https://community.cisco.com/t5/network-security/pix-acl-static-advice-help-required/m-p/284948#M565585 <HTML><HEAD></HEAD><BODY><P>I'm afraid you can't map the same one port from the outside interface IP address to two ports on seperate IP addresses on the inside. You would either have to use an additional address from the range available outside the pix,</P><P>access-list inbound permit tcp host [external_IP_2] host [another_outside_ip] eq 3389 </P><P>static (inside,outside) tcp [another_outside_ip&gt; 3389 [inside_srv2 ip] 3389 netmask 255.255.255.255 0 0 </P><P>or change the number of the second port</P><P>access-list inbound permit tcp host [external_IP_2] host [outside_intf_IP_of_pix] eq 12321</P><P>static (inside,outside) tcp [outside_intf_IP_of_pix&gt; 12321 [inside_srv2 ip] 3389 netmask 255.255.255.255 0 0 </P><P></P><P>Hth</P><P></P><P>Kev</P></BODY></HTML> Tue, 25 May 2004 21:18:53 GMT kagodfrey 2004-05-25T21:18:53Z https://community.cisco.com/t5/network-security/pix-acl-static-advice-help-required/m-p/284947#M565584 <P>I am trying to add a 2nd ACL and static on my PIX to allow external access for Remote Desktop Protocol (RDP) on port 3389.</P><P></P><P>At the moment there is a ACL and static configured for access to one internal server via RDP on port 3389, but when I try to configure a 2nd ACL/static for a external client to access a 2nd server on the inside via RDP, I get a duplicate static error!</P><P></P><P>Here is the config at the moment:</P><P></P><P>access-list inbound permit tcp host [external_IP_1] host [outside_intf_IP_of_pix] eq 3389</P><P>static (inside,outside) tcp [outside_intf_IP_of_pix] 3389 [inside_srv1_ip] 3389 netmask 255.255.255.255 0 0</P><P></P><P>the above configuration works perfectly, but if I try adding the following to the above configuration then I get the duplicat error message:</P><P></P><P>access-list inbound permit tcp host [external_IP_2] host [outside_intf_IP_of_pix] eq 3389</P><P>static (inside,outside) tcp [outside_intf_IP_of_pix&gt; 3389 [inside_srv2 ip] 3389 netmask 255.255.255.255 0 0 </P><P></P><P>Both of these servers (srv1 and srv2) are on the same inside subnet. Can someone help me out with this or point me to relevant information/document.</P><P></P><P>Thanks in advance for any assistance.</P><P></P><P></P> Fri, 21 Feb 2020 07:25:09 GMT https://community.cisco.com/t5/network-security/pix-acl-static-advice-help-required/m-p/284947#M565584 admin_2 2020-02-21T07:25:09Z https://community.cisco.com/t5/network-security/pix-acl-static-advice-help-required/m-p/284948#M565585 <HTML><HEAD></HEAD><BODY><P>I'm afraid you can't map the same one port from the outside interface IP address to two ports on seperate IP addresses on the inside. You would either have to use an additional address from the range available outside the pix,</P><P>access-list inbound permit tcp host [external_IP_2] host [another_outside_ip] eq 3389 </P><P>static (inside,outside) tcp [another_outside_ip&gt; 3389 [inside_srv2 ip] 3389 netmask 255.255.255.255 0 0 </P><P>or change the number of the second port</P><P>access-list inbound permit tcp host [external_IP_2] host [outside_intf_IP_of_pix] eq 12321</P><P>static (inside,outside) tcp [outside_intf_IP_of_pix&gt; 12321 [inside_srv2 ip] 3389 netmask 255.255.255.255 0 0 </P><P></P><P>Hth</P><P></P><P>Kev</P></BODY></HTML> Tue, 25 May 2004 21:18:53 GMT https://community.cisco.com/t5/network-security/pix-acl-static-advice-help-required/m-p/284948#M565585 kagodfrey 2004-05-25T21:18:53Z