Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
574
Views
0
Helpful
3
Replies

many-to-one static nat

Michael Strnad
Level 1
Level 1

‎12-11-2002 09:25 AM - edited ‎03-09-2019 01:21 AM

Ok you pix guru's out there, I know for a router you can do many-to-one static nat translations, but how would you go about doing that on a pix firewall. I have 2 public addresses that needs to be pointed to my internet device. Thanks in advance.

Labels:
0 Helpful
3 Replies 3

gfullage
Cisco Employee
Cisco Employee

‎12-11-2002 05:19 PM

You don't. You can't map one internal device to two external addresses, or vice versa. When the packet is returning, how would the PIX know which translation to use?

0 Helpful

Michael Strnad
Level 1
Level 1
In response to gfullage

‎12-11-2002 07:54 PM

You known that I actually ment internal and I put internet on my post, sorry about that. but typically i have set it up with routers to use two global address to one internal address going out at two different interfaces, so I get it there on how what global address it will use. Where as the pix will only have one connection going out to the internet or wherever. but my thinking was that if the pix had two global address mapped to one internal and if the outside user were to initiate a connection it would obviously send it to the the global address and the pix would take the destination address and translate to the apropriate internal address. it don't matter how many global address there is pointing to the internal device the pix would know what to translate it to. thats if a translation where to be coming from the outside, but from the inside to the outside is what got me thinking. if the inside host had many global address and it would initiate a connection to the outside which one would it use. would it use the first one on the xlate table??? that would be my guess if the pix were to support it, but i guess it don't.

thanks for your reply.

0 Helpful

bdube
Level 2
Level 2
In response to Michael Strnad

‎12-11-2002 08:41 PM

Hi Michael,

There is a difference between how router & PIX manage translation. In PIX, it manages it per session, TCP/UDP. In router, as you know, it's purely packet based, then the router only maintain IP translation table, with a timeout if it's dyn translation. Example: with a router you can send a UDP packet going out just to permit the router to create the translation. After that, any incoming connection can take place between outside(global address) and inside (local address) based on the translation created by UDP packet.

But, with the PIX, it's here where it's interesting, or not really, this box manages translation by level 4 session and by direction (incoming or outgoing) then you have to indicate incoming translation independently of outgoing translation. When a TCP connection is established, trafic can pass both direction only for this specific session even if you permit only outgoing connection. PIX make is decision on the session initiation phase.

Then, your thinking about incoming connection is right.

About outgoing connection, you should manually define which global address a host or any hosts in a specific subnet will use. See the pair commands Global (apply to the outside interface)/NAT (apply to the internal interface).

Regards

Ben

0 Helpful
Customers Also Viewed These Support Documents