pix 6.3.5 two static nat

s.gariepy · ‎11-08-2005

in 6.3.4 i had 2 statics nat on the same local ip address:

static (dmz,outside) 111.111.111.111 10.20.20.6 netmask 255.255.255.255 0 0

static (dmz,outside) 222.222.222.222 10.20.20.6 netmask 255.255.255.255 0 0

i upgrade the pix with 6.3.5, and the second nat was remove and now i'm not able to add it again, the error message is "duplicate entry..."

how to resolve this problem?

sagdas · ‎11-08-2005

The same ip address cannot be mapped to two different ips on same interface.

6.3.4 took the command. Guess there is a bug in that code. But it does not work properly in that code. It kind of confuses the pix on the translation.

The error message which you are getting is right because the pix is not supposed to take the second static for the same ip.

jackko · ‎11-09-2005

imagine a packet orginated from 10.20.20.6 and destined for the internet. now, pix will lookup the static statement and the pix will not be able to determine which one should be used.

just wondering what sort of service is the server running. maybe the workaround is to configure port forwarding.

e.g.

static (dmz,outside) tcp 1.1.1.1 80 10.20.20.6 80 netmask 255.255.255.255

static (dmz,outside) tcp 2.2.2.2 25 10.20.20.6 25 netmask 255.255.255.255

with the sample above, internet service is running with 1.1.1.1; whereas email service is running with 2.2.2.2

joneschw1 · ‎11-10-2005

Why don't you just give the dmz server a secondary internalIP address. That is pretty easy whether the server is Windows or NIX based.