NAT problem

Hi group!

We have a cisco PIX-515 with Pix 5.1.2 software and my question is this:

I want 2 machines on our internal network to use one common NAT'ed IP address. When I try to add the second machine to use the same address the PIX says the address is already in use. Is there any way to accomplish what I want to do?

Thanks in advance!

Regards

Stefan

Reply to
Stefan

It depends what you mean.

It is not allowed to use static NAT to map the same external IP address (as a whole) to multiple internal IP addresses. (PIX 6.1 and later allow individual tcp or udp ports to be mapped, and in those versions you can have different external port numbers map to different internal machines, as long as the combination is unique.)

If you do not need static IP addressing, because the two machines are not acting as servers (nothing initiates traffic in -to- them, at least not until they've initiated outgoing traffic to that place), then what you do is create a new NAT pool:

    nat (inside) 10 INTERNALIPADDRESS1 255.255.255.255
    nat (inside) 10 INTERNALIPADDRESS2 255.255.255.255
    global (outside) 10 COMMONPUBLICIPADDRESS

(The two nat lines put both inside hosts into NAT policy 10; the single-address global line for policy 10 makes the PIX do PAT on that one outside address.)

With this configuration, port address translation will be done using COMMONPUBLICIPADDRESS and the only inside machines that will use that outgoing IP will be the ones that match nat policy 10.

Reply to
Walter Roberson

Hi again!

Thank you for your info. The thing is that we are about to use 2 mail routing machines. We have 2 F-Secure mail scanners: one is the default mail router/scanner and the second is a fail-over machine. The idea is that Domino automatically switches over to the second machine if the first goes down. These 2 machines have, of course, two different IP addresses. The first is NAT'ed in the PIX. The problem is that our ISP only accepts 1 outside address for SMTP traffic, and that is why I'm interested in getting the second machine NAT'ed to the same outside address. A bit of a kinky problem, this...

Regards

Stefan

Reply to
stefan

Hi again!

Any ideas how to solve this problem?

Thank you!

Stefan

Reply to
Stefan

Well, you can't just statically NAT the one outside address to two inside addresses, as you know.

Do the two mail scanners automatically fail over between themselves? Is it possible to configure them to share one IP address instead of having one each? Can you put a load balancer between the PIX and the mail scanners, so the PIX sees one internal address and the load balancer keeps track of who's up and who's down?

Reply to
Martin Gallagher

Hi again!

The two mail scanners have automatic failover. I have to check if they can switch IP, but I don't think so. What type of load balancer could be used between the scanners and the PIX?

Regards

Stefan

Reply to
Stefan

Typically, boxes that have automatic failover either use a shared virtual IP between them or the failover box assumes the identity of the primary in the event of a failure. In either of those cases you would only need the NAT to point to a single IP, the virtual one or the primary's, depending on the way the device works.

One other option is to run a secondary MX with a higher cost: 10 for the primary; when that becomes unreachable, delivery will then fall back to the higher-cost (20) MX, which will have another IP assigned to it. NAT the 10 MX to mailscanner1, NAT the 20 MX to mailscanner2... very simple.

Reply to
Brian V
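As an added illustration of the two-MX approach above (this is editorial example configuration, not something posted in the thread), the DNS side and the PIX side look like this. All names and addresses are assumed: mx1/mx2.example.com, documentation-range outside addresses 203.0.113.10/.11, inside scanners 192.168.1.10/.11, and an outside access-list named acl_outside. PIX syntax is the static/access-list/access-group form; check it against the command reference for your exact software release.

```text
;; --- DNS zone fragment for example.com (assumed names/addresses) ---
;; Lower preference is tried first; 20 is only used when 10 is unreachable.
example.com.        IN  MX  10  mx1.example.com.
example.com.        IN  MX  20  mx2.example.com.
mx1.example.com.    IN  A   203.0.113.10
mx2.example.com.    IN  A   203.0.113.11

! --- PIX configuration fragment (assumed addresses) ---
! One static per MX host: each outside address maps to exactly one scanner,
! so neither static collides with the other.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.11 192.168.1.11 netmask 255.255.255.255 0 0
! Permit only SMTP in to each translated address, then bind the list inbound
! on the outside interface.
access-list acl_outside permit tcp any host 203.0.113.10 eq smtp
access-list acl_outside permit tcp any host 203.0.113.11 eq smtp
access-group acl_outside in interface outside
```

This covers mail arriving from the Internet: a sending MTA works down the MX list, so the second scanner only receives mail once the first stops answering, and each outside address needs its own static and its own SMTP permit. It requires that whoever sends you mail can reach both outside addresses on port 25. For mail leaving the scanners towards a relay that only accepts one source address, the shared nat/global pool shown earlier in the thread is the mechanism that puts both scanners behind the same outgoing address.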
