source ip translation using static

Answered Question
Mar 6th, 2007

Hello


How can I configure on the PIX static src IP address translation for traffic coming in from the outside to the inside if?


What is the difference and syntax when configuring static source and destination IP NAT?


Thanks in advance


Best regards

Lukasz

Jon Marshall Wed, 03/07/2007 - 00:18

Hi


Outside source address is 172.16.5.10

You want to NAT it to 192.168.5.11


static (outside,inside) 192.168.5.11 172.16.5.10 netmask 255.255.255.255


HTH


Jon


Correct Answer
Kamal Malhotra (Cisco Employee) Wed, 03/07/2007 - 02:19

Hi Lukasz,


Jon has given you the type of command you need. I'll try to explain how it goes:

In case of a regular static where the source of the traffic (that needs to get natted) is the inside network, the syntax of the command is:

static (inside,outside)

When the source of the traffic (that needs to get natted) is the outside network, the syntax of the command is:

static (outside,inside)


HTH,


Please rate if it helps,


Regards,


Kamal


lukaszkhalil Thu, 03/08/2007 - 02:41

Hello


I've checked the configuration you had provided me, but unfortunately it doesn't work.


Below is my test configuration example


FWSM Version 2.3(2)
nameif vlan2 outside security0
nameif vlan3 inside security100
enable password xxx
passwd xxx
hostname test
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rsh 514
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list deny-flow-max 4096
access-list alert-interval 300
access-list outside extended permit ip any any
access-list outside extended permit icmp any any
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
pager lines 24
logging buffer-size 4096
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.254 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
icmp permit any outside
icmp permit any inside
no pdm history enable
arp timeout 14400
static (outside,inside) 192.168.1.32 10.0.0.1 netmask 255.255.255.255
access-group outside in interface outside
access-group inside in interface inside
....


I am not able to connect to the server in network 192.168.1.0/24 from the host 10.0.0.1.


Please, correct me if I made a mistake in my config or I misunderstood you.


Thank you in advance


Lukasz

laurent.geyer Tue, 03/13/2007 - 09:28

Change your static statement to the following:


static (inside,outside) 192.168.1.32 192.168.1.32 netmask 255.255.255.255


This should do the trick. I'll let the TAC engineer explain pix/asa interface translation behavior :D
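
An added example (not written by any poster in this thread, and not Cisco code): a small Python model of the address rewriting that a host static of the form static (real_if,mapped_if) mapped_ip real_ip performs in each direction, run on the statics posted above. The function names and the inside host 192.168.5.50 are constructed for illustration; access lists and the question of whether the firewall forwards a packet whose destination matches no static are not modelled.

```python
import re
from typing import NamedTuple

class Static(NamedTuple):
    real_if: str    # interface the real host sits behind
    mapped_if: str  # interface on which the mapped address is seen
    mapped_ip: str
    real_ip: str

_STATIC = re.compile(
    r"static \((\w+),(\w+)\) (\S+) (\S+) netmask 255\.255\.255\.255$")

def parse_static(line):
    """Parse a host (/32) static in the form used in this thread."""
    m = _STATIC.match(line.strip())
    if not m:
        raise ValueError(f"unsupported static: {line!r}")
    return Static(*m.groups())

def translate(statics, in_if, out_if, src, dst):
    """Return (src, dst, matched) for a packet going in_if -> out_if."""
    new_src, new_dst, matched = src, dst, []
    for s in statics:
        # real_if -> mapped_if: the real host is the SOURCE, so src changes.
        if (s.real_if, s.mapped_if) == (in_if, out_if) and src == s.real_ip:
            new_src = s.mapped_ip
            matched.append("src")
        # mapped_if -> real_if: the mapped address is the DESTINATION.
        if (s.mapped_if, s.real_if) == (in_if, out_if) and dst == s.mapped_ip:
            new_dst = s.real_ip
            matched.append("dst")
    return new_src, new_dst, matched

# Statics quoted from the posts above; 192.168.5.50 is a constructed inside host.
JON = parse_static(
    "static (outside,inside) 192.168.5.11 172.16.5.10 netmask 255.255.255.255")
LAURENT = parse_static(
    "static (inside,outside) 192.168.1.32 192.168.1.32 netmask 255.255.255.255")

if __name__ == "__main__":
    # Outside host opens a connection: its source is translated on the inside.
    print(translate([JON], "outside", "inside", "172.16.5.10", "192.168.5.50"))
    # The reply is addressed to the mapped address and is translated back.
    print(translate([JON], "inside", "outside", "192.168.5.50", "192.168.5.11"))
    # Identity static: the inside host is addressed from outside by its own IP.
    print(translate([LAURENT], "outside", "inside", "10.0.0.1", "192.168.1.32"))
```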
