static or nat

Unanswered Question
Jan 31st, 2007

I read in the Cisco documentation that if I want users on the outside interface (lower security level) to telnet to the inside interface (higher security level) we should use static with an access-list to allow the traffic. Now this is called translation, right?

Now, what if I want the same, except that when a user on the outside interface (lower security level) telnets to the inside interface (higher security level) we should be able to NAT his IP from the one he is originally coming from, e.g. 1.2.3.4, to say 172.16.1.53, and let him access the server inside whose IP address is, say, 66.55.44.22?

I believe there is something to do with routing, because the PIX will not know 66.55.44.22 until we define the route, because the PIX inside is on a different IP subnet, say 172.16.1.1.

Why do I want this? Because the outside user who is coming from IP 1.2.3.4 needs to be NATted or translated to 172.16.1.53, because 66.55.44.22 only accepts connections from 172.16.1.53; therefore if he is coming from 1.2.3.4 or any other IP it will not help.

So, can I do this, and how? I have read a lot of Cisco documents but I can't seem to find any solution or practice closer to my case.

I tried this on our PIX and it didn't work:

static (inside,outside) 66.55.44.22 172.16.1.53 netmask 255.255.255.255

access-list HELP permit ip host 172.16.1.53 host 1.2.3.4

dominic.caron Wed, 01/31/2007 - 04:49

First...for the ACL,

You want to permit inbound telnet to 66.55.44.22 so...

access-list help permit tcp host 1.2.3.4 host 66.55.44.22 eq telnet

For the translation, you want to translate 1.2.3.4 to 172.16.1.53 so...

static (outside,inside) 172.16.1.53 1.2.3.4 netmask 255.255.255.255

For the routing part, use

route inside (destination)(mask)(gateway)(metric)

zulqurnain Wed, 01/31/2007 - 05:38

Hi,

Can you explain to me why you wrote

access-list help permit tcp host 1.2.3.4 host 66.55.44.22 eq telnet

As I understand it and explained, 66.55.44.22 is the server which the outside user wants to get to, but he wants to come in as 172.16.1.53 (I mean I will translate his IP from the original), and originally his IP is 1.2.3.4.

zulqurnain Thu, 02/01/2007 - 00:35

I tried it, and after initiating the connection I get this message in the syslog:

"No route to 172.16.1.53 from 1.2.3.4"

even though I have the route defined in the PIX:

route inside 172.16.1.0 255.255.255.255
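Putting the three pieces from the reply above (outside-to-inside static, ACL, route) into one configuration fragment, as an added example that is not from any poster in this thread. It assumes a PIX release that supports outside NAT (6.2 or later), an inside interface on 172.16.1.0/24, and a constructed next hop 172.16.1.2 behind which the 66.55.44.0/24 server subnet lives; the addresses 1.2.3.4, 172.16.1.53 and 66.55.44.22 are the ones used in the question.

```cisco
! Assumed topology (constructed for this example):
!   outside: client 1.2.3.4 arrives on the lower-security interface
!   inside : PIX is 172.16.1.1/24, router 172.16.1.2 leads to the server subnet
!   server : 66.55.44.22 on 66.55.44.0/24 behind 172.16.1.2
!
! 1. Outside NAT: translate the real outside source 1.2.3.4 so it appears on
!    the inside as 172.16.1.53. Note the interface order (outside,inside):
!    the first address is the one seen on the inside, the second is the real one.
static (outside,inside) 172.16.1.53 1.2.3.4 netmask 255.255.255.255
!
! 2. Permit the inbound session. The ACL matches the untranslated source and
!    the real destination (the destination is not translated here), and is
!    limited to one source host and TCP/23 only, which is the least-privilege
!    check to keep on an inbound rule.
access-list HELP permit tcp host 1.2.3.4 host 66.55.44.22 eq telnet
access-group HELP in interface outside
!
! 3. Routing: 66.55.44.0/24 is not a directly connected subnet, so the PIX
!    needs a static route out the inside interface to reach the server.
!    (The 172.16.1.0/24 inside subnet itself is directly connected and needs
!    no route statement.)
route inside 66.55.44.0 255.255.255.0 172.16.1.2 1
```

After applying this, `show route` should list 66.55.44.0/24 via 172.16.1.2 on inside, and once the client connects `show xlate` should show the 1.2.3.4 to 172.16.1.53 entry. The server's reply to 172.16.1.53 must also come back through the PIX, so the router at 172.16.1.2 has to treat 172.16.1.53 as on-link (the PIX answers ARP for a static mapped address on that subnet).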
