03-11-2010 08:41 PM - edited 03-11-2019 10:20 AM
I have a mail server which I am doing inbound NAT translation on. I translate the public IP of the mailserver to the private IP of the mailserver. I am doing this using static NAT rules. I am trying to figure out a way to do some kind of policy NAT where I keep the same public address of the mailserver but translate it differently based on what the requesting source IP is. The rule would be something like this:
For connections going to IP 10.10.10.10(mail server public IP) from source IP 12.12.12.12, translate the address to 192.168.0.10
For connections going to IP 10.10.10.10(mail server public IP) from all other source IPs, translate the address to 192.168.0.12
Does anyone know of a way to do this with the PIX 515E? This seems like it should be possible but I cannot see exactly how.
As always thanks for the help here.
03-12-2010 08:03 AM
Hi,
Let's say that the idea that you have for your mail server is something like this (assuming 10.10.10.10 is your public IP for the server):
access-list TEST1 permit ip host 12.12.12.12 host 10.10.10.10
access-list TEST2 permit ip any host 10.10.10.10
static (in,out) 10.10.10.10 access-list TEST1
static (in,out) 10.10.10.10 access-list TEST2
This is not going to work, because you will get an overlapping error on the static statements for the same global address.
You cannot use dynamic Policy NAT (using nat and global), because you need to provide access to the server on the highest security interface.
From what I see, there's no way to accomplish this.
Just out of curiosity, why are you trying such a configuration?
Federico.
03-12-2010 09:14 AM
Wanted to see if this was possible because we had some remote developers testing against our mailserver and the tests they were doing were somehow crashing the mail server software. We asked them to stop but they did not seem to get the message. So I wanted to sort of send them off to another server temporarily and yet keep other traffic flowing normally and without disrupting their tests. Keep from changing IPs. Hokey, I know. Maybe there is some other better way to do this. Thanks for the reply.
03-12-2010 09:17 AM
No problem. Try this:
access-list TEST1 permit ip host 12.12.12.12 host 10.10.10.10
access-list TEST2 permit ip any host 10.10.10.10
static (in,out) 192.168.0.19 access-list TEST1
static (in,out) 192.168.0.12 access-list TEST2
You may adjust the access-list with the protocol that you need to let through.
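Added example, not part of the thread or of any Cisco code: a small Python model of how the two ordered policy statics above pick a real (inside) address for an inbound flow, using the 192.168.0.10 / 192.168.0.12 addresses from the question. The first-match evaluation order and the optional port restriction are assumptions made for illustration, so check them against the PIX's own `show xlate` / packet behaviour before relying on the ordering.

```python
from ipaddress import ip_address, ip_network


class AclEntry:
    """One access-list line: protocol, source net, destination net, port."""

    def __init__(self, proto, src, dst, dport=None):
        self.proto = proto        # "ip" matches any protocol, else "tcp"/"udp"
        self.src = src            # ip_network
        self.dst = dst            # ip_network
        self.dport = dport        # None = any port; otherwise a single port

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return ip_address(src) in self.src and ip_address(dst) in self.dst


def host(ip):
    return ip_network(f"{ip}/32")


# Constructed to mirror the thread's two access-lists:
#   access-list TEST1 permit ip host 12.12.12.12 host 10.10.10.10
#   access-list TEST2 permit ip any host 10.10.10.10
ACLS = {
    "TEST1": [AclEntry("ip", host("12.12.12.12"), host("10.10.10.10"))],
    "TEST2": [AclEntry("ip", ip_network("0.0.0.0/0"), host("10.10.10.10"))],
}

# Ordered policy statics as (real address, access-list name). The specific
# developer entry must be evaluated before the catch-all "any" entry, or the
# catch-all shadows it and every client lands on 192.168.0.12.
STATICS = [("192.168.0.10", "TEST1"), ("192.168.0.12", "TEST2")]


def translate(proto, src, dst, dport=25, statics=STATICS):
    """Return the real (inside) address for an inbound flow, or None.

    First static whose access-list permits the flow wins (assumed order).
    """
    for real_ip, acl_name in statics:
        if any(e.matches(proto, src, dst, dport) for e in ACLS[acl_name]):
            return real_ip
    return None
```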