PIX: static one-to-many

d.valsania
Level 1

Hi,

I'm trying to replace a C3640 router with a PIX-525 (ver 7.2.2), but I can't map multiple outside addresses to one internal address.

In my router config I have:

ip nat inside source static tcp 192.168.5.5 80 1.1.1.1 80 extendable

ip nat inside source static tcp 192.168.5.5 80 1.1.1.2 80 extendable

But when I try to add these lines on my PIX I get an error message:

static (inside,outside) tcp 1.1.1.1 80 192.168.5.5 80 netmask 255.255.255.255

static (inside,outside) tcp 1.1.1.2 80 192.168.5.5 80 netmask 255.255.255.255

ERROR:static exist duplicate of existing static

Any advice is appreciated.

davide

3 Replies

a.kiprawih
Level 7

It's because the PIX does not allow port redirection from one public IP to multiple internal IPs using the same port number. It will work as long as you map them to different ports, say, 8080, 8081, etc.

static (inside,outside) tcp 192.168.1.10 www 10.1.1.2 www netmask 255.255.255.255

static (inside,outside) tcp 192.168.1.10 81 10.1.1.2 81 netmask 255.255.255.255

static (inside,outside) tcp 192.168.1.10 82 10.1.1.2 82 netmask 255.255.255.255

static (inside,outside) tcp 192.168.1.10 telnet 10.1.1.2 telnet netmask 255.255.255.255

If you have multiple web servers, you have to change the www service port on each server to the same port number as configured in the static command.

The ACL on outside interface should be:

access-list outside permit tcp any host 192.168.1.10 eq www

access-list outside permit tcp any host 192.168.1.10 eq 81

access-list outside permit tcp any host 192.168.1.10 eq 82

access-list outside permit tcp any host 192.168.1.10 eq telnet

access-group outside in interface outside

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

HTH

AK

Hi,

thanks for your fast reply!

But I can't change anything.

I only need to replace the C3640 (active for 2 years, but with a constant CPU load of 90%) with a higher-performance PIX firewall.

The customer has only one web server and maps it to 100/200 external IP addresses.

davide

If I recall correctly, this restriction was not in place with PIX 6.x releases; I don't know if it works well or not.

If you need to keep the current release, you can take a look at policy NAT; maybe it's suitable for your needs.

Bye,

Massimo.
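Added example (not from this thread and not Cisco's code): a small Python checker that models the PIX 7.2 rule the thread reports, namely that a real (inside) address and port can be claimed by only one port-redirection `static`, and that also verifies, as the first reply requires, that the ACL bound inbound on the mapped interface permits each mapped address and port. It parses only the two command forms shown in the thread (the port-redirection `static` and `access-list NAME permit tcp any host IP eq PORT`), so other `static` forms or broader ACL entries are ignored; the sample configuration is constructed from the thread's own addresses, and the duplicate rule is a model of what the thread describes, not the PIX's real parser.

```python
import re
from collections import defaultdict

# PIX 7.x port-redirection form of the static command (the only form handled here):
#   static (real_if,mapped_if) {tcp|udp} MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT netmask MASK
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>[\d.]+) (?P<mapped_port>\S+) (?P<real_ip>[\d.]+) (?P<real_port>\S+) "
    r"netmask [\d.]+$"
)
# Simple inbound ACL entry of the kind shown in the thread: permit any -> host IP eq PORT.
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) permit (?P<proto>tcp|udp) any host (?P<ip>[\d.]+) "
    r"eq (?P<port>\S+)$"
)
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\w+)$")

# A few of the service keywords the PIX CLI accepts in place of numeric ports.
SERVICE_NAMES = {"www": 80, "http": 80, "https": 443, "telnet": 23, "ssh": 22, "smtp": 25}


def port_number(token):
    """Resolve a service keyword or numeric port string to an integer."""
    return SERVICE_NAMES[token] if token in SERVICE_NAMES else int(token)


def check_statics(config_text):
    """Model of the rule reported in the thread: a real (inside) address/port may be
    claimed by only one port-redirection static.  Returns which lines would be accepted,
    which would be rejected as duplicates, and which accepted mappings have no matching
    permit in the ACL applied inbound on their mapped interface."""
    accepted, rejected = [], []
    claimed = {}                     # (proto, real_ip, real_port) -> line that claimed it
    acl_permits = defaultdict(set)   # acl name -> {(proto, mapped_ip, mapped_port)}
    bound = {}                       # interface -> acl name applied inbound

    for raw in config_text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            key = (m["proto"], m["real_ip"], port_number(m["real_port"]))
            if key in claimed:
                rejected.append((line, "duplicate of: " + claimed[key]))
            else:
                claimed[key] = line
                accepted.append(dict(m.groupdict(), line=line))
            continue
        m = ACL_RE.match(line)
        if m:
            acl_permits[m["name"]].add((m["proto"], m["ip"], port_number(m["port"])))
            continue
        m = GROUP_RE.match(line)
        if m:
            bound[m["iface"]] = m["name"]

    unreachable = []
    for s in accepted:
        acl = bound.get(s["mapped_if"])
        need = (s["proto"], s["mapped_ip"], port_number(s["mapped_port"]))
        if acl is None or need not in acl_permits[acl]:
            unreachable.append(s["line"])

    return {
        "accepted": [s["line"] for s in accepted],
        "rejected": rejected,
        "unreachable": unreachable,
    }


# Constructed sample: the two statics from the question, plus a port-redirection set and
# a partial ACL in the style of the first reply.  Addresses are the thread's own examples.
SAMPLE_CONFIG = """
static (inside,outside) tcp 1.1.1.1 80 192.168.5.5 80 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.2 80 192.168.5.5 80 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 81 192.168.5.5 81 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 telnet 192.168.5.5 telnet netmask 255.255.255.255
access-list outside permit tcp any host 1.1.1.1 eq www
access-list outside permit tcp any host 1.1.1.1 eq 81
access-group outside in interface outside
"""

if __name__ == "__main__":
    result = check_statics(SAMPLE_CONFIG)
    for line, why in result["rejected"]:
        print("REJECTED :", line, "(", why, ")")
    for line in result["unreachable"]:
        print("NO ACL   :", line)
    for line in result["accepted"]:
        print("OK       :", line)
```

On the sample, the second `static` (1.1.1.2:80 for the same 192.168.5.5:80) is flagged as the duplicate, the 81 and telnet redirections are accepted, and the telnet mapping is reported as lacking an ACL permit, which is exactly the review a migration from the router's `ip nat inside source static ... extendable` lines would need before the config is pasted into the PIX.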
