Static translation for an inside IP

Jun 13th, 2007
Here is what I am trying to accomplish:

Any inside users going out should be dynamically translated to

But for one host, I want that to be xlated into all the time.

I have a sample config below. I think I do have a problem with the in2out4static rule because traffic initiated by could use the in2out access list instead of in2out4static.

Is there any access-list priority?

I think access-lists in PIX/ASA behave differently from routers: the order of the statements doesn't matter. (I may be wrong though.)

Could somebody please help me out?

PIX Version 7.1(2)

interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address

interface Ethernet2
 nameif outside
 security-level 10
 ip address

access-list in2out extended permit ip any
access-list in2out4static extended permit ip host
access-list out2in extended permit tcp any host eq 80

global (outside) 2 netmask
global (outside) 3
nat (inside) 2 access-list in2out
nat (inside) 3 access-list in2out4static

static (inside,outside) netmask
access-group out2in in interface outside
route networkmd

acomiskey Wed, 06/13/2007 - 11:46

You're looking for the nat order of operations...

1. nat 0 access-list
2. static NAT
3. static PAT
4. policy NAT
5. regular NAT

will be going out because of the static.

You could do this to the in2out acl as well.

access-list in2out extended deny ip host
access-list in2out extended permit ip any
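An added configuration example, written here to show the two pieces of the answer together; it is not the poster's config nor Cisco documentation, and every address is a placeholder (INSIDE_NET/INSIDE_MASK for the inside subnet, HOST_A for the one host that must always leave as PUBLIC_A, and PAT_IP for the address everyone else is hidden behind). On PIX/ASA 7.x a static is matched before any nat/global policy, so HOST_A never needs its own policy-NAT entry; the explicit deny is belt-and-braces so HOST_A is never caught by the in2out ACL, and it has to sit above the permit because access-list entries are evaluated top-down, first match.

```cisco
! Placeholders (constructed for this example): INSIDE_NET INSIDE_MASK HOST_A PUBLIC_A PAT_IP

! 1:1 translation for HOST_A. Static NAT is evaluated before policy NAT,
! so HOST_A's outbound sessions use PUBLIC_A regardless of the nat/global pairs below.
static (inside,outside) PUBLIC_A HOST_A netmask 255.255.255.255

! Policy NAT for everyone else. The deny must come first: ACEs are matched
! top-down and the first hit wins.
access-list in2out extended deny ip host HOST_A any
access-list in2out extended permit ip INSIDE_NET INSIDE_MASK any
global (outside) 2 PAT_IP netmask 255.255.255.255
nat (inside) 2 access-list in2out

! Inbound: only HTTP to the static address is allowed from the outside.
access-list out2in extended permit tcp any host PUBLIC_A eq 80
access-group out2in in interface outside
```

After applying it, have HOST_A open an outbound connection and run show xlate: the entry for HOST_A should show PUBLIC_A as its global address, while other inside hosts appear as PAT_IP with port translation.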


This Discussion