Source and Destination NAT on PIX 506E

Answered Question
Mar 19th, 2008

Hello,

I am searching for a solution for how to do source and destination NAT on a PIX 506E.

I attach the drawing. Let's say I have a web server inside. I have created a destination NAT, so that traffic which goes to 200.200.200.200 is NATed to 192.168.1.2.

I would also like any traffic from the Internet to be source NATed to the PIX inside interface, so the web server would see incoming transactions as sourced from the PIX inside.

I was able to do a source and destination NAT, but only one to one:

static(inside,outside) 200.200.200.200 192.168.1.2

static(outside,inside) 100.100.100.100 192.168.2.1

Could somebody show me how to do a source NAT from any address to a single IP-Interface of PIX inside?

Thanks in advance.

Michal

Correct Answer
abinjola Wed, 03/19/2008 - 05:13

Add the following commands:

nat (outside) 1 0 0 outside

global (inside) 1 interface

static(inside,outside) 200.200.200.200 192.168.1.2

See if this helps!

michal.grzelak Wed, 03/19/2008 - 06:42

It works, I have tested that in the lab!!! I have been searching for a solution for the whole day and found nothing, but now as I look at your config it is clear :)

Thanks!

michal.grzelak Wed, 03/19/2008 - 14:31

Hi,

It seems that it works, but after applying it, the other nat global-1 that hides all local networks to the Internet is not working:

nat (outside) 2 access-list source-nat outside

global (inside) 2 interface

access-list source-nat permit ip any host 200.200.200.200

nat (inside) 1 access-list nat

global (outside) 1 global-ip-address

Could somebody help me out with this one?

Thanks.

Michal
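
How the nat and global statements quoted in this thread pair up by NAT ID, as an added example that is not part of any post here. The function name `pair_nat_rules`, the sample config assembled from the thread's lines, and the orphan NAT ID 9 line are constructed for illustration; PIX 6.x/7.x-style `nat`/`global` syntax is assumed.

```python
import re
from collections import defaultdict

# Constructed sample: statements quoted in the thread, plus one made-up
# orphan line (NAT ID 9) to show what an unpaired statement looks like.
SAMPLE_CONFIG = """\
nat (outside) 2 access-list source-nat outside
global (inside) 2 interface
access-list source-nat permit ip any host 200.200.200.200
nat (inside) 1 access-list nat
global (outside) 1 global-ip-address
static (inside,outside) 200.200.200.200 192.168.1.2
nat (dmz) 9 10.0.0.0 255.255.255.0
"""

# Matches "nat (ifc) ID ..." and "global (ifc) ID ..."; other lines are skipped.
STMT = re.compile(r"^(nat|global)\s*\((\w+)\)\s+(\d+)\s+(.+)$")

def pair_nat_rules(config):
    """Return (pairs, problems) for the nat/global statements in config.

    Each pair is (nat_id, real_ifc, mapped_ifc, pool, outside_nat)."""
    nats, globs = defaultdict(list), defaultdict(list)
    for line in config.splitlines():
        m = STMT.match(line.strip())
        if m:
            kind, ifc, nat_id, rest = m.groups()
            (nats if kind == "nat" else globs)[int(nat_id)].append((ifc, rest))
    pairs, problems = [], []
    for nat_id in sorted(set(nats) | set(globs)):
        if nat_id == 0:
            continue  # nat 0 exempts traffic from translation; no global needed
        n, g = nats.get(nat_id, []), globs.get(nat_id, [])
        if not g:
            problems += [f"NAT ID {nat_id}: nat on ({i}) has no matching global" for i, _ in n]
        if not n:
            problems += [f"NAT ID {nat_id}: global on ({i}) has no matching nat" for i, _ in g]
        for real_ifc, rest in n:
            outside_nat = rest.split()[-1] == "outside"  # trailing keyword = outside NAT
            for mapped_ifc, pool in g:
                if mapped_ifc != real_ifc:
                    pairs.append((nat_id, real_ifc, mapped_ifc, pool, outside_nat))
    return pairs, problems

if __name__ == "__main__":
    found, issues = pair_nat_rules(SAMPLE_CONFIG)
    for p in found:
        print("ID %d: (%s) -> (%s) pool=%s outside_nat=%s" % p)
    for issue in issues:
        print("WARN", issue)
```
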

abinjola Thu, 03/20/2008 - 05:04

Can you try Internet access from a host other than the one mapped in the static?

wasiimcisco Thu, 03/20/2008 - 05:41

I have a PIX 525 with 7.2(3)8. I wanted to configure simple NAT for inside and dmz.

This is my test lab. I know there are options of static and access-list, but I wanted to test this configuration.

I want my dmz users to use NAT, not static, when they access the inside network, and I want the same for my inside users when they access the dmz.

global (dmz) 1 interface

global (inside) 3 interface

nat (dmz) 3 10.0.0.0 255.255.255.0 outside

nat (inside) 1 172.28.92.0 255.255.255.0

access-group outside in interface outside

access-list dmz extended permit ip host 10.0.0.3 host 172.28.92.72

access-list dmz extended permit ip host 10.0.0.3 host 10.0.0.1

I have tried all possibilities but failed; even at the start of the lab, the first time only, I used no-nat control, but later on it also stopped working.

Now only the static configuration is working and I am able to use the Internet. But this dmz NAT and vice versa is not working.

A short time ago, I was able to ping from inside to dmz, but some time later it also stopped working. I don't know why this is happening.

Why is nat control not working? Really strange situation.

alanajjar Tue, 03/25/2008 - 12:51

Hi,

Try to use this configuration:

nat (dmz) 3 10.0.0.0 255.255.255.0

global (inside) 3 10.0.0.0 255.255.255.0

nat (inside) 1 172.28.92.0 255.255.255.0

global (dmz) 1 172.28.92.0 255.255.255.0

and remove the dmz access list.

Regards
