RE: Pix NAT - Two to one [7:37179]

2002-03-07 Thread Evans, TJ

The reply *should* come from the IP that the request arrived at ...  ...


Thanks!
TJ



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, March 05, 2002 12:38 AM
To: [EMAIL PROTECTED]
Subject: Re: Pix NAT - Two to one [7:37179]

When the two outside addresses are resolved to the single inside address
(port 80) everything is OK but when the web server sends back a reply
which of the address translations will be used? If the wrong one is
picked any firewall will choke on it, and if no firewall, the other end
of the connection may get traffic from a source address it doesn't know
anything about. End result is that the two outside addresses need to be
associated with two distinct inside addresses.
Hope this helps,
Scott

--- On Mon 03/04, Gaz wrote:
 Eventually, two separate static commands for two separate outside
 addresses
 going to two separate DMZ addresses.
 At the moment there is just one machine inside. Possibility of putting
 multiple addresses on the server but preferred option is not to do
this.
 What I would like to miss out is the time required to wait for DNS to
 propagate when I split the single outside address to two. If I can
leave
 the
 DNS pointing to two addresses and make the changes at the required
time,
 there is no delay involved.

 Thanks,

 Gaz


 Patrick Ramsey wrote in message news:[EMAIL PROTECTED]...
  what is the overall goal?
 
   Gaz 03/04/02 03:06PM 
  Hi all,
 
  Has anybody tried NAT'ing two outside addresses to one internal
 (DMZ)
  address on the same port (80) in some way.
  Not too difficult to get round, as I can get the DNS of one site
 changed
 and
  use the single address outside to single inside.
  The advantage would be that when the web sites are separated, to two
  machines inside, I would like to be able to change the pix settings
  immediately rather than change DNS and wait a couple of days for DNS
 to
  propagate.
  I'm sure there may be some simple way of doing it, but I couldn't
 find it
  whilst playing about today.
 
  Any ideas welcome.
 
  Thanks,
 
  Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=37559t=37179
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Pix NAT - Two to one [7:37179]

2002-03-05 Thread Evans, TJ

Last I heard / checked this is not an option on the PIX.
Documentation is very explicit - one for one mapping.

The typical workaround is to add a secondary ip address to the machine. We
have done this repeatedly; for DNS changes, for ISP address space changes, etc.



Thanks!
TJ



-Original Message-
From: Gaz [mailto:[EMAIL PROTECTED]] 
Sent: Monday, March 04, 2002 3:51 PM
To: [EMAIL PROTECTED]
Subject: Re: Pix NAT - Two to one [7:37179]

Eventually, two separate static commands for two separate outside addresses
going to two separate DMZ addresses.
At the moment there is just one machine inside. Possibility of putting
multiple addresses on the server but preferred option is not to do this.
What I would like to miss out is the time required to wait for DNS to
propagate when I split the single outside address to two. If I can leave the
DNS pointing to two addresses and make the changes at the required time,
there is no delay involved.

Thanks,

Gaz


Patrick Ramsey wrote in message news:[EMAIL PROTECTED]
 what is the overall goal?

  Gaz  03/04/02 03:06PM 
 Hi all,

 Has anybody tried NAT'ing two outside addresses to one internal (DMZ)
 address on the same port (80) in some way.
 Not too difficult to get round, as I can get the DNS of one site changed
and
 use the single address outside to single inside.
 The advantage would be that when the web sites are separated, to two
 machines inside, I would like to be able to change the pix settings
 immediately rather than change DNS and wait a couple of days for DNS to
 propagate.
 I'm sure there may be some simple way of doing it, but I couldn't find it
 whilst playing about today.

 Any ideas welcome.

 Thanks,

 Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=37250t=37179



Re: Pix NAT - Two to one [7:37179]

2002-03-05 Thread Gaz

Yep - seen the error.
I don't want people to think I was being lazy. I spent a good few hours
yesterday playing around with things like statics/alias to try and get this
to work.
That's good enough for me. I was wondering whether anyone had found a
workaround, but it seems not. I think the only option is to tell customer to
use multiple IP on servers.

Thanks for the replies everyone.

Anybody fancy having a look at my other Pix question - Pix Alias - Puzzled??
:-)

Cheers,

Gaz



Joseph Brunner wrote in message news:[EMAIL PROTECTED]
 pix will respond with error if you do more than 1 static command (specify
 more than one public/private translation, using the static command). Pix
 doesn't offer extendable either

 (I'm running 6 train on the pix)

 Joseph Brunner
 ASN 21572
 MortgageIT MITLending
 New York, NY 10038
 (212) 651 - 7695 Voice
 (212) 651 - 7795 Fax



 -Original Message-
 From: Hire, Ejay [mailto:[EMAIL PROTECTED]]
 Sent: Monday, March 04, 2002 3:52 PM
 To: [EMAIL PROTECTED]
 Subject: RE: Pix NAT - Two to one [7:37179]


 On a cisco router, you use the Extendable command.  not sure about the
pix.

 -Original Message-
 From: Gaz [mailto:[EMAIL PROTECTED]]
 Sent: Monday, March 04, 2002 3:07 PM
 To: [EMAIL PROTECTED]
 Subject: Pix NAT - Two to one [7:37179]


 Hi all,

 Has anybody tried NAT'ing two outside addresses to one internal (DMZ)
 address on the same port (80) in some way.
 Not too difficult to get round, as I can get the DNS of one site changed
and
 use the single address outside to single inside.
 The advantage would be that when the web sites are separated, to two
 machines inside, I would like to be able to change the pix settings
 immediately rather than change DNS and wait a couple of days for DNS to
 propagate.
 I'm sure there may be some simple way of doing it, but I couldn't find it
 whilst playing about today.

 Any ideas welcome.

 Thanks,

 Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=37242t=37179



Pix NAT - Two to one [7:37179]

2002-03-04 Thread Gaz

Hi all,

Has anybody tried NAT'ing two outside addresses to one internal (DMZ)
address on the same port (80) in some way.
Not too difficult to get round, as I can get the DNS of one site changed and
use the single address outside to single inside.
The advantage would be that when the web sites are separated, to two
machines inside, I would like to be able to change the pix settings
immediately rather than change DNS and wait a couple of days for DNS to
propagate.
I'm sure there may be some simple way of doing it, but I couldn't find it
whilst playing about today.

Any ideas welcome.

Thanks,

Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=37179t=37179



Re: Pix NAT - Two to one [7:37179]

2002-03-04 Thread Patrick Ramsey

what is the overall goal?

 Gaz  03/04/02 03:06PM 
Hi all,

Has anybody tried NAT'ing two outside addresses to one internal (DMZ)
address on the same port (80) in some way.
Not too difficult to get round, as I can get the DNS of one site changed and
use the single address outside to single inside.
The advantage would be that when the web sites are separated, to two
machines inside, I would like to be able to change the pix settings
immediately rather than change DNS and wait a couple of days for DNS to
propagate.
I'm sure there may be some simple way of doing it, but I couldn't find it
whilst playing about today.

Any ideas welcome.

Thanks,

Gaz






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=37192t=37179



Re: Pix NAT - Two to one [7:37179]

2002-03-04 Thread Gaz

Eventually, two separate static commands for two separate outside addresses
going to two separate DMZ addresses.
At the moment there is just one machine inside. Possibility of putting
multiple addresses on the server but preferred option is not to do this.
What I would like to miss out is the time required to wait for DNS to
propagate when I split the single outside address to two. If I can leave the
DNS pointing to two addresses and make the changes at the required time,
there is no delay involved.

Thanks,

Gaz


Patrick Ramsey wrote in message news:[EMAIL PROTECTED]
 what is the overall goal?

  Gaz  03/04/02 03:06PM 
 Hi all,

 Has anybody tried NAT'ing two outside addresses to one internal (DMZ)
 address on the same port (80) in some way.
 Not too difficult to get round, as I can get the DNS of one site changed
and
 use the single address outside to single inside.
 The advantage would be that when the web sites are separated, to two
 machines inside, I would like to be able to change the pix settings
 immediately rather than change DNS and wait a couple of days for DNS to
 propagate.
 I'm sure there may be some simple way of doing it, but I couldn't find it
 whilst playing about today.

 Any ideas welcome.

 Thanks,

 Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=37193t=37179



RE: Pix NAT - Two to one [7:37179]

2002-03-04 Thread Hire, Ejay

On a cisco router, you use the Extendable command.  not sure about the pix.

-Original Message-
From: Gaz [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 04, 2002 3:07 PM
To: [EMAIL PROTECTED]
Subject: Pix NAT - Two to one [7:37179]


Hi all,

Has anybody tried NAT'ing two outside addresses to one internal (DMZ)
address on the same port (80) in some way.
Not too difficult to get round, as I can get the DNS of one site changed and
use the single address outside to single inside.
The advantage would be that when the web sites are separated, to two
machines inside, I would like to be able to change the pix settings
immediately rather than change DNS and wait a couple of days for DNS to
propagate.
I'm sure there may be some simple way of doing it, but I couldn't find it
whilst playing about today.

Any ideas welcome.

Thanks,

Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=37194t=37179



Re: Pix NAT - Two to one [7:37179]

2002-03-04 Thread Rich

Why not add an additional ip to the internal host and have two nats?

- Original Message -
From: Gaz 
To: 
Sent: Monday, March 04, 2002 3:06 PM
Subject: Pix NAT - Two to one [7:37179]


 Hi all,

 Has anybody tried NAT'ing two outside addresses to one internal (DMZ)
 address on the same port (80) in some way.
 Not too difficult to get round, as I can get the DNS of one site changed
and
 use the single address outside to single inside.
 The advantage would be that when the web sites are separated, to two
 machines inside, I would like to be able to change the pix settings
 immediately rather than change DNS and wait a couple of days for DNS to
 propagate.
 I'm sure there may be some simple way of doing it, but I couldn't find it
 whilst playing about today.

 Any ideas welcome.

 Thanks,

 Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=37199t=37179



Re: Pix NAT - Two to one [7:37179]

2002-03-04 Thread ME

Adding a second IP to the internal host is the only way I know of using the
PIX.

Rich wrote in message news:[EMAIL PROTECTED]
 Why not add an additional ip to the internal host and have two nats?

 - Original Message -
 From: Gaz
 To:
 Sent: Monday, March 04, 2002 3:06 PM
 Subject: Pix NAT - Two to one [7:37179]


  Hi all,
 
  Has anybody tried NAT'ing two outside addresses to one internal (DMZ)
  address on the same port (80) in some way.
  Not too difficult to get round, as I can get the DNS of one site changed
 and
  use the single address outside to single inside.
  The advantage would be that when the web sites are separated, to two
  machines inside, I would like to be able to change the pix settings
  immediately rather than change DNS and wait a couple of days for DNS to
  propagate.
  I'm sure there may be some simple way of doing it, but I couldn't find
it
  whilst playing about today.
 
  Any ideas welcome.
 
  Thanks,
 
  Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=37225t=37179



Re: Pix NAT - Two to one [7:37179]

2002-03-04 Thread [EMAIL PROTECTED]

When the two outside addresses are resolved to the single inside address
(port 80) everything is OK but when the web server sends back a reply
which of the address translations will be used? If the wrong one is
picked any firewall will choke on it, and if no firewall, the other end
of the connection may get traffic from a source address it doesn't know
anything about. End result is that the two outside addresses need to be
associated with two distinct inside addresses.
Hope this helps,
Scott

--- On Mon 03/04, Gaz wrote:
 Eventually, two separate static commands for two separate outside
 addresses
 going to two separate DMZ addresses.
 At the moment there is just one machine inside. Possibility of putting
 multiple addresses on the server but preferred option is not to do
this.
 What I would like to miss out is the time required to wait for DNS to
 propagate when I split the single outside address to two. If I can
leave
 the
 DNS pointing to two addresses and make the changes at the required
time,
 there is no delay involved.

 Thanks,

 Gaz


 Patrick Ramsey wrote in message news:[EMAIL PROTECTED]
  what is the overall goal?
 
   Gaz 03/04/02 03:06PM 
  Hi all,
 
  Has anybody tried NAT'ing two outside addresses to one internal
 (DMZ)
  address on the same port (80) in some way.
  Not too difficult to get round, as I can get the DNS of one site
 changed
 and
  use the single address outside to single inside.
  The advantage would be that when the web sites are separated, to two
  machines inside, I would like to be able to change the pix settings
  immediately rather than change DNS and wait a couple of days for DNS
 to
  propagate.
  I'm sure there may be some simple way of doing it, but I couldn't
 find it
  whilst playing about today.
 
  Any ideas welcome.
 
  Thanks,
 
  Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=37232t=37179
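The failure Scott describes above (the firewall has no unambiguous translation to apply to the web server's reply) and the one-for-one rule TJ and Joseph cite elsewhere in the thread can be modelled in a few lines. The following Python is an added example, not code from the thread or from Cisco: it parses PIX 6.x-style `static (inside_if,outside_if) global local netmask mask` lines into a translation table, rejects a second static for the same inside address the way the posters report the PIX doing, lists the candidate reply sources that would exist without that check, and then walks a request and its reply through the two-inside-address workaround. The interface names, the addresses (RFC 5737 documentation ranges) and the error wording are constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# One-to-one PIX 6.x static form (modelled here, not parsed from a real config):
#   static (inside_if,outside_if) global_ip local_ip [netmask mask]
# Any trailing max_conns / em_limit arguments are ignored.
STATIC_RE = re.compile(
    r"^static\s+\((?P<inside_if>\w+),(?P<outside_if>\w+)\)\s+"
    r"(?P<global>\d+\.\d+\.\d+\.\d+)\s+(?P<local>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?"
)


@dataclass(frozen=True)
class Static:
    inside_if: str
    outside_if: str
    global_ip: ipaddress.IPv4Address
    local_ip: ipaddress.IPv4Address


class XlateConflict(ValueError):
    """Raised where the thread reports the PIX refusing the second static command."""


def parse_static(line: str) -> Static:
    """Parse a single host static into a Static record."""
    m = STATIC_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a one-to-one static command: {line!r}")
    if m["mask"] not in (None, "255.255.255.255"):
        raise ValueError("only host (/32) statics are modelled here")
    return Static(m["inside_if"], m["outside_if"],
                  ipaddress.IPv4Address(m["global"]),
                  ipaddress.IPv4Address(m["local"]))


def build_xlate(lines):
    """Build the static translation table, enforcing one-to-one in both directions."""
    by_global = {}
    by_local = {}
    for line in lines:
        s = parse_static(line)
        if s.global_ip in by_global:
            raise XlateConflict(
                f"outside {s.global_ip} already mapped to {by_global[s.global_ip].local_ip}")
        if s.local_ip in by_local:
            raise XlateConflict(
                f"inside {s.local_ip} already mapped to {by_local[s.local_ip].global_ip}")
        by_global[s.global_ip] = s
        by_local[s.local_ip] = s
    return by_global, by_local


def reply_source_candidates(lines, local_ip):
    """Without the one-to-one check: every outside address a reply from local_ip could carry.

    More than one candidate is exactly the ambiguity Scott describes; the firewall
    cannot know which source address the server's reply should leave with.
    """
    local = ipaddress.IPv4Address(local_ip)
    return sorted(str(s.global_ip) for s in map(parse_static, lines) if s.local_ip == local)


def round_trip(lines, client_dst):
    """Translate an inbound packet to the inside host and its reply back out.

    Returns (inside address the request reaches, outside address the reply leaves with);
    with a one-to-one table the reply always comes from the address the request arrived at.
    """
    by_global, by_local = build_xlate(lines)
    local = by_global[ipaddress.IPv4Address(client_dst)].local_ip
    return str(local), str(by_local[local].global_ip)


# Constructed config fragments using RFC 5737 documentation addresses.
TWO_TO_ONE = [  # what the original poster wanted: two outside -> one DMZ host
    "static (dmz,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255",
    "static (dmz,outside) 203.0.113.11 192.0.2.10 netmask 255.255.255.255",
]
TWO_TO_TWO = [  # the workaround: a second address on the server, two statics
    "static (dmz,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255",
    "static (dmz,outside) 203.0.113.11 192.0.2.11 netmask 255.255.255.255",
]

if __name__ == "__main__":
    try:
        build_xlate(TWO_TO_ONE)
    except XlateConflict as err:
        print("rejected:", err)
    print("ambiguous reply sources:", reply_source_candidates(TWO_TO_ONE, "192.0.2.10"))
    for outside in ("203.0.113.10", "203.0.113.11"):
        print(outside, "->", round_trip(TWO_TO_TWO, outside))
```

Running the script shows the second `TWO_TO_ONE` static being rejected, two candidate reply sources for 192.0.2.10 if the check were skipped, and each outside address in `TWO_TO_TWO` mapping to its own inside address with the reply leaving from the address the request arrived at.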



RE: Pix NAT - Two to one [7:37179]

2002-03-04 Thread Joseph Brunner

pix will respond with error if you do more than 1 static command (specify
more than one public/private translation, using the static command). Pix
doesn't offer extendable either

(I'm running 6 train on the pix)

Joseph Brunner
ASN 21572
MortgageIT MITLending
New York, NY 10038
(212) 651 - 7695 Voice
(212) 651 - 7795 Fax



-Original Message-
From: Hire, Ejay [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 04, 2002 3:52 PM
To: [EMAIL PROTECTED]
Subject: RE: Pix NAT - Two to one [7:37179]


On a cisco router, you use the Extendable command.  not sure about the pix.

-Original Message-
From: Gaz [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 04, 2002 3:07 PM
To: [EMAIL PROTECTED]
Subject: Pix NAT - Two to one [7:37179]


Hi all,

Has anybody tried NAT'ing two outside addresses to one internal (DMZ)
address on the same port (80) in some way.
Not too difficult to get round, as I can get the DNS of one site changed and
use the single address outside to single inside.
The advantage would be that when the web sites are separated, to two
machines inside, I would like to be able to change the pix settings
immediately rather than change DNS and wait a couple of days for DNS to
propagate.
I'm sure there may be some simple way of doing it, but I couldn't find it
whilst playing about today.

Any ideas welcome.

Thanks,

Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=37200t=37179