New Member

Two Outside Addresses pointing to one inside address?

static (inside,outside) tcp 192.168.1.1 1234 10.1.0.12 4321 netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.1.2 1234 10.1.0.12 4123 netmask 255.255.255.255 0 0

When I try to put in the second Static I get an Overlap Error.

Is there no way to have two outside addresses point to one inside address?

Thanks,

Scott<-

4 REPLIES
Cisco Employee

Re: Two Outside Addresses pointing to one inside address?

Those commands look OK, I just cut/pasted them into my PIX and they took no problems. The outside addresses you specify are 192.168.1.1 and 192.168.1.2, did you mean you're trying to add the same outside address in twice?

If that is the case, then no, you can't do this on the PIX. Think about when the PIX sees the traffic for 192.168.1.1 and port 1234, which inside host is it supposed to send it to? It has no idea which one you actually want, and no, it won't load-balance between the two.

What you have shown us above though seems to be OK, as long as the ports are different then the PIX shouldn't have any problems.

New Member

Re: Two Outside Addresses pointing to one inside address?

It is not working... Is it because one is not defined with ports?

I get the following Error:

pix (config)# static (inside,outside) Server-exch_o Server-exch_i netmask 255.255.255.255 0 0

pix (config)# static (inside,outside) tcp Server-owa_o 5578 Server-exch_i www netmask 255.255.255.255 0 0

ERROR: static overlaps with Server-exch_o to Server-exch_i

Thanks,

Scott<-

Cisco Employee

Re: Two Outside Addresses pointing to one inside address?

This is different to what you originally said, and yes, this will not work the way you are doing it cause as the PIX is telling you, they overlap.

Statics are always read from top-down and are a first-match basis, just like a router access-list. If you want the above to work, you have to put the most-specific match in first, as follows:

pix(config)# static (inside,outside) tcp 1.1.1.1 5578 10.1.1.1 www netmask 255.255.255.255

pix(config)# static (inside,outside) 1.1.1.1 10.1.1.1 netmask 255.255.255.255

No error. This should work for you.

New Member

Re: Two Outside Addresses pointing to one inside address?

Yes I did enter them the other way and they entered into the Config without error.

Though Now It does not work. I can't get to the Web server when I enter port 5578.

I opened a case with the TAC and they said that the Static Commands are not that robust and doing multiple port redirection with a static of the address with the entire port space will not work reliably. They have tried it and it will sometimes use the first specific match and then sometimes use the second not as specific match.

So I did a work around on the server and am using host headers with the proxy port. Seems to be working fine...

Thanks for your help!

Scott<-
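
The combination discussed in this thread, a whole-address static plus a port-redirect static for the same inside host, can be caught when reviewing a saved configuration. The following is an added example, not code from any poster or from Cisco: a Python check over `static` lines in the form quoted above. The function names and the sample text are constructed for illustration, and it assumes hosts are compared as written (names such as Server-exch_i are not resolved to addresses).

```python
import re
from collections import defaultdict

STATIC_RE = re.compile(r"\bstatic\s+\((\w+),(\w+)\)\s+(.+)")

def parse_static(line):
    """Return ((real_if, mapped_if), real_host, is_port_redirect) or None."""
    m = STATIC_RE.search(line)
    if not m:
        return None
    args = m.group(3).split()
    if "netmask" in args:                      # drop netmask and connection limits
        args = args[:args.index("netmask")]
    if args and args[0] in ("tcp", "udp"):     # proto mapped mport real rport
        if len(args) < 5:
            return None
        return (m.group(1), m.group(2)), args[3], True
    if len(args) < 2:                          # mapped real
        return None
    return (m.group(1), m.group(2)), args[1], False

def find_mixed_statics(config):
    """Flag inside hosts with both a whole-address and a port-redirect static."""
    groups = defaultdict(list)
    for n, line in enumerate(config.splitlines(), 1):
        parsed = parse_static(line)
        if parsed:
            ifaces, real, is_port = parsed
            groups[(ifaces, real)].append((n, is_port))
    findings = []
    for (_, real), entries in groups.items():
        kinds = {is_port for _, is_port in entries}
        if kinds == {True, False}:             # both kinds target the same host
            first = "port-redirect" if entries[0][1] else "whole-address"
            findings.append((real, first, [n for n, _ in entries]))
    return findings

# Constructed sample built from the commands quoted in the thread.
SAMPLE = """\
static (inside,outside) tcp 192.168.1.1 1234 10.1.0.12 4321 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.1.2 1234 10.1.0.12 4123 netmask 255.255.255.255 0 0
static (inside,outside) Server-exch_o Server-exch_i netmask 255.255.255.255 0 0
static (inside,outside) tcp Server-owa_o 5578 Server-exch_i www netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.1 5578 10.1.1.1 www netmask 255.255.255.255
static (inside,outside) 1.1.1.1 10.1.1.1 netmask 255.255.255.255
"""

if __name__ == "__main__":
    print(find_mixed_statics(SAMPLE))
```

Each finding names the inside host, which kind of static was entered first, and the line numbers involved. In the thread, the whole-address-first order was rejected with the overlap error, and the port-redirect-first order was accepted but described by TAC as unreliable.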
