11-24-2006 10:11 AM - edited 03-11-2019 02:00 AM
hi
I'm trying to substitute a C3640 router with a PIX-525 (ver 7.2.2), but I can't map multiple outside addresses to one internal address.
In my router config I have:
ip nat inside source static tcp 192.168.5.5 80 1.1.1.1 80 extendable
ip nat inside source static tcp 192.168.5.5 80 1.1.1.2 80 extendable
but when I try to add these lines on my PIX I get an error message:
static (inside,outside) tcp 1.1.1.1 80 192.168.5.5 80 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.2 80 192.168.5.5 80 netmask 255.255.255.255
ERROR:static exist duplicate of existing static
Any advice is appreciated.
davide
11-24-2006 02:41 PM
It's because the PIX does not allow port redirection from one public IP to multiple internal IPs using the same port number. It will work as long as you map them to different ports, say, 8080, 8081, etc.
static (inside,outside) tcp 192.168.1.10 www 10.1.1.2 www netmask 255.255.255.255
static (inside,outside) tcp 192.168.1.10 81 10.1.1.2 81 netmask 255.255.255.255
static (inside,outside) tcp 192.168.1.10 82 10.1.1.2 82 netmask 255.255.255.255
static (inside,outside) tcp 192.168.1.10 telnet 10.1.1.2 telnet netmask 255.255.255.255
If you have multiple web servers, you have to change the www service port on each server to the same port number as stated/configured in the static command.
The ACL on outside interface should be:
access-list outside permit tcp any host 192.168.1.10 eq www
access-list outside permit tcp any host 192.168.1.10 eq 81
access-list outside permit tcp any host 192.168.1.10 eq 82
access-list outside permit tcp any host 192.168.1.10 eq telnet
access-group outside in interface outside
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml
HTH
AK
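To make the difference between the two boxes concrete, here is a small added model (not code from the thread or from Cisco) that parses the IOS `ip nat inside source static` lines and the PIX `static` lines quoted above, builds the translation table, and reports which entries each platform would reject. The keying rules are assumptions inferred from the thread: IOS with `extendable` keys on the full real/global pair (so one inside host can be published under several outside addresses), while the PIX 7.x check keys on the real inside ip:port, which is why the second `static` for 192.168.5.5:80 is reported as a duplicate. The sample configuration lines are the ones from the posts above.

```python
"""Added example: model of how IOS and PIX 7.x accept or reject static NAT entries."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Service names the PIX accepts in place of a port number (subset, enough for the thread's lines).
SERVICE_PORTS = {"www": 80, "http": 80, "telnet": 23, "ftp": 21, "smtp": 25, "https": 443}


@dataclass(frozen=True)
class StaticMap:
    proto: str                  # "tcp", "udp", or "ip" for a whole-address static
    mapped_ip: str              # outside (global) address
    mapped_port: Optional[int]
    real_ip: str                # inside (local) address
    real_port: Optional[int]


def port_of(token: str) -> int:
    """Accept either a port number or a well-known service name (www, telnet, ...)."""
    token = token.lower()
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    raise ValueError(f"unknown service name: {token}")


def parse_pix_static(line: str) -> StaticMap:
    """static (inside,outside) [tcp|udp] MAPPED [MPORT] REAL [RPORT] netmask MASK"""
    tok = line.split()
    if tok[0] != "static" or not re.fullmatch(r"\(\w+,\w+\)", tok[1]):
        raise ValueError(f"not a static command: {line}")
    if tok[2] in ("tcp", "udp"):
        return StaticMap(tok[2], tok[3], port_of(tok[4]), tok[5], port_of(tok[6]))
    return StaticMap("ip", tok[2], None, tok[3], None)


def parse_ios_static(line: str) -> StaticMap:
    """ip nat inside source static [tcp|udp] REAL [RPORT] MAPPED [MPORT] [extendable]"""
    tok = line.split()
    if tok[:5] != ["ip", "nat", "inside", "source", "static"]:
        raise ValueError(f"not an inside static NAT command: {line}")
    if tok[5] in ("tcp", "udp"):
        return StaticMap(tok[5], tok[8], port_of(tok[9]), tok[6], port_of(tok[7]))
    return StaticMap("ip", tok[6], None, tok[5], None)


def pix_key(m: StaticMap) -> Tuple:
    # Assumption inferred from the thread's error: PIX 7.x keys a static on the
    # real (inside) ip:port, so that side may appear in only one static.
    return (m.proto, m.real_ip, m.real_port)


def ios_key(m: StaticMap) -> Tuple:
    # IOS with "extendable" keys on the whole pair, so one real ip:port may be
    # published under several global addresses (the router config in the thread).
    return (m.proto, m.real_ip, m.real_port, m.mapped_ip, m.mapped_port)


def load_statics(lines: List[str], parse: Callable[[str], StaticMap],
                 key: Callable[[StaticMap], Tuple]) -> Tuple[List[StaticMap], List[str]]:
    """Return (accepted maps, error strings) in the order the box would process them."""
    seen: Dict[Tuple, StaticMap] = {}
    globals_used: set = set()
    accepted, errors = [], []
    for line in lines:
        m = parse(line)
        g = (m.proto, m.mapped_ip, m.mapped_port)  # one global ip:port can front only one real host
        if key(m) in seen or g in globals_used:
            errors.append(f"{line}: duplicate of existing static")
            continue
        seen[key(m)] = m
        globals_used.add(g)
        accepted.append(m)
    return accepted, errors


def inbound_lookup(accepted: List[StaticMap], proto: str, dst_ip: str, dst_port: int):
    """Inside host an outside connection to dst_ip:dst_port is sent to, or None if untranslated."""
    for m in accepted:
        if m.proto == proto and m.mapped_ip == dst_ip and m.mapped_port == dst_port:
            return (m.real_ip, m.real_port)
        if m.proto == "ip" and m.mapped_ip == dst_ip:
            return (m.real_ip, dst_port)
    return None


# Configuration lines quoted in the thread.
ROUTER_LINES = [
    "ip nat inside source static tcp 192.168.5.5 80 1.1.1.1 80 extendable",
    "ip nat inside source static tcp 192.168.5.5 80 1.1.1.2 80 extendable",
]
PIX_LINES_REJECTED = [
    "static (inside,outside) tcp 1.1.1.1 80 192.168.5.5 80 netmask 255.255.255.255",
    "static (inside,outside) tcp 1.1.1.2 80 192.168.5.5 80 netmask 255.255.255.255",
]
PIX_LINES_WORKING = [
    "static (inside,outside) tcp 192.168.1.10 www 10.1.1.2 www netmask 255.255.255.255",
    "static (inside,outside) tcp 192.168.1.10 81 10.1.1.2 81 netmask 255.255.255.255",
    "static (inside,outside) tcp 192.168.1.10 82 10.1.1.2 82 netmask 255.255.255.255",
    "static (inside,outside) tcp 192.168.1.10 telnet 10.1.1.2 telnet netmask 255.255.255.255",
]

if __name__ == "__main__":
    for name, lines, parse, key in [("IOS", ROUTER_LINES, parse_ios_static, ios_key),
                                    ("PIX (thread)", PIX_LINES_REJECTED, parse_pix_static, pix_key),
                                    ("PIX (AK's)", PIX_LINES_WORKING, parse_pix_static, pix_key)]:
        acc, err = load_statics(lines, parse, key)
        print(f"{name}: {len(acc)} accepted, {len(err)} rejected")
        for e in err:
            print("  ", e)
```

Running it shows the router accepting both entries for 192.168.5.5, the PIX accepting only the first of the two thread lines, and AK's four port-distinct statics all accepted; `inbound_lookup` then answers which inside host a given outside destination lands on, which is the check to run against an ACL before trusting a cut-over.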
11-24-2006 10:53 PM
Hi,
thanks for your fast reply!
But I can't change anything.
I only have to replace the C3640 (active for 2 years but with a constant CPU load of 90%) with a higher-performance PIX firewall.
The customer has only one web server and maps it to 100/200 external IP addresses.
davide
11-25-2006 10:52 PM
If I recall correctly this restriction was not in place with PIX 6.x releases; I don't know whether it works well or not.
If you need to keep the current release you can take a look at policy NAT, maybe it's suitable for your needs.
Bye,
Massimo.