Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
520
Views
0
Helpful
1
Replies

PIX 515 & Multiple Static NATs

pstrayhorn
Level 1
Level 1

‎01-07-2003 05:28 AM - edited ‎02-20-2020 10:28 PM

This is beating me up. If anyone has a suggestion, please help.

I need web services to NAT to two different web servers behind the inside interface. Below are portions of my config. The NAT 0 is there becasue this is a PPTP and IPSec endpoint as well.

My issue is that port 80 and port 3389 access do not work to 200.200.200.2 but all access works to 200.200.200.1. I'm scratching my head. I also have the pix configured as a PPTP and IPSec endpoint if that matters.

==============

access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0

access-list 101 permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list ipsec permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255 .0

access-list 102 permit icmp any any

access-list 102 permit tcp any host 200.200.200.1 eq www

access-list 102 permit tcp any host 200.200.200.1 eq 3389

access-list 102 permit tcp any host 200.200.200.1 eq smtp

access-list 102 permit tcp any host 200.200.200.2 eq 3389

access-list 102 permit tcp any host 200.200.200.2 eq www

ip address outside 200.200.200.1 255.255.255.0

ip address inside 192.168.100.1 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 192.168.0.0 255.255.0.0 0 0

static (inside,outside) tcp 200.200.200.1 www 192.168.100.24 www netmask 255.255

.255.255 0 0

static (inside,outside) tcp 200.200.200.1 smtp 192.168.100.24 smtp netmask 255.2

55.255.255 0 0

static (inside,outside) tcp 200.200.200.1 3389 192.168.100.24 3389 netmask 255.2

55.255.255 0 0

static (inside,outside) 200.200.200.2 192.168.100.25 netmask 255.255.255.255 0 0

access-group 102 in interface outside

0 Helpful
1 Reply 1

bs0000554
Level 1
Level 1

‎01-07-2003 03:15 PM

Dear PAUL STRAYHORN

Few considerations about your configuration

1.You does not need to have 3 static translations slots for the NAT 200.200.200.1 ;its better to have only one

ex: static (inside,outside) 200.200.200.1 192.168.100.24 netmask 255.255.255.255

and control the traffic with the access-lists

2.You does not have translation slots ( NAT Defined ) for the IP 200.200.200.2.

Thats what its not working !

Make one with the local IP of the other web server

ex: static (inside,outside) 200.200.200.2 netmask 255.255.255.255

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card