Pix Nat Question

kuldeep.kaur
Level 1

Hi Guys,

On my pix all the internal hosts are natted to the pix outside interface using nat and global command.

What I want to do now is to map two global IP addresses to one single host on the inside. How should I configure this? Shall I use two statics? Will the PIX accept, for example, the following:

static (inside,outside) 102.1.1.1 10.1.1.1 netmask 255.255.255.255

static (inside,outside) 102.1.1.2 10.1.1.1 netmask 255.255.255.255

Thank you guys for any help on this.

Cheers

1 Accepted Solution

Hi Kuldeep,

Yes, static policy NAT is a workaround for this. I did a lab recreate for it a while ago, but I was not successful with the 7.x code; as soon as I upgraded to ASA 8.x, it was working fine. You can use this thread as a reference:

https://supportforums.cisco.com/thread/2101229?tstart=30

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao

11 Replies

Jennifer Halim
Cisco Employee

Unfortunately this is not a supported configuration.

You won't be able to NAT 2 different global IP Addresses to the same internal/inside host.

You can however perform a static PAT if it will be used for 2 different applications/ports.

Eg:

102.1.1.1 for SMTP (port 25)

102.1.1.2 for HTTP (port 80)

static (inside,outside) tcp 102.1.1.1 25 10.1.1.1 25 netmask 255.255.255.255

static (inside,outside) tcp 102.1.1.2 80 10.1.1.1 80 netmask 255.255.255.255

Hi Jennifer,

So there is no other way of doing this?

Tks

Apart from the static PAT as advised earlier, unfortunately there is no other way.

Can I use static policy NAT? Will it support this configuration?

How do you propose to use the static policy NAT?

As long as it's not overlapping, it should be OK.

Hi Jennifer,

For example :

access-list policy_nat_web1 extended permit ip host 172.16.1.3 any

access-list policy_nat_web2 extended permit ip host 172.16.1.3 any

static (inside,outside) 172.16.1.1 access-list policy_nat_web1

static (inside,outside) 172.16.1.2 access-list policy_nat_web2

Will the above work?

No, that will not work because you use "any" which is essentially the same as what you are trying to do with:

static (inside,outside) 172.16.1.1 172.16.1.3

static (inside,outside) 172.16.1.2 172.16.1.3

which is not supported.
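An added illustration, not part of any post in this thread and not Cisco tooling: a small Python check that applies the rule stated in the replies above to PIX-style `static` lines, flagging an inside host that is translated to more than one global address over the same scope. The sample config is constructed from the addresses quoted in the thread; host 10.1.1.2 and globals 102.1.1.3 and 102.1.1.4 are made up for the static PAT case, and policy NAT destinations are compared as exact strings only, with no subnet overlap test.

```python
import re
from collections import defaultdict

# Constructed sample config (addresses from the thread; 10.1.1.2 and 102.1.1.3/.4 are made up).
SAMPLE_CONFIG = """\
static (inside,outside) 102.1.1.1 10.1.1.1 netmask 255.255.255.255
static (inside,outside) 102.1.1.2 10.1.1.1 netmask 255.255.255.255
static (inside,outside) tcp 102.1.1.3 25 10.1.1.2 25 netmask 255.255.255.255
static (inside,outside) tcp 102.1.1.4 80 10.1.1.2 80 netmask 255.255.255.255
access-list policy_nat_web1 extended permit ip host 172.16.1.3 any
access-list policy_nat_web2 extended permit ip host 172.16.1.3 any
static (inside,outside) 172.16.1.1 access-list policy_nat_web1
static (inside,outside) 172.16.1.2 access-list policy_nat_web2
"""

STATIC = re.compile(r"^static\s*\(\s*\w+\s*,\s*\w+\s*\)\s+(.+)$", re.I)
ACL = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+host\s+(\S+)\s+(.+)$", re.I)

def parse(config):
    """Return (real_ip, scope, global_ip) tuples; scope is what narrows the translation."""
    acls, rules = {}, []
    for line in config.splitlines():
        acl = ACL.match(line.strip())
        if acl:
            acls[acl.group(1)] = (acl.group(2), acl.group(3).strip())
            continue
        st = STATIC.match(line.strip())
        if not st:
            continue
        tok = st.group(1).split()
        if tok[0].lower() in ("tcp", "udp") and len(tok) >= 5:   # static PAT
            rules.append((tok[3], f"{tok[0].lower()}/{tok[4]}", tok[1]))
        elif len(tok) > 2 and tok[1].lower() == "access-list" and tok[2] in acls:
            real, dest = acls[tok[2]]
            # A policy ACL with destination "any" covers the same traffic as a plain static.
            rules.append((real, "all" if dest == "any" else "dest " + dest, tok[0]))
        elif len(tok) >= 2 and tok[1].lower() != "access-list":  # plain one-to-one static
            rules.append((tok[1], "all", tok[0]))
    return rules

def find_conflicts(rules):
    """Map (real_ip, scope) to its global IPs wherever there is more than one."""
    by_key = defaultdict(set)
    for real, scope, glob in rules:
        by_key[(real, scope)].add(glob)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}

if __name__ == "__main__":
    for (real, scope), globs in find_conflicts(parse(SAMPLE_CONFIG)).items():
        print(f"{real} ({scope}) is mapped to several globals: {', '.join(globs)}")
```
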

Hi Jennifer,

I am a bit confused now. If you don't mind, could you please tell me whether the example in the following link is the same as what I am trying to configure:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807d2874.shtml

I just want to know the difference between my request and the example in the above link.

Thank you very much for your help.

Tks

Hi Varun / Jennifer,

Thank you very much for your help. Will try this and see how it goes. (FYI running version 7.x)
