New Member

Static NAT

On PIX 6.3(4), can one have incoming traffic from 2 different external IPs NATed to a single internal IP?

E.g., x.x.x.1 -> y.y.y.y

x.x.x.2 -> y.y.y.y

6 REPLIES
Gold

Re: Static NAT

it is feasible if they have protocol/port specified, otherwise the pix will not be able to distinguish between the two static statements for outbound traffic.

imagine a packet originated from y.y.y.y destined for the internet. pix receives the packet and looks it up against the static statements. now, pix will be confused and not able to determine which public ip should be applied.

on the other hand, if they have protocol or port specified, then it's feasible.

e.g.

x.x.x.1 for tcp 80

x.x.x.2 for tcp 25

static (inside,outside) tcp x.x.x.1 80 y.y.y.y 80 netmask 255.255.255.255

static (inside,outside) tcp x.x.x.2 25 y.y.y.y 25 netmask 255.255.255.255

New Member

Re: Static NAT

Thanks. In PDM, do I need to remove the NAT that is set in Hosts/Networks and manually configure NAT in Translation Rules?

New Member

Re: Static NAT

Actually, I wanted a slightly different change.

x.x.x.1 to y.y.y.1 for port 443

x.x.x.1 to y.y.y.2 for port 80

but y.y.y.2 gets mapped to y.y.y.1 on PIX. Is this possible?

New Member

Re: Static NAT

Actually, I wanted a slightly different change.

x.x.x.1 to y.y.y.1 for port 443

x.x.x.1 to y.y.y.2

but y.y.y.2 gets mapped to y.y.y.1 for port 80. Is this possible?

Gold

Re: Static NAT

it would be better if we put some numbering.

let's say:

1.1.1.1 (public) --> 192.168.1.1 (private) for 443

1.1.1.1 (public) --> 192.168.1.2 (private) for 80

this is feasible.

however, not so sure what you mean by "y.y.y.2 get mapped to y.y.y.1 for port 80".

New Member

Re: Static NAT

Old Flow:

access-list outside-int permit tcp any host 209.x.x.1 eq https

access-list outside-int permit tcp any host 209.x.x.2 eq http

static (dmz-int,outside-int) tcp 209.x.x.1 80 192.168.1.1 80 netmask 255.255.255.255 0 0

static (dmz-int,outside-int) tcp 209.x.x.2 443 192.168.1.2 443 netmask 255.255.255.255 0 0

New Flow:

User will still hit 209.x.x.1 for http but somehow it is mapped to 209.x.x.2 for http.

Is this possible?
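A worked version of the port split the last post asks about (one public address, HTTPS to 192.168.1.1 and HTTP to 192.168.1.2), as an added example that is not configuration from the thread. It assumes the PIX 6.3 syntax and interface names used above, keeps the elided 209.x.x.1 address exactly as the post writes it, assumes the old rules are removed by hand rather than through PDM, and uses the colon comment marker.

```text
: Remove the old per-address rules so the new port-based statics do not overlap them
no access-list outside-int permit tcp any host 209.x.x.2 eq http
no static (dmz-int,outside-int) tcp 209.x.x.1 80 192.168.1.1 80 netmask 255.255.255.255 0 0
no static (dmz-int,outside-int) tcp 209.x.x.2 443 192.168.1.2 443 netmask 255.255.255.255 0 0
: Only ports 80 and 443 on 209.x.x.1 are reachable from outside; 209.x.x.2 is no longer exposed
access-list outside-int permit tcp any host 209.x.x.1 eq https
access-list outside-int permit tcp any host 209.x.x.1 eq http
access-group outside-int in interface outside-int
: Same public address, split by destination port onto two DMZ servers
static (dmz-int,outside-int) tcp 209.x.x.1 443 192.168.1.1 443 netmask 255.255.255.255 0 0
static (dmz-int,outside-int) tcp 209.x.x.1 80 192.168.1.2 80 netmask 255.255.255.255 0 0
: Drop existing translations so the new statics take effect
clear xlate
```

A port-based static translates only that one port, so any other outbound traffic from 192.168.1.1 and 192.168.1.2 still needs a nat/global pair on the DMZ interface.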
