We have a Cisco PIX 515 with PIX 5.1.2 software, and my question is this:
I want 2 machines on our internal network to use one common NAT'ed IP address. When I try to add the second machine to use the same address, the PIX says that the address is already in use. Is there any way to accomplish what I want to do?
It is not allowed to use static NAT to map the same external IP address (as a whole) to multiple internal IP addresses. (PIX 6.1 and later allow individual TCP or UDP ports to be mapped, and in those versions you can have different external port numbers map to different internal machines, as long as the combination is unique.)
If you do not need static IP addressing, because the two machines are not acting as servers (nothing initiates traffic in to them, at least not until they've initiated outgoing traffic to that place), then what you do is create a new NAT pool:
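As an added illustration (not part of this reply) of the port-level static mapping described in the first paragraph above, in PIX 6.1-and-later syntax rather than the 5.1.2 release in the question: one global address fronts two inside hosts, told apart only by the outside port. The addresses 203.0.113.10, 10.1.1.10 and 10.1.1.11 and the port 2525 are assumed placeholders.

```text
! Assumed placeholders: 203.0.113.10 is the single global (outside) address,
! 10.1.1.10 and 10.1.1.11 are the two inside mail scanners.
! Each (global address, protocol, global port) combination may be used only once.
static (inside,outside) tcp 203.0.113.10 25   10.1.1.10 25 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 2525 10.1.1.11 25 netmask 255.255.255.255
! A further static reusing 203.0.113.10 tcp 25 for 10.1.1.11 is rejected as a duplicate.
! Open only the two published ports inbound; the rest of the address stays closed.
access-list outside_in permit tcp any host 203.0.113.10 eq 25
access-list outside_in permit tcp any host 203.0.113.10 eq 2525
access-group outside_in in interface outside
```

Remote mail servers only ever connect to port 25, so the second mapping is reachable only by a sender that knows the alternate port; it does not by itself give two machines the one SMTP address the question asks for.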
Thank you for your info. The thing is that we are about to use 2 mail routing machines. We have 2 F-Secure mail scanners; one is the default mail router/scanner and the second is a fail-over machine. The idea is that Domino automatically switches over to the second machine if the first goes down. These 2 machines have, of course, two different IP addresses. The first is NAT'ed in the PIX. The problem is that our ISP only accepts 1 outside address for SMTP traffic, and that is why I'm interested in getting the second machine to be NAT'ed to the same outside address. A bit of a kinky problem, this...
Well you can't just statically NAT the one outside address to two inside addresses as you know.
Do the two mail scanners automatically fail over between themselves? Is it possible to configure them to share one IP address instead of having one each? Can you put a load balancer between the PIX and the mail scanners, so the PIX sees one internal address and the load balancer keeps track of who's up and who's down?
Typically boxes that have automatic failover either use a shared virtual IP between them, or the failover assumes the identity of the primary in the event of a failure. In either of those cases you would only need the NAT to point to a single IP, the virtual or the primary's, depending on the way the device works.
One other option is to run a secondary MX with a higher cost: 10 for the primary; when that becomes unreachable, it will then default to the higher, 20-cost MX, which will have another IP assigned to it. NAT the 10 MX to mailscanner1, NAT the 20 MX to mailscanner2....very simple.