01-21-2006 03:03 PM - edited 03-09-2019 01:42 PM
Hi there!
I have a PIX 515e with Failover and 6 interfaces: Inside, outside, dmz1, dmz2, dmz3 and dmz4.
My problem is: I have a server and I need to make a static NAT from inside to dmz2 using two different addresses. But it returns that this new static cannot be configured, as it overlaps with an existing rule....etc..
What can I do to work around this problem?? Is it possible to configure one NAT like this, 1 address <--> 2 addresses, using the inside interface and just one DMZ interface???...
Thanks for the help!
Adriano Porcaro
Cisco CCNA
01-22-2006 02:36 PM
it's only feasible if those 2 addresses are used for different protocol/port.
e.g.
static (inside,dmz2) tcp 1.1.1.1 3389 2.2.2.2 3389 netmask 255.255.255.255
static (inside,dmz2) tcp 1.1.1.1 25 2.2.2.3 25 netmask 255.255.255.255
01-23-2006 04:39 AM
Thanks..
in my case, on one of the connections the tcp/port of the source is any, and the destination port is the same for all connections, like this.
e.g.
static (inside,dmz2) tcp 1.1.1.1 3389 2.2.2.2 3389 netmask 255.255.255.255
static (inside,dmz2) tcp 1.1.1.1 any 2.2.2.3 52071 netmask 255.255.255.255
Do you know if it works ???
Regards
Adriano Porcaro
01-23-2006 03:35 PM
i don't think it's feasible. in fact, the second statement itself won't be accepted by the pix.
having a second read of the original post: one inside server needs to appear as two servers from the dmz host's point of view, right?! just wondering if both traffic flows are initiated from the dmz or not.
if not, you may try:
static (inside,dmz) tcp 1.1.1.1 3389 192.168.1.100 3389 netmask 255.255.255.255
nat (inside) 99 192.168.1.100 255.255.255.255
global (dmz) 99 1.1.1.2
the catch is that dmz hosts will be able to initiate a connection to 1.1.1.1 with port 3389, and see the rest of the traffic originated from 192.168.1.100 as 1.1.1.2.
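Added example, not part of the thread and not Cisco's code: a small Python checker that models the overlap rule the replies describe for PIX 6.x-style static lines, so the three configurations discussed above can be tested side by side before they are typed into a box. It encodes only what the thread states (port-level statics on the same real address coexist when their protocol/port pairs differ, and a port of "any" is not accepted); the clause treating a full one-to-one static as claiming the whole address on both sides is a conservative assumption, and the addresses in the "one server as two addresses" sample are constructed.

```python
"""Toy overlap checker for PIX 6.x-style 'static' NAT lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Static:
    real_ifc: str
    mapped_ifc: str
    proto: Optional[str]        # "tcp"/"udp" for port statics, None for a full 1:1 static
    mapped_ip: str              # address seen from the mapped (here: dmz) side
    mapped_port: Optional[int]
    real_ip: str                # the inside host
    real_port: Optional[int]


def _port(tok: str) -> int:
    """A static needs one numeric port; 'any' is not valid here (service names omitted in this toy)."""
    if not tok.isdigit() or not 0 < int(tok) <= 65535:
        raise ValueError(f"invalid port {tok!r}: a static needs a single port number")
    return int(tok)


def parse_static(line: str) -> Static:
    """Parse 'static (real,mapped) [tcp|udp] mapped_ip [port] real_ip [port] [netmask ...]'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "static":
        raise ValueError("not a static command")
    m = re.fullmatch(r"\((\w+),(\w+)\)", tok[1])
    if not m:
        raise ValueError("expected (real_ifc,mapped_ifc)")
    real_ifc, mapped_ifc = m.groups()
    rest = tok[2:]
    if "netmask" in rest:                      # drop netmask and anything after it
        rest = rest[: rest.index("netmask")]
    if rest and rest[0] in ("tcp", "udp"):
        if len(rest) != 5:
            raise ValueError("port static needs: proto mapped_ip port real_ip port")
        proto, mip, mport, rip, rport = rest
        return Static(real_ifc, mapped_ifc, proto, mip, _port(mport), rip, _port(rport))
    if len(rest) != 2:
        raise ValueError("full static needs: mapped_ip real_ip")
    mip, rip = rest
    return Static(real_ifc, mapped_ifc, None, mip, None, rip, None)


def overlaps(a: Static, b: Static) -> bool:
    """Model of the PIX overlap rule; the full-static clause is a conservative assumption."""
    if (a.real_ifc, a.mapped_ifc) != (b.real_ifc, b.mapped_ifc):
        return False
    if a.proto is None or b.proto is None:
        return a.mapped_ip == b.mapped_ip or a.real_ip == b.real_ip
    if a.proto != b.proto:
        return False
    return ((a.mapped_ip, a.mapped_port) == (b.mapped_ip, b.mapped_port)
            or (a.real_ip, a.real_port) == (b.real_ip, b.real_port))


def check_config(lines: List[str]) -> List[str]:
    """Apply lines in order; return one message per line the model would reject."""
    accepted: List[Tuple[Static, str]] = []
    errors: List[str] = []
    for line in lines:
        try:
            s = parse_static(line)
        except ValueError as e:
            errors.append(f"{line!r}: {e}")
            continue
        clash = next((src for prev, src in accepted if overlaps(prev, s)), None)
        if clash is not None:
            errors.append(f"{line!r}: overlaps with existing static {clash!r}")
            continue
        accepted.append((s, line))
    return errors


# The two-servers-behind-one-address pair from the first reply: accepted.
THREAD_OK = [
    "static (inside,dmz2) tcp 1.1.1.1 3389 2.2.2.2 3389 netmask 255.255.255.255",
    "static (inside,dmz2) tcp 1.1.1.1 25 2.2.2.3 25 netmask 255.255.255.255",
]
# The follow-up with a source port of 'any': the second line is refused.
THREAD_REJECTED = [
    "static (inside,dmz2) tcp 1.1.1.1 3389 2.2.2.2 3389 netmask 255.255.255.255",
    "static (inside,dmz2) tcp 1.1.1.1 any 2.2.2.3 52071 netmask 255.255.255.255",
]
# Constructed: the original goal, one inside host as two full statics, which overlaps.
ONE_TO_TWO = [
    "static (inside,dmz2) 1.1.1.1 192.168.1.100 netmask 255.255.255.255",
    "static (inside,dmz2) 1.1.1.2 192.168.1.100 netmask 255.255.255.255",
]

if __name__ == "__main__":
    for name, cfg in (("ok", THREAD_OK), ("any", THREAD_REJECTED), ("1-to-2", ONE_TO_TWO)):
        print(name, check_config(cfg) or "accepted")
```

The last sample is why the thread ends with a port-level static plus nat/global instead of a second static: the checker accepts only the single 3389 static for 192.168.1.100, and the second address for that host has to come from the dynamic translation, which this toy does not model.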