New Member

Translation rule with overlaps.. need help!

Hi there!

I have a PIX 515e with Failover and 6 interfaces: Inside, outside, dmz1, dmz2, dmz3 and dmz4.

My problem is: I have a server and I need to make a static NAT from inside to dmz2 using two different addresses. But it returns that this new static cannot be configured, as it overlaps with an existing rule, etc.

What can I do to work around this problem? Is it possible to configure one NAT like this, 1 address <--> 2 addresses, using the inside interface and just one DMZ interface?

Thanks for the help!

Adriano Porcaro

Cisco CCNA

3 REPLIES
Gold

Re: Translation rule with overlaps.. need help!

It's only feasible if those 2 addresses are used for different protocols/ports.

e.g.

static (inside,dmz2) tcp 1.1.1.1 3389 2.2.2.2 3389 netmask 255.255.255.255

static (inside,dmz2) tcp 1.1.1.1 25 2.2.2.3 25 netmask 255.255.255.255

New Member

Re: Translation rule with overlaps.. need help!

Thanks..

In my case, on one of the connections the TCP port of the source is any and the destination port is the same for all connections, like this:

e.g.

static (inside,dmz2) tcp 1.1.1.1 3389 2.2.2.2 3389 netmask 255.255.255.255

static (inside,dmz2) tcp 1.1.1.1 any 2.2.2.3 52071 netmask 255.255.255.255

Do you know if it works?

Regards

Adriano Porcaro

Gold

Re: Translation rule with overlaps.. need help!

I don't think it's feasible. In fact, the second statement itself won't be accepted by the PIX.

Having a second read of the original post: one inside server needs to appear as two servers from the DMZ hosts' point of view, right? Just wondering if both traffic flows are initiated from the DMZ or not.

If not, you may try:

static (inside,dmz) tcp 1.1.1.1 3389 192.168.1.100 3389 netmask 255.255.255.255

nat (inside) 99 192.168.1.100 255.255.255.255

global (dmz) 99 1.1.1.2

The catch is that DMZ hosts will be able to initiate a connection to 1.1.1.1 on port 3389, and will see the rest of the traffic originated from 192.168.1.100 as 1.1.1.2.
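The two replies together state the rule the PIX applies when it rejects a static as overlapping: on one interface pair, two statics that share a mapped or real address only coexist when both are port statics and the protocol/port pair differs, and a port token such as `any` is not accepted at all. The following Python checker is an added example, not Cisco code or anything from this thread; it parses `static` lines in the form used above and reports the conflicts and invalid lines before they reach a firewall. The function names (`parse_static`, `conflicts`, `check_statics`) and the sample config lines are constructed for this example; it accepts numeric ports only (the real CLI also takes port names such as `smtp`), and it treats an address static as claiming its whole address, which is an assumption for the mixed address/port case.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not PIX code: models the overlap rule the replies describe for
# static statements on one interface pair. Helper names are hypothetical.


@dataclass(frozen=True)
class Static:
    real_ifc: str
    mapped_ifc: str
    mapped_net: ipaddress.IPv4Network
    real_net: ipaddress.IPv4Network
    proto: Optional[str] = None        # "tcp"/"udp" for a port static, None for an address static
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None


def _port(token: str) -> int:
    # Simplification: numeric ports only. A token such as "any" is rejected here, as the
    # PIX rejects it in a static; the real CLI also takes names like "smtp", not modelled.
    if not token.isdigit() or not 0 < int(token) <= 65535:
        raise ValueError(f"invalid port {token!r}")
    return int(token)


def parse_static(line: str) -> Static:
    """Parse 'static (real,mapped) [tcp|udp] mapped_ip [port] real_ip [port] netmask mask'."""
    t = line.split()
    try:
        if t[0] != "static" or not (t[1].startswith("(") and t[1].endswith(")")):
            raise ValueError("not a static statement")
        real_ifc, mapped_ifc = t[1][1:-1].split(",")
        proto = mapped_port = real_port = None
        if t[2] in ("tcp", "udp"):
            proto, mapped_ip, real_ip = t[2], t[3], t[5]
            mapped_port, real_port = _port(t[4]), _port(t[6])
            i = 7
        else:
            mapped_ip, real_ip, i = t[2], t[3], 4
        if t[i] != "netmask":
            raise ValueError("missing netmask keyword")
        mask = t[i + 1]
        # ipaddress accepts a dotted netmask after the slash; strict=False keeps host bits.
        mapped_net = ipaddress.ip_network(f"{mapped_ip}/{mask}", strict=False)
        real_net = ipaddress.ip_network(f"{real_ip}/{mask}", strict=False)
    except (IndexError, ValueError) as e:
        raise ValueError(f"{line!r}: {e}") from e
    return Static(real_ifc, mapped_ifc, mapped_net, real_net, proto, mapped_port, real_port)


def conflicts(a: Static, b: Static) -> bool:
    """True when the firewall would reject b given a: same interface pair, overlapping address."""
    if (a.real_ifc, a.mapped_ifc) != (b.real_ifc, b.mapped_ifc):
        return False
    same_mapped = a.mapped_net.overlaps(b.mapped_net)
    same_real = a.real_net.overlaps(b.real_net)
    if a.proto and b.proto:
        # Two port statics coexist when the protocol/port pair differs (first reply's rule);
        # a given mapped port or real port can be used only once per protocol.
        if a.proto != b.proto:
            return False
        return ((same_mapped and a.mapped_port == b.mapped_port)
                or (same_real and a.real_port == b.real_port))
    # An address static claims the whole address (assumption for the mixed case).
    return same_mapped or same_real


def check_statics(lines: List[str]) -> Dict[str, list]:
    """Return parse errors and the conflicting line-index pairs for a list of static lines."""
    parsed: List[Tuple[int, Static]] = []
    errors: List[str] = []
    for n, line in enumerate(lines):
        try:
            parsed.append((n, parse_static(line)))
        except ValueError as e:
            errors.append(str(e))
    pairs = [(i, j) for x, (i, a) in enumerate(parsed)
             for j, b in parsed[x + 1:] if conflicts(a, b)]
    return {"errors": errors, "conflicts": pairs}


# Constructed sample config lines following the thread's three scenarios.
POSTER_ATTEMPT = [   # one inside server published as two dmz2 addresses: rejected as overlapping
    "static (inside,dmz2) 1.1.1.1 2.2.2.2 netmask 255.255.255.255",
    "static (inside,dmz2) 1.1.1.2 2.2.2.2 netmask 255.255.255.255",
]
PORT_BASED = [       # first reply: coexist because the ports differ
    "static (inside,dmz2) tcp 1.1.1.1 3389 2.2.2.2 3389 netmask 255.255.255.255",
    "static (inside,dmz2) tcp 1.1.1.1 25 2.2.2.3 25 netmask 255.255.255.255",
]
ANY_PORT = [         # second post's attempt: "any" is not a valid port in a static
    "static (inside,dmz2) tcp 1.1.1.1 3389 2.2.2.2 3389 netmask 255.255.255.255",
    "static (inside,dmz2) tcp 1.1.1.1 any 2.2.2.3 52071 netmask 255.255.255.255",
]

if __name__ == "__main__":
    for name, cfg in [("poster", POSTER_ATTEMPT), ("port-based", PORT_BASED), ("any-port", ANY_PORT)]:
        print(name, check_statics(cfg))
```

Run it as a pre-commit check on a config fragment: the poster's two address statics are reported as the conflicting pair (0, 1), the first reply's port statics pass, and the `any` line is reported as a parse error rather than a conflict, which matches the second reply's point that the line itself would not be accepted.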
