New Member

Same static outside IP address on multiple interfaces

I have a PIX 525 with several interfaces protecting three inside networks ("A", "B", and "C") and connecting to three outside networks ("X", "Y", and "Z"). I also have a limited number of /29 subnets for public address space, with no possibility of more.

One of the /29 networks is used to provide static NATs for various servers on the inside interfaces. Right now, there is a one-to-one correlation between a public NAT IP address and an inside server IP address. However, four of the inside addresses are on one inside interface, and only accessed by one specific outside interface; the other two inside addresses are on a different inside interface, and only accessed by an outside interface different from the first four.

Maybe a schematic will help:

    intf "Y" ----------> intf "B"
    ------------------+---------------
    149.83.51.169 ---> 10.17.253.100
    149.83.51.170 ---> 10.17.253.101
    149.83.51.171 ---> 10.17.253.102
    149.83.51.172 ---> 10.17.253.110

    intf "Z" ----------> intf "A"
    ------------------+---------------
    149.83.51.173 ---> 10.16.254.157
    149.83.51.174 ---> 10.16.254.232

This is encoded by the following statements:

    static (intfA,intfZ) 149.83.51.173 10.16.254.157 netmask 255.255.255.255 0 0
    static (intfA,intfZ) 149.83.51.174 10.16.254.232 netmask 255.255.255.255 0 0
    static (intfB,intfY) 149.83.51.169 10.17.253.100 netmask 255.255.255.255 0 0
    static (intfB,intfY) 149.83.51.170 10.17.253.101 netmask 255.255.255.255 0 0
    static (intfB,intfY) 149.83.51.171 10.17.253.102 netmask 255.255.255.255 0 0
    static (intfB,intfY) 149.83.51.172 10.17.253.110 netmask 255.255.255.255 0 0

I now need two more static NATs between "B" and "Y". My question is can I reuse .173 and .174 between "B" and "Y"? The new schema would look like the following:

    intf "Y" ----------> intf "B"
    ------------------+---------------
    149.83.51.169 ---> 10.17.253.100
    149.83.51.170 ---> 10.17.253.101
    149.83.51.171 ---> 10.17.253.102
    149.83.51.172 ---> 10.17.253.110
    149.83.51.173 ---> 10.17.253.213
    149.83.51.174 ---> 10.17.253.214

    intf "Z" ----------> intf "A"
    ------------------+---------------
    149.83.51.173 ---> 10.16.254.157
    149.83.51.174 ---> 10.16.254.232

and be implemented as follows:

    static (intfA,intfZ) 149.83.51.173 10.16.254.157 netmask 255.255.255.255 0 0
    static (intfA,intfZ) 149.83.51.174 10.16.254.232 netmask 255.255.255.255 0 0
    static (intfB,intfY) 149.83.51.169 10.17.253.100 netmask 255.255.255.255 0 0
    static (intfB,intfY) 149.83.51.170 10.17.253.101 netmask 255.255.255.255 0 0
    static (intfB,intfY) 149.83.51.171 10.17.253.102 netmask 255.255.255.255 0 0
    static (intfB,intfY) 149.83.51.172 10.17.253.110 netmask 255.255.255.255 0 0
    static (intfB,intfY) 149.83.51.173 10.17.253.213 netmask 255.255.255.255 0 0
    static (intfB,intfY) 149.83.51.174 10.17.253.214 netmask 255.255.255.255 0 0

Can this be done?

4 REPLIES
Cisco Employee

Re: Same static outside IP address on multiple interfaces

No. Unless you use static PAT, you cannot create multiple static commands with the same global IP addresses.

Check the link below for more information:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026694

Franco Zamora

Gold

Re: Same static outside IP address on multiple interfaces

Your question is very interesting. I was thinking the PIX can't cope with this scenario, but on second thought, it should work in theory.

Anyhow, I did a test at the lab and it works fine. I guess the catch is that those 4 interfaces can't be overlapped.

New Member

Re: Same static outside IP address on multiple interfaces

What effect, if any, did it have on the xlate table? One concern I have is that IOS will simply find the first entry in the table and indiscriminately translate all instances of the overlapping NATs to the first inside translation it finds.

Gold

Re: Same static outside IP address on multiple interfaces

The xlate will show 2 entries for the public IP.

E.g.

    Global 203.1.1.1 Local 192.168.1.100
    Global 203.1.1.1 Local 192.168.2.100

When I was testing it at the lab, the PIX was able to cope with the scenario. I guess the PIX will again look at the static statements in order to determine the NAT/PAT and next hop.
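
An added example, not part of the original thread and not Cisco tooling: a small Python audit that parses the `static` lines from the question and reports every global address that appears in more than one translation, noting whether the interface pairs involved have an interface in common. The function names and the three category labels are assumptions made for this example; the script only reads configuration text and does not model how the PIX itself resolves the overlap.

```python
import re
from collections import defaultdict
# The proposed configuration from the question, embedded so the script runs offline.
PROPOSED = """\
static (intfA,intfZ) 149.83.51.173 10.16.254.157 netmask 255.255.255.255 0 0
static (intfA,intfZ) 149.83.51.174 10.16.254.232 netmask 255.255.255.255 0 0
static (intfB,intfY) 149.83.51.169 10.17.253.100 netmask 255.255.255.255 0 0
static (intfB,intfY) 149.83.51.170 10.17.253.101 netmask 255.255.255.255 0 0
static (intfB,intfY) 149.83.51.171 10.17.253.102 netmask 255.255.255.255 0 0
static (intfB,intfY) 149.83.51.172 10.17.253.110 netmask 255.255.255.255 0 0
static (intfB,intfY) 149.83.51.173 10.17.253.213 netmask 255.255.255.255 0 0
static (intfB,intfY) 149.83.51.174 10.17.253.214 netmask 255.255.255.255 0 0
"""

# static (real_if,mapped_if) global_ip local_ip ...  (host statics as written in the thread)
STATIC_RE = re.compile(r"^static\s+\((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+"
                       r"(?P<global_ip>\d+(?:\.\d+){3})\s+(?P<local_ip>\d+(?:\.\d+){3})\b")

def parse_statics(config):
    """Return (real_if, mapped_if, global_ip, local_ip) per one-to-one static line."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:  # port-redirection lines ("static (a,b) tcp ...") do not match
            entries.append((m["real_if"], m["mapped_if"], m["global_ip"], m["local_ip"]))
    return entries

def reused_globals(entries):
    """Classify every global IP that appears in more than one static."""
    by_global = defaultdict(list)
    for real_if, mapped_if, global_ip, local_ip in entries:
        by_global[global_ip].append((real_if, mapped_if, local_ip))
    findings = {}
    for global_ip, uses in by_global.items():
        if len(uses) < 2:
            continue
        mapped = [u[1] for u in uses]
        touched = [i for u in uses for i in u[:2]]
        if len(set(mapped)) < len(mapped):
            kind = "same-mapped-interface"   # one interface, two targets: ambiguous
        elif len(set(touched)) < len(touched):
            kind = "shared-interface"        # pairs overlap on some interface
        else:
            kind = "disjoint-pairs"          # the layout asked about in the thread
        findings[global_ip] = (kind, uses)
    return findings

if __name__ == "__main__":
    print(reused_globals(parse_statics(PROPOSED)))
```

Any address reported here is one whose reachability depends on the behaviour debated in the replies, so it is worth confirming against the xlate table on the device after a change.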
