Cisco Support Community
Community Member

PIX 515 & Multiple Static NATs

This is beating me up. If anyone has a suggestion, please help.

I need web services to NAT to two different web servers behind the inside interface. Below are portions of my config. The NAT 0 is there because this is a PPTP and IPSec endpoint as well.

My issue is that port 80 and port 3389 access do not work to 200.200.200.2 but all access works to 200.200.200.1. I'm scratching my head. I also have the PIX configured as a PPTP and IPSec endpoint if that matters.

==============

access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0

access-list 101 permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list ipsec permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list 102 permit icmp any any

access-list 102 permit tcp any host 200.200.200.1 eq www

access-list 102 permit tcp any host 200.200.200.1 eq 3389

access-list 102 permit tcp any host 200.200.200.1 eq smtp

access-list 102 permit tcp any host 200.200.200.2 eq 3389

access-list 102 permit tcp any host 200.200.200.2 eq www

ip address outside 200.200.200.1 255.255.255.0

ip address inside 192.168.100.1 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 192.168.0.0 255.255.0.0 0 0

static (inside,outside) tcp 200.200.200.1 www 192.168.100.24 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 200.200.200.1 smtp 192.168.100.24 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp 200.200.200.1 3389 192.168.100.24 3389 netmask 255.255.255.255 0 0

static (inside,outside) 200.200.200.2 192.168.100.25 netmask 255.255.255.255 0 0

access-group 102 in interface outside

1 REPLY
Community Member

Re: PIX 515 & Multiple Static NATs

Dear PAUL STRAYHORN

A few considerations about your configuration:

1. You do not need to have 3 static translation slots for the NAT 200.200.200.1; it's better to have only one

ex: static (inside,outside) 200.200.200.1 192.168.100.24 netmask 255.255.255.255

and control the traffic with the access-lists

2. You do not have translation slots (NAT defined) for the IP 200.200.200.2.

That's why it's not working!

Make one with the local IP of the other web server

ex: static (inside,outside) 200.200.200.2 netmask 255.255.255.255

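An added example, not part of the original thread: a small Python check that cross-references the TCP permits in the ACL bound to the outside interface with the static translations, so each exposed public IP and port can be traced to an inside host. The sample input is the ACL 102 and static lines from the question with wrapped lines rejoined; the function names and the PORTS keyword map are assumptions of this example.

```python
import re
# Constructed sample: the relevant lines of the posted config, wrapped lines rejoined.
CONFIG = """\
access-list 102 permit tcp any host 200.200.200.1 eq www
access-list 102 permit tcp any host 200.200.200.1 eq 3389
access-list 102 permit tcp any host 200.200.200.1 eq smtp
access-list 102 permit tcp any host 200.200.200.2 eq 3389
access-list 102 permit tcp any host 200.200.200.2 eq www
static (inside,outside) tcp 200.200.200.1 www 192.168.100.24 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 200.200.200.1 smtp 192.168.100.24 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 200.200.200.1 3389 192.168.100.24 3389 netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.2 192.168.100.25 netmask 255.255.255.255 0 0
access-group 102 in interface outside
"""
PORTS = {"www": 80, "smtp": 25}  # only the port keywords this config uses (assumption)
def port(tok):
    return PORTS.get(tok) or int(tok)

def parse(config):
    """Collect TCP permits of the ACL bound to outside, plus both kinds of static."""
    bound = re.search(r"^access-group (\S+) in interface outside", config, re.M)
    acl = bound.group(1) if bound else None
    permits, port_statics, host_statics = [], {}, {}
    for line in config.splitlines():
        t = line.split()
        m = re.match(r"access-list (\S+) permit tcp any host (\S+) eq (\S+)", line)
        if m and m.group(1) == acl:
            permits.append((m.group(2), port(m.group(3))))
        elif t[:2] == ["static", "(inside,outside)"] and t[2] == "tcp":
            port_statics[(t[3], port(t[4]))] = (t[5], port(t[6]))  # port redirect
        elif t[:2] == ["static", "(inside,outside)"] and t[2] != "udp":
            host_statics[t[2]] = t[3]  # one-to-one static: every port maps through
    return permits, port_statics, host_statics

def audit(config):
    """Return (mapped permits, permits with no static, port statics with no permit)."""
    permits, port_statics, host_statics = parse(config)
    mapped, unmapped = {}, []
    for ip, p in permits:
        if (ip, p) in port_statics:
            mapped[(ip, p)] = port_statics[(ip, p)]
        elif ip in host_statics:
            mapped[(ip, p)] = (host_statics[ip], p)
        else:
            unmapped.append((ip, p))
    return mapped, unmapped, [k for k in port_statics if k not in permits]

if __name__ == "__main__":
    print(audit(CONFIG))
```

On the lines as posted, every permitted public IP and port resolves to an inside host and no port static lacks a permit, so ACL 102 and the static entries agree with each other.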