PIX to same NAT destination address from two networks

adam.stewart · ‎12-08-2004

Cisco PIX 515E DMZ.

Is it possible to setup two static NAT's leading to the same public/virtual address, from two different interfaces.

In english: We have a server in the DMZ that needs to be reached from the Internet and from the Internal network, but on the same public IP address, then NAT'd to the real address of the server. We can do one interface using the static (inside, outside) command, but can we do this again on another interface to the same addresses?

kagodfrey · ‎12-08-2004

Hi

I'm pretty certain you can't NAT one IP address to 2 different interfaces. If you are talking about a webserver or similar where you are picking up the public IP address by means of external DNS, you can use the DNS doctoring feature on the pix by adding the 'dns' keyword to your static between the DMZ and outside. When the DNS reply to your inside client passes back through the pix, it will change the public IP address to the DMZ ip address, as described in

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801cd841.html#wp1026694

Hope that helps

Kev

jboyer · ‎12-08-2004

The best way to do this is to carve out a small subnet of private ip space for your dmz and don't nat to the dmz from either source. For example; if you have a /28 from your ISP divide it into two /29 networks, one on the outside of you pix and one on the DMZ. If you don't have enough address space (and who does) you will be forced to use workarounds like the dns doctoring or provide an internal dns server with an A record that is different from the internet A record.

adam.stewart · ‎12-10-2004

This looks like it might be the answer, no NAT. Need to check my range.

We cannot use DNS at all because the client has a hard coded IP address only... eek!

Thanks