PIX one to one NAT..?

Posted on 2007-07-30
Last Modified: 2010-04-09
Hi Gurus,

I have 5 sites across the globe that access their 'local' networks using a Cisco VPN.  We also have a hosted web service (off core network) so we have to use a hosts file (with external address of web server) when users attempt to connect to both their local office (via VPN) and web server at the same time.

The web server will soon be moving to our head office which is ok for users based at the head office (dispels the need for a host file as DNS will work), but those visitors to head office from abroad will not be able to access the web server since their host files send them to the external address and NOT the internal address.

I guess that one to one NAT is the answer - but HOW??

Thanks muchly for any assistance provided...

Question by:jasonhamlett

    Expert Comment

    Can you clarify how the DNS zone that contains the records for the web server is hosted?

    When you relocate the server to HQ will it be located in a DMZ or on the LAN segment with all the other devices in that location?

    Author Comment


    I'm not sure how DNS would affect this..?  Assuming the VPNs are giving out internal DNS servers, and all our networks are connected by site VPNs, a US user will connect their VPN to the US office and 'lookup' the hosted web server and be 'given' the internal address.  As such they cannot route across the second (site) VPN. [We are shifting to an ASA box soon which will allow them to do this, but not before our web server is moved].

    I was hoping to place it on a LAN segment (fast backup to LAN server), but do have a PIX 515 so could put it in the DMZ if needed (and run backup at 100Mb rather than 1000Mb).

    I guess the question is how you can get a PIX to allow both internal and external users to connect to the external IP address of the web server.

    Accepted Solution

    This describes your issue and a potential solution, but you will have to place the server in the DMZ.
