Ok, you PIX gurus out there: I know for a router you can do many-to-one static NAT translations, but how would you go about doing that on a PIX firewall? I have 2 public addresses that need to be pointed to my internet device. Thanks in advance.
You know that I actually meant internal and I put internet in my post, sorry about that. But typically I have set it up with routers to use two global addresses to one internal address going out at two different interfaces, so I get it there on what global address it will use. Whereas the PIX will only have one connection going out to the internet or wherever. But my thinking was that if the PIX had two global addresses mapped to one internal, and if the outside user were to initiate a connection, it would obviously send it to the global address and the PIX would take the destination address and translate it to the appropriate internal address. It doesn't matter how many global addresses there are pointing to the internal device, the PIX would know what to translate it to. That's if a translation were to be coming from the outside, but from the inside to the outside is what got me thinking. If the inside host had many global addresses and it were to initiate a connection to the outside, which one would it use? Would it use the first one in the xlate table??? That would be my guess if the PIX were to support it, but I guess it doesn't.
There is a difference between how a router and a PIX manage translation. The PIX manages it per session, TCP/UDP. A router, as you know, is purely packet based; the router only maintains an IP translation table, with a timeout if it's a dynamic translation. Example: with a router you can send a UDP packet going out just to make the router create the translation. After that, any incoming connection can take place between outside (global address) and inside (local address) based on the translation created by the UDP packet.
But with the PIX, and this is where it's interesting, or not really, the box manages translation by layer 4 session and by direction (incoming or outgoing), so you have to define incoming translation independently of outgoing translation. When a TCP connection is established, traffic can pass in both directions only for that specific session, even if you permit only outgoing connections. The PIX makes its decision in the session initiation phase.
So your thinking about incoming connections is right.
For outgoing connections, you should manually define which global address a host, or any host in a specific subnet, will use. See the command pair global (applied to the outside interface) / nat (applied to the inside interface).
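An added configuration example, not from this thread, in PIX 6.x syntax showing the two sides the reply describes: explicit inbound translations (static plus an access-list, since a static alone admits nothing) and the nat/global pair for the outbound side. The interface names, the inside host 10.1.1.5 and the public addresses 203.0.113.10 and 203.0.113.11 are assumed placeholders, and the second public address is mapped with a port-redirection static rather than a second full one-to-one static.

```cisco
! Assumed placeholders: inside host 10.1.1.5, public 203.0.113.10 / 203.0.113.11
! Inbound side: each translation is declared explicitly, because the PIX tracks
! translations per layer 4 session and per direction.
static (inside,outside) 203.0.113.10 10.1.1.5 netmask 255.255.255.255
! Second public address reaches the same host, but only for TCP/443 (port redirection).
static (inside,outside) tcp 203.0.113.11 443 10.1.1.5 443 netmask 255.255.255.255
! A static only creates the translation; inbound sessions still need an explicit permit,
! so expose only the ports the host actually serves.
access-list OUTSIDE_IN permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN permit tcp any host 203.0.113.11 eq 443
access-group OUTSIDE_IN in interface outside
! Outbound side: 10.1.1.5 itself leaves on 203.0.113.10, the address of its static,
! because a static takes precedence over nat/global for that host. The nat/global pair
! below decides the global address for the rest of the inside subnet (PAT on .11).
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 203.0.113.11
```

Verify the result with `show xlate` after a session from each direction; the inbound entries appear as the statics, while outbound sessions from other inside hosts show up as PAT entries on 203.0.113.11.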