ServerA
Global ServerA Local ServerA
Global ServerA Local ServerA
In a post* on this forum, Franco mentioned that the first static can be understood in 2 ways:
1- for traffic from outside to ServerA keeps the ServerA ip address unchanged, and
2- for traffic from ServerA to outside keeps ServerA ip address unchanged.
But the second static can be seen as me telling the outside traffic accessing ServerA to be NATed to ServerB's IP address, as well as, when ServerA wants to access the outside, statically changing its IP address to ServerB.
What we're trying to achieve here is: when ServerA initiates traffic to the outside, its IP address should be changed to ServerB, but when any outside traffic comes to ServerA, ServerA's IP address should be kept as it is.
I know this type of configuration is not best practice and should be avoided, but is there any document explaining the behaviour of a PIX in such cases? Or can anyone shed more light on it?
Thanks,
Daniel
11-06-2006 02:25 PM
As per what I understood from your post, you can do NAT with port redirection for incoming traffic and leave the static for the outgoing interface. Below you can find what I mean:
static (dmz1,outside) tcp ServerA ftp ServerA ftp netmask 255.255.255.255
static (dmz1,outside) ServerB ServerA netmask 255.255.255.255
I used FTP as example,
Let me know if the above solves your issue,
Regards,
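The split described in this reply (per-port static PAT for inbound, a one-to-one static for outbound), written out as a PIX 7.x configuration. This is an added example, not configuration from the thread; the addresses are placeholders (ServerA = 10.1.1.10 on dmz1, ServerB's outside address = 203.0.113.20) and the ACL name OUTSIDE_IN is invented.

```cisco
! Added example, not from the thread. Placeholder addresses:
!   ServerA = 10.1.1.10 (dmz1), ServerB's address as seen outside = 203.0.113.20
! Goal: inbound to ServerA keeps ServerA's own address for the published
! services; connections ServerA opens to the outside appear as ServerB.

! Inbound: static PAT (port redirection), one line per published service.
! Only the listed ports map to ServerA at its own address.
static (dmz1,outside) tcp 10.1.1.10 ftp 10.1.1.10 ftp netmask 255.255.255.255
static (dmz1,outside) udp 10.1.1.10 domain 10.1.1.10 domain netmask 255.255.255.255

! Outbound: one-to-one static, so traffic ServerA initiates is sourced
! from ServerB's address on the outside interface.
static (dmz1,outside) 203.0.113.20 10.1.1.10 netmask 255.255.255.255

! The one-to-one static is bidirectional: inbound packets for 203.0.113.20
! on any port would also be translated to ServerA. The outside ACL keeps
! that path closed by permitting only the two published services
! (PIX 7.x ACLs on the outside interface match the translated addresses).
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq ftp
access-list OUTSIDE_IN extended permit udp any host 10.1.1.10 eq domain
access-group OUTSIDE_IN in interface outside
```

After applying this, `show xlate` should list the port translations for 10.1.1.10 and, once ServerA opens a connection outbound, a `Global 203.0.113.20 Local 10.1.1.10` entry; any inbound entry for 203.0.113.20 appearing there would indicate the ACL is not doing its job.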
11-06-2006 11:18 PM
Thanks for your reply.
You're right about the solution... but I was wondering if you came across any documentation regarding this issue.
What if the traffic is UDP 53 (domain requests)? Will it still work?
Thanks | Daniel
11-07-2006 08:30 AM
Yep, NAT + port redirection works with UDP and TCP ports. Below you can find a link that explains all NAT/PAT scenarios, and one of them is a new feature on the ASA, policy NAT.
http://www.cisco.com/warp/public/110/pix70-nat-pat.pdf
Please let me know if you require anything further, and rate it if you find my post helpful.
Regards,
11-07-2006 09:26 AM
You could also try a static with the access-list statement.
static (A,B) B A access-list serverA
static (B,A) A B access-list serverB
HTH
Bill Harrison
Cisco Instructor