PIX 515 config question

[jfwebber]

I have a PIX515 with 4 interfaces (outside,inside,dmz1,dmz2). I have the following config for dmz1:

nameif ethernet2 dmz1 security80
ip address dmz1 192.168.10.1 255.255.255.0
access-group dmz in interface dmz1
access-list dmz permit tcp host 192.168.10.3 host 192.168.1.1 eq 31001
static (inside,dmz1) 192.168.1.1 192.168.1.1 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.10.3 192.168.1.1 netmask 255.255.255.255 0 0

I am now trying to configure dmz2 the following way:

nameif ethernet3 dmz2 security70
ip address dmz2 192.168.11.1 255.255.255.0
access-group dmz2 in interface dmz2
access-list dmz2 permit tcp host 192.168.11.3 host 192.168.1.1 eq 3050
static (inside,dmz2) 192.168.1.1 192.168.1.1 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.11.3 192.168.1.1 netmask 255.255.255.255 0 0

When I enter the last static statement for dmz2, I get the following error:

ERROR: static overlaps with 192.168.10.3 to 192.168.1.1

What is wrong with that static statement and how can I fix it. Thanks in advance for any assistance.

Jim


Jim Webber
Network Administrator MCSE CNA

 

[jfortier]

You can't have 2 addresses (192.168.10.3,192.168.11.3)on 2 different interfaces nated to a single external address 192.168.1.1. The easiest fix is to use another external address 192.168.1.x for the second address.

 

[jfwebber]

Thanks for the reply. Since I need to use the 192.168.1.1 address, if I was to disable nat on this interface, would that work? Thanks.

Jim Jim Webber
Network Administrator MCSE CNA