Even though I'm logged in, when I click on the link in your reply, I get:

Authentication Required/Forgotten Password

Message #401: Authorization Required/Forgotten Password

I am a logged-in user. How do I access that page?

Thanks!

Thanks. I will try this tonight, after hours.

However, I thought this wouldn't work based on another post I read in this forum titled "PIX-515: multiple PAT to the same inside host". Daniel Ruch says he tried basically what you suggest, but that it didn't work.

If I correctly copied the link, you can find it here:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.ee96cd5/3#selected_message

Thanks for any more help you can offer!

Hi,

Actually this will not work. Here is why:

You are translating 2 different ips and same ports to the same ip/ports. And this will confuse the pix which translation object needs to be used when the server send the syn-ack reply. I doubt if pix will even build two translation objects for connection objects to use.

Sorry ! This will not work, and no work around on the pix . Thanks,

Mynul

I was afraid of that.

Is it possible to use 2 different external ips with different ports to one internal ip/port? eg:

209.1.1.4:2222 -> 192.168.1.50:4444

AND

209.1.1.5:3333 -> 192.168.1.50:4444

Or, would that still have the same problem?

Thanks so much!

Hi,

Unfortunately, it will.. So long as actual ip/port are the same, it will create problem, doesn't matter what combination of your outside ip/port are.

Thanks,

Mynul

The Pix does not handle mapping multiple outside IP/Ports to the same inside host in any manner. Perhaps if you described the goal or problem you're trying to solve, we could offer other alternatives.

As weird as this sounds, I need a single server to be accessible from 2 different internet IP addresses.

We have a client program running in an internet appliance on a broadband connection. I need the client to be able to failover whenever it has trouble accessing the server by trying to use a different IP address. However, that different IP address actually needs to be the same server, but by trying to reach it via a different IP address, it can utilize the routing table to make it go out a different interface (like PPP).

I thought that perhaps I could make my cisco give my internal server 2 external IPs, but that doesn't seem feasible.

I keep thinking a Proxy or some other kind of server might be the solution, but I haven't found that by searching the web and don't know how to do it myself.

ANY solutions you have for this would be greatly appreciated!

Thanks!

I should've been more specific in that you cannot accomplish that in any manner on the same interface.

Are both IPs that you're trying to NAT for delivered by the same ISP and router? Without router and/or ISP redundancy, having two IPs for the same inside host on a single Pix doesn't accomplish much.

If you have two different ISPs on the same router, you can use the router to NAT on the inbound session to make this work using a single interface and static statement on the Pix. If you have two routers and two ISPs, you can use the routers to NAT the source and destination IPs on inbound to make this work.

This news won't help our friend in need here as he has a 506 which is fixed-form-factor and doesn't support virtual interfaces. However, it is great news! Is there a listing yet of new features in 6.3.2? Do you know the expected release date?