Translation rule with overlaps.. need help!

aporcaro01 · ‎01-21-2006

Hi there!

I have a PIX 515e with Failover and 6 interfaces: Inside, outside, dmz1, dmz2, dmz3 and dmz4.

My problem is: I have a server and I need to make a static nat from inside to dmz2 using two diferents addresses. But, its returns that this new static cannot be configured, as it overlaps with a existing rule....etc..

What can I do to work around this problem?? Is that possible to configure one NAT like this 1 address <--> 2 addresses using insid interface and just one DMZ interface???...

Thanks for the help!

Adriano Porcaro

Cisco CCNA

jackko · ‎01-22-2006

it's only feasible if those 2 addresses are used for different protocol/port.

e.g.

static (inside,dmz2) tcp 1.1.1.1 3389 2.2.2.2 3389 netmask 255.255.255.255

static (inside,dmz2) tcp 1.1.1.1 25 2.2.2.3 25 netmask 255.255.255.255

aporcaro01 · ‎01-23-2006

Thanks..

in my case, on of the connection the tcp/port of the source is any and the destination port is the same for all connections, like this.

e.g.

static (inside,dmz2) tcp 1.1.1.1 3389 2.2.2.2 3389 netmask 255.255.255.255

static (inside,dmz2) tcp 1.1.1.1 any 2.2.2.3 52071 netmask 255.255.255.255

Do you know if it works ???

Regards

Adriano Porcaro

jackko · ‎01-23-2006

i don't think it's feasible. in fact, the second statement itself won't be accepted by the pix.

having a second read of the original post. one inside servers need to be appeared as two servers from the dmz host point of view, right?! just wondering if both traffic are initiated from the dmz or not.

if not, you may try:

static (inside,dmz) tcp 1.1.1.1 3389 192.168.1.100 3389 netmask 255.255.255.255

nat (inside) 99 192.168.1.100 255.255.255.255

global (dmz) 99 1.1.1.2

the catch is that dmz hosts will be able to initiate a connection to 1.1.1.1 with port 3389, and see the rest of the traffic originated from 192.168.1.100 as 1.1.1.2.