NAT help with PIX 7.0(1)

Unanswered Question
Feb 15th, 2007

Can you NAT an internal IP to the external interface IP? I'm used to doing this on Sidewinders, but it's giving me an overlap error.


vitripat Thu, 02/15/2007 - 10:54

Yes, you can translate the whole of your internal network to the external interface IP. What is the error you are receiving?

daviddtran Thu, 02/15/2007 - 12:29

If you want to hide the internal network behind the external interface IP address of the firewall (Linux calls it IP masquerading, Checkpoint calls it "hide" NAT, and Cisco refers to it as Port Address Translation (PAT)):

nat (inside) 1 0 0
global (outside) 1 interface

brandon.hodge Thu, 02/15/2007 - 12:40

I just did

nat (inside) 1
global (outside) 1 interface

The IP is still coming out with only) do the static (inside,outside) entries override the global?

vitripat Thu, 02/15/2007 - 13:34

If you have a one-to-one static for this IP address, it will take precedence over normal nat/global configuration. Here is the order of NAT operations:

1) nat 0 access-list (nat-exempt)
2) match against existing xlates
3) static
   a) static nat with and without access-list (first match)
   b) static pat with and without access-list (first match)
4) nat
   a) nat access-list (first match)
      Note: nat 0 access-list is not part of this command.
   b) nat (best match)
      Note: When choosing a global address from multiple pools with the same nat id, the following order is tried:
      i) if the id is 0, create an identity xlate.
      ii) use the global pool for dynamic NAT
      iii) use the global pool for dynamic PAT
5) Error
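To make the precedence above concrete, here is a small Python model of that lookup order (an added example, not from this thread or from Cisco); the addresses, the static entry and the interface IP 203.0.113.1 are constructed, and it shows why the host with a static keeps its static address while the rest of the inside network PATs to the interface.

```python
# Added example (not from the thread): a model of the PIX 7.0 NAT lookup
# order quoted above, used to show why a one-to-one static wins over
# nat/global. All rule sets and addresses below are constructed.
import ipaddress

def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def pick_translation(src, xlates, exempt_nets, statics, nat_rules, global_pools):
    """Return (reason, translated_ip) for inside host `src`, following the
    order: nat 0 acl -> existing xlate -> static -> nat/global -> error."""
    # 1) nat 0 access-list: traffic matching the exempt list is not translated
    if any(_in(src, n) for n in exempt_nets):
        return ("nat 0 access-list", src)
    # 2) an existing translation slot is reused before any new decision
    if src in xlates:
        return ("existing xlate", xlates[src])
    # 3) static (inside,outside) one-to-one entries, first match
    for inside_ip, outside_ip in statics:
        if src == inside_ip:
            return ("static", outside_ip)
    # 4) nat (inside) <id> <net> <mask>: best (most specific) match wins
    best = None
    for nat_id, net in nat_rules:
        plen = ipaddress.ip_network(net).prefixlen
        if _in(src, net) and (best is None or plen > best[2]):
            best = (nat_id, net, plen)
    if best is not None:
        nat_id = best[0]
        if nat_id == 0:
            return ("identity xlate", src)
        pool = global_pools.get(nat_id)
        if pool is not None:
            # "global (outside) 1 interface" = PAT to the interface address
            return ("nat/global", pool)
    # 5) no rule applied: the firewall cannot translate the packet
    return ("error", None)

# Constructed config mirroring the thread:
#   static (inside,outside) 203.0.113.10 10.1.1.10
#   nat (inside) 1 0 0  /  global (outside) 1 interface (203.0.113.1)
STATICS = [("10.1.1.10", "203.0.113.10")]
NAT_RULES = [(1, "0.0.0.0/0")]
GLOBAL_POOLS = {1: "203.0.113.1"}

def demo(src):
    return pick_translation(src, {}, [], STATICS, NAT_RULES, GLOBAL_POOLS)
```

Calling `demo("10.1.1.10")` returns the static address, while `demo("10.1.1.20")` returns the interface IP from the nat/global pair.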

l.tating Thu, 02/15/2007 - 16:39

Where can I find these important notes about the NAT order of operation in the documentation?