https://community.cisco.com/t5/network-security/pix-to-same-nat-destination-address-from-two-networks/m-p/362408#M559868 <P>Cisco PIX 515E DMZ.</P><P></P><P>Is it possible to setup two static NAT's leading to the same public/virtual address, from two different interfaces.</P><P></P><P>In english: We have a server in the DMZ that needs to be reached from the Internet and from the Internal network, but on the same public IP address, then NAT'd to the real address of the server. We can do one interface using the static (inside, outside) command, but can we do this again on another interface to the same addresses?</P> Fri, 21 Feb 2020 07:47:38 GMT adam.stewart 2020-02-21T07:47:38Z https://community.cisco.com/t5/network-security/pix-to-same-nat-destination-address-from-two-networks/m-p/362408#M559868 <P>Cisco PIX 515E DMZ.</P><P></P><P>Is it possible to setup two static NAT's leading to the same public/virtual address, from two different interfaces.</P><P></P><P>In english: We have a server in the DMZ that needs to be reached from the Internet and from the Internal network, but on the same public IP address, then NAT'd to the real address of the server. We can do one interface using the static (inside, outside) command, but can we do this again on another interface to the same addresses?</P> Fri, 21 Feb 2020 07:47:38 GMT https://community.cisco.com/t5/network-security/pix-to-same-nat-destination-address-from-two-networks/m-p/362408#M559868 adam.stewart 2020-02-21T07:47:38Z https://community.cisco.com/t5/network-security/pix-to-same-nat-destination-address-from-two-networks/m-p/362409#M559870 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>I'm pretty certain you can't NAT one IP address to 2 different interfaces. If you are talking about a webserver or similar where you are picking up the public IP address by means of external DNS, you can use the DNS doctoring feature on the pix by adding the 'dns' keyword to your static between the DMZ and outside. When the DNS reply to your inside client passes back through the pix, it will change the public IP address to the DMZ ip address, as described in </P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801cd841.html#wp1026694" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801cd841.html#wp1026694</A></P><P></P><P>Hope that helps</P><P></P><P>Kev</P></BODY></HTML> Wed, 08 Dec 2004 14:26:42 GMT https://community.cisco.com/t5/network-security/pix-to-same-nat-destination-address-from-two-networks/m-p/362409#M559870 kagodfrey 2004-12-08T14:26:42Z https://community.cisco.com/t5/network-security/pix-to-same-nat-destination-address-from-two-networks/m-p/362410#M559871 <HTML><HEAD></HEAD><BODY><P>The best way to do this is to carve out a small subnet of private ip space for your dmz and don't nat to the dmz from either source. For example; if you have a /28 from your ISP divide it into two /29 networks, one on the outside of you pix and one on the DMZ. If you don't have enough address space (and who does) you will be forced to use workarounds like the dns doctoring or provide an internal dns server with an A record that is different from the internet A record.</P></BODY></HTML> Wed, 08 Dec 2004 15:24:35 GMT https://community.cisco.com/t5/network-security/pix-to-same-nat-destination-address-from-two-networks/m-p/362410#M559871 jboyer 2004-12-08T15:24:35Z https://community.cisco.com/t5/network-security/pix-to-same-nat-destination-address-from-two-networks/m-p/362411#M559872 <HTML><HEAD></HEAD><BODY><P>This looks like it might be the answer, no NAT. Need to check my range.</P><P></P><P>We cannot use DNS at all because the client has a hard coded IP address only... eek!</P><P></P><P>Thanks</P></BODY></HTML> Fri, 10 Dec 2004 13:21:50 GMT https://community.cisco.com/t5/network-security/pix-to-same-nat-destination-address-from-two-networks/m-p/362411#M559872 adam.stewart 2004-12-10T13:21:50Z