Static nat statement

Answered Question
May 23rd, 2007

I need to set up a static one-to-one NAT statement on my PIX 515. I need to map an outside IP to an inside IP. Let's say the IP address on the outside is outside.ip and the internal IP is 192.168.100.125.

The interfaces that we have defined are inside, outside and DMZ1, and if it matters, I will be setting up ACLs and static statements to route the traffic.

There are already three other nat statements defined as:

nat (inside) 0 access-list acl_name

nat (inside) 1 vpn 255.0.0.0 0 0

nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0

Anyone know how I should go about this?

Thanks.

JORGE RODRIGUEZ Wed, 05/23/2007 - 14:37

Assuming you have an outside interface configured, you have to create a one-to-one static NAT as:

static (inside,outside) outside.ip 192.168.100.125 netmask 255.255.255.255 0 0

Then you have to create an access list. Say you want to allow telnet access to 192.168.100.125 from the outside world:

access-list outside_access_in permit tcp any host outside.ip eq 23

access-group outside_access_in in interface outside

Hope this helps.

Jorge
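
An added example, not part of the original thread: a small Python audit that reads PIX `static`, `access-list` and `access-group` lines like the ones in the answer above and reports which inside hosts each inbound ACL entry actually exposes, marking cleartext services opened to `any`. The address 203.0.113.10 is a constructed stand-in for outside.ip, and the function name and sample configuration are assumptions.

```python
import re

# Constructed sample; 203.0.113.10 stands in for the thread's "outside.ip".
SAMPLE_CONFIG = """\
static (inside,outside) 203.0.113.10 192.168.100.125 netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host 203.0.113.10 eq 23
access-list outside_access_in permit tcp any host 203.0.113.99 eq 80
access-group outside_access_in in interface outside
"""

# static (real_if,mapped_if) mapped_ip real_ip netmask 255.255.255.255 ...
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask 255\.255\.255\.255")
ACL_RE = re.compile(r"access-list (\S+) permit (tcp|udp) (any|host \S+) host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")
CLEARTEXT = {"21", "ftp", "23", "telnet"}  # ports/keywords treated as cleartext

def audit_static_nat(config):
    """Return one finding per permit entry that reaches a one-to-one static NAT."""
    statics, acls, bound = [], [], {}
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            statics.append(m.groups())        # (real_if, mapped_if, mapped_ip, real_ip)
        elif m := ACL_RE.match(line):
            acls.append(m.groups())           # (acl, proto, source, dest_ip, port)
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)    # interface -> ACL applied inbound
    findings = []
    for _real_if, mapped_if, mapped_ip, real_ip in statics:
        for acl, proto, source, dest_ip, port in acls:
            # Only entries in the ACL bound to the mapped interface, aimed at
            # the translated address, make the inside host reachable.
            if acl == bound.get(mapped_if) and dest_ip == mapped_ip:
                findings.append({
                    "mapped_ip": mapped_ip, "real_ip": real_ip,
                    "proto": proto, "port": port, "source": source,
                    "cleartext_from_any": source == "any" and port in CLEARTEXT,
                })
    return findings

if __name__ == "__main__":
    for finding in audit_static_nat(SAMPLE_CONFIG):
        print(finding)
```

The entry for 203.0.113.99 is not reported because no static translation backs it, and nothing is reported at all if the ACL is never applied with `access-group`.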

dexteroc1 Wed, 05/23/2007 - 14:46

I understand. So I was totally going the wrong way. Well, I found the following documentation on the Cisco website:

This setup also includes a static one-to-one NAT for a server at 10.1.1.3. This is NAT'd to 200.1.1.25 so that Internet users can access it. Issue this command:

ip nat inside source static 10.1.1.3 200.1.1.25

So what is the difference between this and what I was asking?

Thanks.

Correct Answer
JORGE RODRIGUEZ Wed, 05/23/2007 - 15:07

The difference is that you are statically natting a local IP address 10.1.1.3 with 200.1.1.25 on a router and not on your PIX.

This is the same principle as before, a one-to-one NAT; if you are natting on a router you have to define your (ip nat outside) on the 200.1.1.0 interface.

Jorge
