Re: Pix NAT - Two to one [7:37179]
what is the overall goal?

>>> Gaz 03/04/02 03:06PM >>>
Hi all,

Has anybody tried NAT'ing two outside addresses to one internal (DMZ) address on the same port (80) in some way?
Not too difficult to get round, as I can get the DNS of one site changed and use the single address outside to single inside.
The advantage would be that when the web sites are separated, to two machines inside, I would like to be able to change the pix settings immediately rather than change DNS and wait a couple of days for DNS to propagate.
I'm sure there may be some simple way of doing it, but I couldn't find it whilst playing about today.

Any ideas welcome.

Thanks,

Gaz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37192&t=37179
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Pix NAT - Two to one [7:37179]
Eventually, two separate static commands for two separate outside addresses going to two separate DMZ addresses.
At the moment there is just one machine inside. Possibility of putting multiple addresses on the server, but the preferred option is not to do this.
What I would like to miss out is the time required to wait for DNS to propagate when I split the single outside address to two. If I can leave the DNS pointing to two addresses and make the changes at the required time, there is no delay involved.

Thanks,

Gaz

"Patrick Ramsey" wrote in message news:[EMAIL PROTECTED]:
> what is the overall goal?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37193&t=37179
RE: Pix NAT - Two to one [7:37179]
On a cisco router, you use the Extendable command. Not sure about the pix.

-----Original Message-----
From: Gaz [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 04, 2002 3:07 PM
To: [EMAIL PROTECTED]
Subject: Pix NAT - Two to one [7:37179]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37194&t=37179
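For readers who have a router rather than a PIX in front of the DMZ, this is what the `extendable` keyword Ejay mentions looks like in IOS NAT, written out as an added example (it is not configuration from anyone in the thread). The interface names, the 203.0.113.0/24 outside block and the 192.168.10.0/24 DMZ block are assumptions; substitute your own.

```text
! Added example, IOS NAT (not from the thread). Interface names and all
! addresses are assumptions: 203.0.113.0/24 outside, 192.168.10.0/24 DMZ.
interface FastEthernet0/0
 description outside
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 description dmz
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Two inside-global addresses for the same inside-local host on tcp/80.
! IOS refuses a second static that names an inside-local address already
! used by another static unless both entries carry 'extendable'.
! Being port-specific, these expose only tcp/80 of the host, not every port.
ip nat inside source static tcp 192.168.10.10 80 203.0.113.10 80 extendable
ip nat inside source static tcp 192.168.10.10 80 203.0.113.11 80 extendable
!
! Cutover when the second site gets its own box (assumed 192.168.10.11):
! repoint the second entry; DNS already resolves to 203.0.113.11, so no
! propagation wait.
no ip nat inside source static tcp 192.168.10.10 80 203.0.113.11 80 extendable
ip nat inside source static tcp 192.168.10.11 80 203.0.113.11 80 extendable
```

Replies are not the problem on IOS: the router tracks each TCP session, so a reply to a request that arrived on 203.0.113.11 leaves with 203.0.113.11 as its source. What to check is the other direction: connections the server opens outbound are matched against the statics in order, so confirm with `show ip nat translations` that server-initiated traffic is using the global address you expect before relying on that for any source-based allow-listing at the far end.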
Re: Pix NAT - Two to one [7:37179]
Why not add an additional ip to the internal host and have two nats?

----- Original Message -----
From: "Gaz"
To:
Sent: Monday, March 04, 2002 3:06 PM
Subject: Pix NAT - Two to one [7:37179]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37199&t=37179
Re: Pix NAT - Two to one [7:37179]
Adding a second IP to the internal host is the only way I know of using the PIX.

"Rich" wrote in message news:[EMAIL PROTECTED]:
> Why not add an additional ip to the internal host and have two nats?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37225&t=37179
Re: Pix NAT - Two to one [7:37179]
When the two outside addresses are resolved to the single inside address (port 80) everything is OK, but when the web server sends back a reply, which of the address translations will be used? If the wrong one is picked any firewall will choke on it, and if no firewall, the other end of the connection may get traffic from a source address it doesn't know anything about. End result is that the two outside addresses need to be associated with two distinct inside addresses.

Hope this helps,

Scott

--- On Mon 03/04, Gaz wrote:
> Eventually, two separate static commands for two separate outside addresses going to two separate DMZ addresses.
> At the moment there is just one machine inside. Possibility of putting multiple addresses on the server, but the preferred option is not to do this.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37232&t=37179
RE: Pix NAT - Two to one [7:37179]
pix will respond with an error if you do more than 1 static command (specify more than one public > private translation, using the static command). Pix doesn't offer "extendable" either.

(I'm running the 6 train on the pix)

Joseph Brunner
ASN 21572
MortgageIT MITLending
New York, NY 10038

-----Original Message-----
From: Hire, Ejay [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 04, 2002 3:52 PM
To: [EMAIL PROTECTED]
Subject: RE: Pix NAT - Two to one [7:37179]

On a cisco router, you use the Extendable command. Not sure about the pix.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37200&t=37179
RE: Pix NAT - Two to one [7:37179]
Last I heard / checked this is not an option on the PIX. Documentation is very explicit: one-for-one mapping.
The typical workaround is to add a secondary ip address to the machine. We have done this repeatedly; for DNS changes, for ISP address space changes, etc.

Thanks!
TJ

-----Original Message-----
From: Gaz [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 04, 2002 3:51 PM
To: [EMAIL PROTECTED]
Subject: Re: Pix NAT - Two to one [7:37179]

Eventually, two separate static commands for two separate outside addresses going to two separate DMZ addresses.
At the moment there is just one machine inside. Possibility of putting multiple addresses on the server, but the preferred option is not to do this.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37250&t=37179
Re: Pix NAT - Two to one [7:37179]
Yep - seen the error. I don't want people to think I was being lazy. I spent a good few hours yesterday playing around with things like statics/alias to try and get this to work.
That's good enough for me. I was wondering whether anyone had found a workaround, but it seems not. I think the only option is to tell the customer to use multiple IPs on servers.
Thanks for the replies everyone.
Anybody fancy having a look at my other Pix question - Pix Alias - Puzzled?? :-)

Cheers,

Gaz

"Joseph Brunner" wrote in message news:[EMAIL PROTECTED]:
> pix will respond with an error if you do more than 1 static command (specify more than one public > private translation, using the static command). Pix doesn't offer "extendable" either.
>
> (I'm running the 6 train on the pix)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37242&t=37179
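The workaround the thread settles on (TJ's "add a secondary ip address to the machine" and Gaz's "tell the customer to use multiple IPs on servers"), written out in PIX 6.x syntax as an added example. None of this configuration comes from the thread; the interface names, the 203.0.113.0/24 outside block, the 192.168.10.0/24 DMZ block and the address of the eventual second server are all assumptions.

```text
! Added example, PIX 6.x (not from the thread). Interface names and all
! addresses are assumptions: 203.0.113.0/24 outside, 192.168.10.0/24 DMZ.
!
! Give the single web server a second DMZ address (192.168.10.11 on the
! same NIC), then map each outside address to its own inside address.
! A second static that names 192.168.10.10 again is the form the PIX
! rejects, so each outside address needs a distinct inside address.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.11 192.168.10.11 netmask 255.255.255.255 0 0
!
! The statics are full one-to-one (all ports); the access list is what
! limits exposure. Open only tcp/80 to the two outside addresses and let
! the implicit deny at the end of the list drop everything else.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.11 eq www
access-group outside_in in interface outside
!
! Cutover when the second site moves to its own box (assumed 192.168.10.20).
! DNS already resolves the second site to 203.0.113.11, so only the PIX
! changes: repoint the static, then flush translations so the old
! 203.0.113.11 -> 192.168.10.11 slot is not reused.
no static (dmz,outside) 203.0.113.11 192.168.10.11 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.11 192.168.10.20 netmask 255.255.255.255 0 0
clear xlate
!
! Verify: 'show static' lists both mappings and 'show xlate' shows the
! translation slots; afterwards remove 192.168.10.11 from the old server.
```

Two practical notes. `clear xlate` tears down every translation on the box, not just the one you changed, so live connections through the PIX drop; do the cutover in a window. And because a plain `static` exposes every port of the inside host, the `access-list` lines are not optional: without `access-group outside_in in interface outside` binding a list, nothing from the outside reaches the DMZ at all, and with a list that permits more than tcp/80 you have widened the attack surface of a server that, per Gaz, only needs to serve web traffic.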
RE: Pix NAT - Two to one [7:37179]
The reply *should* come from the IP that the request arrived at ...

Thanks!
TJ

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 05, 2002 12:38 AM
To: [EMAIL PROTECTED]
Subject: Re: Pix NAT - Two to one [7:37179]

When the two outside addresses are resolved to the single inside address (port 80) everything is OK, but when the web server sends back a reply, which of the address translations will be used? If the wrong one is picked any firewall will choke on it, and if no firewall, the other end of the connection may get traffic from a source address it doesn't know anything about. End result is that the two outside addresses need to be associated with two distinct inside addresses.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37559&t=37179