Static NAT

normanzhang (Level 1)

On PIX 6.3(4), can one have incoming traffic from 2 different external IPs NATed to a single internal IP?

E.g., x.x.x.1 -> y.y.y.y

x.x.x.2 -> y.y.y.y

6 Replies

jackko (Level 7)

it is feasible if they have protocol/port specified, otherwise the pix will not be able to distinguish between the two static statements for outbound traffic.

imagine a packet originated from y.y.y.y destined for the internet. pix receives the packet and looks it up against the static statements. now, pix will be confused and not able to determine which public ip should be applied.

on the other hand, if they have protocol or port specified, then it's feasible.

e.g.

x.x.x.1 for tcp 80

x.x.x.2 for tcp 25

static (inside,outside) tcp x.x.x.1 80 y.y.y.y 80 netmask 255.255.255.255

static (inside,outside) tcp x.x.x.2 25 y.y.y.y 25 netmask 255.255.255.255
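As an added illustration of the point jackko makes above (this is not code from the thread or from Cisco), the script below parses the two forms of the PIX 6.3 `static` statement and shows why two plain statics for one private host leave outbound traffic with more than one possible public IP, while the port-specific form matches exactly one. The addresses are constructed RFC 5737 values, and the matching rules are a simplified model of what the thread describes, not PIX's real lookup order.

```python
# Added example, not from the thread: models how PIX 6.3 matches "static"
# statements, using constructed addresses (198.51.100.0/24 public, 192.0.2.10 private).
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Static:
    proto: Optional[str]        # "tcp"/"udp", or None for a plain all-ports static
    global_ip: str
    global_port: Optional[int]
    local_ip: str
    local_port: Optional[int]

def parse_static(line: str) -> Static:
    """Parse 'static (in,out) [tcp GIP GPORT LIP LPORT | GIP LIP] netmask M [0 0]'."""
    t = line.split()
    if t[0] != "static" or "netmask" not in t:
        raise ValueError(f"not a static statement: {line}")
    body = t[2:t.index("netmask")]           # also drops the trailing '0 0' limits
    if body[0] in ("tcp", "udp"):
        return Static(body[0], body[1], int(body[2]), body[3], int(body[4]))
    return Static(None, body[0], None, body[1], None)

def outbound_candidates(statics, local_ip, proto, sport) -> List[str]:
    """Public IPs a packet from local_ip:sport could be translated to."""
    return [s.global_ip for s in statics if s.local_ip == local_ip
            and (s.proto is None or (s.proto == proto and s.local_port == sport))]

def inbound_target(statics, global_ip, proto, dport) -> Optional[str]:
    """Private host:port a packet to global_ip:dport is forwarded to, or None."""
    for s in statics:
        if s.global_ip == global_ip and (
                s.proto is None or (s.proto == proto and s.global_port == dport)):
            return f"{s.local_ip}:{dport if s.local_port is None else s.local_port}"
    return None

def ambiguous_hosts(statics) -> List[str]:
    """Private hosts where some outbound flow matches more than one static."""
    bad = set()
    for s in statics:
        port = s.local_port if s.local_port is not None else 12345  # constructed probe
        if len(outbound_candidates(statics, s.local_ip, s.proto or "tcp", port)) > 1:
            bad.add(s.local_ip)
    return sorted(bad)

# jackko's port-specific form vs. two plain statics for the same private host
PORT_STATICS = [parse_static(l) for l in (
    "static (inside,outside) tcp 198.51.100.1 80 192.0.2.10 80 netmask 255.255.255.255",
    "static (inside,outside) tcp 198.51.100.2 25 192.0.2.10 25 netmask 255.255.255.255")]
PLAIN_STATICS = [parse_static(l) for l in (
    "static (inside,outside) 198.51.100.1 192.0.2.10 netmask 255.255.255.255 0 0",
    "static (inside,outside) 198.51.100.2 192.0.2.10 netmask 255.255.255.255 0 0")]
```

`ambiguous_hosts(PLAIN_STATICS)` flags 192.0.2.10 because a reply leaving that host matches both statics, while `ambiguous_hosts(PORT_STATICS)` is empty.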

Thanks. In PDM I need to remove the NAT that is set in Hosts/Networks, and manually configure NAT in Translation Rules?

Actually, I wanted a slightly different change.

x.x.x.1 to y.y.y.1 for port 443

x.x.x.1 to y.y.y.2 for port 80

but y.y.y.2 gets mapped to y.y.y.1 on PIX. Is this possible?

Actually, I wanted a slightly different change.

x.x.x.1 to y.y.y.1 for port 443

x.x.x.1 to y.y.y.2

but y.y.y.2 gets mapped to y.y.y.1 for port 80. Is this possible?

it would be better if we put some numbering.

let's say:

1.1.1.1 (public) --> 192.168.1.1 (private) for 443

1.1.1.1 (public) --> 192.168.1.2 (private) for 80

this is feasible.

however, not so sure what you mean by "y.y.y.2 get mapped to y.y.y.1 for port 80".

Old Flow:

access-list outside-int permit tcp any host 209.x.x.1 eq https

access-list outside-int permit tcp any host 209.x.x.2 eq http

static (dmz-int,outside-int) tcp 209.x.x.1 80 192.168.1.1 80 netmask 255.255.255.255 0 0

static (dmz-int,outside-int) tcp 209.x.x.2 443 192.168.1.2 443 netmask 255.255.255.255 0 0

New Flow:

User will still hit 209.x.x.1 for http but somehow it is mapped to 209.x.x.2 for http.

Is this possible?