topic Port based NAT on pix 506e? in Network Security

Port based NAT on pix 506e?

cornishgod — Mon, 11 Mar 2019 12:13:59 GMT

I have Pix sitting between the world and 20 webservers. at the moment my nat rules are simple

82.x.x.1 --> 10.179.0.1 /24

82.x.x.2 --> 10.179.0.2 /24

80/443 allowed anything else dropped

I want to redirect a couple of IPs to another server.

So if source A is requesting access to 82.x.x.1 can I redirect it to 10.179.0.2?

Re: Port based NAT on pix 506e?

acomiskey — Fri, 07 Mar 2008 16:29:48 GMT

Yes, if you used pat...

static (inside,outside) tcp 82.x.x.1 80 10.179.0.1 80 netmask 255.255.255.255

static (inside,outside) tcp 82.x.x.1 443 10.179.0.1 443 netmask 255.255.255.255

static (inside,outside) tcp 82.x.x.2 80 10.179.0.2 80 netmask 255.255.255.255

static (inside,outside) tcp 82.x.x.2 443 10.179.0.2 443 netmask 255.255.255.255

static (inside,outside) tcp 82.x.x.1 10.179.0.2 netmask 255.255.255.255

must be different than 80 or 443.

Re: Port based NAT on pix 506e?

cornishgod — Fri, 07 Mar 2008 16:33:40 GMT

Thats no good what i'm trying to do is redirect some google servers to one of our more beefier servers

Re: Port based NAT on pix 506e?

cisco24x7 — Fri, 07 Mar 2008 19:03:32 GMT

yes, that can be done very easily, if you have

a checkpoint firewalls. With Checkpoint, you

can put in mannual NAT rule, in addition to

static NAT. It can be done in 20 seconds

follows by a policy push.

I think it can be done with Pix via policy NAT

but do not hold me to it.

CCIE Security

Re: Port based NAT on pix 506e?

brettmilborrow — Sat, 08 Mar 2008 00:14:16 GMT

So if I am right, you want inbound connections to the same global address to be translated to more than one internal host on the same port?

If this is correct, then this is only possible if you are using different ports (as shown in the example given above), otherwise I am afraid this is not possible without a device that can load balance.

Re: Port based NAT on pix 506e?

cisco24x7 — Sat, 08 Mar 2008 02:51:36 GMT

With Checkpoint, the solution is a very simple one:

1- create your static NAT,

2- create a manual NAT above the static NAT

as follows:

Source Dest Service translated source translate_dest

Source_A 82.x.x.1 80/443 original 192.168.x.1

place this NAT rule above the auto nat rule

and you will be set.

Easy right?

CCIE Security

Re: Port based NAT on pix 506e?

cornishgod — Mon, 10 Mar 2008 09:52:10 GMT

Thanks for all your advice it looks like it cant be done.

Basically google blam one of sites every now and then which kills a webserver - what I would like to have done:

If destination = server x and source = google then goto to server y

as server y is much older, slower and serves the same site as server x, so we don't mind if that one goes down.

I'm looking in to load balancer now any one recommend a good one?

Re: Port based NAT on pix 506e?

brettmilborrow — Mon, 10 Mar 2008 11:10:00 GMT

Cisco have a product called CCS or Content Switch Solution.

I would recommend looking at the F5 LTM product as well.