pix translation issue

hello,

suppose there is one host who is accessing two different servers in the network.

when host A access to host B all we have to do is make sure that it gets to talk to it one to one thus i configure this

static (inside,outside) tcp 60.10.135.72 3392 20.172.216.4 3392 netmask 255.255.255.255
static (inside,outside) tcp 60.10.135.72 3394 20.172.216.4 3394 netmask 255.255.255.255

access-list acl_out_in permit tcp host 20.172.216.4 host 60.10.135.72 eq 3392
access-list acl_out_in permit tcp host 20.172.216.4 host 60.10.135.72 eq 3394

and host A can connect to host B with success no problem at all.

Now, when host A try to connect to host C we not only have to nat/translate the source IP of this host but also the like host B scenario that it should be one to one with it, so i configure the following

static (outside,inside) 20.172.220.4 16.172.5.7 netmask 255.255.255.255
static (inside,outside) 60.10.136.72 16.172.23.1 netmask 255.255.255.255

access-list acl_out_in permit tcp host 60.10.136.72 host 20.172.220.4 eq 6003

host A connects to host C successful and no problem.

the issue i have here is that when i see the netstat of host B it shows that the host A (remote host ip address is) 20.172.220.4 whereas it should be it orginal source ip address.

so is there a way it can be done or is it the firewall itself that it's not possible and it would be causing any problem in connection, cuz currently on random times the connection drops automaticaly btw host A and host B, so i assume it is because of this issue.

any help would be great

static (outside,inside) 20.172.220.4 16.172.5.7 netmask 255.255.255.255
static (inside,outside) 60.10.136.72 16.172.23.1 netmask 255.255.255.255

access-list acl_out_in permit tcp host 60.10.136.72 host 20.172.220.4 eq 6003

host A connects to host C successful and no problem.

the issue i have here is that when i see the netstat of host B it shows that the host A (remote host ip address is) 20.172.220.4 whereas it should be it orginal source ip address.

why you need 2 static NATs here?
and what do you mean by "orginal source ip address"？

I think the problem here is the way that the (inside,outside) has been used in the static command.

Set them the same way (inside,outside) and see if the same problem exists.

hi smurf,

could you please explain your answer i didn't understood it.
thanks

I cannot remember the relevance of the way that you specify;

[code:1]static (inside,outside)
static (outside,inside)[/code:1]

If i have time i will check but i noticed that you have done the command using inside,outside and then outside,inside.

Hope it helps, if you want me to read up on it and provide a more detailed explination of the relevance between the way that its specified then let me know (or if someone else knows off the top of their head then please reply)

cheers

hello,

thanks for the reply, to be honest i have been working on it since a week now but in vain. i t would be great if i could get someone to help me out in this. anyways if you can find time to work on it please do, thanks in advance.

by the way i have tired using Policy NAT instead of Static NAT but i still wana know as per my question why it gave problem.