https://community.cisco.com/t5/network-security/pix-7-0-4-nat-issue/m-p/448519#M528492 <HTML><HEAD></HEAD><BODY><P>providing different static statements are used for different ports, you can configure port forwarding instead of one-to-one mapping.</P><P></P><P>e.g.</P><P>static (dmz,outside) tcp 172.16.1.10 9443 192.168.3.3 9443 netmask 255.255.255.255</P><P>static (dmz,outside) tcp 172.16.1.11 9080 192.168.3.3 9080 netmask 255.255.255.255</P></BODY></HTML> Tue, 17 Jan 2006 02:47:40 GMT jackko 2006-01-17T02:47:40Z https://community.cisco.com/t5/network-security/pix-7-0-4-nat-issue/m-p/448518#M528489 <P>I recently upgraded from version 6.3.4 to 7.0.4 on a new PIX firewall. Now it appears that mapping multiple outside IP addresses to a single inside IP, which was supported in 6.3.4, is not longer supported in 7.0.4. Is this true, and if so, are there any workarounds? Thanks.</P><P></P><P>PIX 6.3.4 Config</P><P>----------------</P><P>access-list acl_DMZ_in permit tcp 192.168.3.3 255.255.255.0 any eq 80 </P><P>access-list acl_DMZ_in permit tcp 192.168.3.3 255.255.255.0 any eq 443 </P><P>access-list acl_DMZ_in permit tcp host 192.168.3.3 host 10.250.225.25 eq 9080</P><P>access-list acl_DMZ_in permit tcp host 192.168.3.3 host 10.250.225.25 eq 9443</P><P>static (DMZ,outside) 172.16.1.10 192.168.3.3 netmask 255.255.255.255 0 0 </P><P>static (DMZ,outside) 172.16.1.11 192.168.3.3 netmask 255.255.255.255 0 0</P><P>static (DMZ,outside) 172.16.1.12 192.168.3.3 netmask 255.255.255.255 0 0</P><P></P><P>PIX 7.0.4 Config</P><P>----------------</P><P>access-list acl_DMZ_in extended permit tcp 192.168.3.3 255.255.255.0 any eq 80 </P><P>access-list acl_DMZ_in extended permit tcp 192.168.3.3 255.255.255.0 any eq 443 </P><P>access-list acl_DMZ_in extended permit tcp host 192.168.3.3 host 10.250.225.25 eq 9080</P><P>access-list acl_DMZ_in extended permit tcp host 192.168.3.3 host 10.250.225.25 eq 9443</P><P>static (DMZ,outside) 172.16.1.10 192.168.3.3 netmask 255.255.255.255 0 0 </P><P></P><P>config term</P><P>static (DMZ,outside) 172.16.1.11 192.168.3.3 netmask 255.255.255.255 0 0</P><P>ERROR: duplicate of existing static</P><P> DMZ-1:192.168.3.3 to outside:172.16.1.11 netmask 255.255.255.255</P><P></P><P></P> Fri, 21 Feb 2020 08:38:50 GMT https://community.cisco.com/t5/network-security/pix-7-0-4-nat-issue/m-p/448518#M528489 dspdss 2020-02-21T08:38:50Z https://community.cisco.com/t5/network-security/pix-7-0-4-nat-issue/m-p/448519#M528492 <HTML><HEAD></HEAD><BODY><P>providing different static statements are used for different ports, you can configure port forwarding instead of one-to-one mapping.</P><P></P><P>e.g.</P><P>static (dmz,outside) tcp 172.16.1.10 9443 192.168.3.3 9443 netmask 255.255.255.255</P><P>static (dmz,outside) tcp 172.16.1.11 9080 192.168.3.3 9080 netmask 255.255.255.255</P></BODY></HTML> Tue, 17 Jan 2006 02:47:40 GMT https://community.cisco.com/t5/network-security/pix-7-0-4-nat-issue/m-p/448519#M528492 jackko 2006-01-17T02:47:40Z https://community.cisco.com/t5/network-security/pix-7-0-4-nat-issue/m-p/448520#M528500 <HTML><HEAD></HEAD><BODY><P>I've just had a response back from TAC on this exact issue</P><P></P><P>multiple to 1 NAT is not, and has never been supported in PIX/ASA</P><P></P><P>wrt it previously working in 6.3.4, (and other versions.) TAC response is "may have worked.... but it is not guaranteed to work all the time".</P><P></P></BODY></HTML> Tue, 17 Jan 2006 06:54:01 GMT https://community.cisco.com/t5/network-security/pix-7-0-4-nat-issue/m-p/448520#M528500 walter_muller 2006-01-17T06:54:01Z