Source and Destination NAT on PIX 506E

Answered Question
Mar 19th, 2008

Hello,

I am searching for a solution on how to do source and destination NAT on a PIX 506E.

I attach the drawing. Let's say I have a web server inside. I have created a destination NAT, so that traffic which goes to 200.200.200.200 is NATed to 192.168.1.2.

I would also like any traffic from the Internet to be source NATed to the PIX inside interface, so the web server would see incoming transactions as sourced from the PIX inside.

I was able to do a source and destination NAT, but only one to one:

static (inside,outside) 200.200.200.200 192.168.1.2

static (outside,inside) 100.100.100.100 192.168.2.1

Could somebody show me how to do a source NAT from any address to the single IP of the PIX inside interface?


Thanks in advance.

Michal



Correct Answer
abinjola Wed, 03/19/2008 - 05:13
User Badges: Cisco Employee

Add the following commands:


nat (outside) 1 0 0 outside

global (inside) 1 interface


static (inside,outside) 200.200.200.200 192.168.1.2


See if this helps!
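
The effect of these three commands on an inbound connection, as an added example that is not part of the original thread: a toy Python model that parses the commands above and shows what the web server receives. The PIX inside address, the two client addresses and the sequential PAT port allocation are assumptions made for illustration.

```python
import ipaddress

# Commands from the accepted answer (with a space after "static").
CONFIG = """\
nat (outside) 1 0 0 outside
global (inside) 1 interface
static (inside,outside) 200.200.200.200 192.168.1.2
"""
PIX_INSIDE_IP = "192.168.1.1"   # assumption: the thread never states this address

class PixModel:
    """Toy model of the three rule types used in the thread."""

    def __init__(self, config, inside_ip):
        self.inside_ip = inside_ip
        self.statics = {}        # mapped (outside) address -> real (inside) address
        self.outside_nat = []    # source networks subject to outside NAT
        self.pat_inside = False  # True when "global (inside) N interface" is present
        self.xlate = {}          # PAT port -> (real client ip, real client port)
        self.next_port = 1024    # assumption: simple sequential port allocation
        for line in config.splitlines():
            tok = line.split()
            if tok[0] == "static":
                self.statics[tok[2]] = tok[3]
            elif tok[:2] == ["nat", "(outside)"] and tok[-1] == "outside":
                net, mask = ("0.0.0.0" if t == "0" else t for t in tok[3:5])
                self.outside_nat.append(ipaddress.ip_network(f"{net}/{mask}"))
            elif tok[:2] == ["global", "(inside)"] and tok[-1] == "interface":
                self.pat_inside = True

    def inbound(self, src, sport, dst, dport):
        """Rewrite an Internet -> server packet; returns what the server receives."""
        real_dst = self.statics[dst]                   # destination NAT (static)
        if self.pat_inside and any(ipaddress.ip_address(src) in n for n in self.outside_nat):
            port, self.next_port = self.next_port, self.next_port + 1
            self.xlate[port] = (src, sport)            # remember the real client
            src, sport = self.inside_ip, port          # source PAT to inside interface
        return (src, sport, real_dst, dport)

    def real_client(self, pat_port):
        """Look up the Internet client behind a PAT port in the translation table."""
        return self.xlate[pat_port]

pix = PixModel(CONFIG, PIX_INSIDE_IP)
seen = [pix.inbound("198.51.100.7", 40000, "200.200.200.200", 80),   # constructed clients
        pix.inbound("203.0.113.9", 40000, "200.200.200.200", 80)]
for pkt in seen:
    print(pkt, "<- real client", pix.real_client(pkt[1]))
```

Both clients reach the server with the same source address and differ only in the PAT source port, so the server's own logs cannot attribute a request to an Internet client; that mapping exists only in the firewall's translation table.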

michal.grzelak Wed, 03/19/2008 - 06:42

It works, I have tested that in the lab!!! I have been searching for a solution for the whole day and found nothing, but now as I look at your config it is clear :)

Thanks!

michal.grzelak Wed, 03/19/2008 - 14:31

Hi,

It seems that it works, but after applying it, the other nat global-1 that hides all local networks to the Internet is not working:


nat (outside) 2 access-list source-nat outside

global (inside) 2 interface

access-list source-nat permit ip any host 200.200.200.200


nat (inside) 1 access-list nat

global (outside) 1 global-ip-address


Could somebody help me out with this one?

Thanks.

Michal


abinjola Thu, 03/20/2008 - 05:04
User Badges: Cisco Employee

Can you try Internet access from a host other than the one mapped in the static?

wasiimcisco Thu, 03/20/2008 - 05:41

I have a PIX 525 with 7.2(3)8. I wanted to configure simple NAT for inside and DMZ.

This is my test lab. I know there are options of static and access-list, but I wanted to test this configuration.

I want my DMZ users, when they access the inside network, to use NAT, not static, and I want the same for my inside users when they access the DMZ.

global (dmz) 1 interface

global (inside) 3 interface

nat (dmz) 3 10.0.0.0 255.255.255.0 outside

nat (inside) 1 172.28.92.0 255.255.255.0

access-group outside in interface outside

access-list dmz extended permit ip host 10.0.0.3 host 172.28.92.72

access-list dmz extended permit ip host 10.0.0.3 host 10.0.0.1

I have tried all possibilities but failed. Even the first time, at the start of the lab, I used no-nat control, but later on it also stopped working.

Now only the static configuration is working; I am able to use the Internet. But with this, DMZ NAT and vice versa is not working.

A short time ago, I was able to ping from inside to DMZ, but some time later it also stopped working. I don't know why this is happening.

Why is nat control not working? Really strange situation.


alanajjar Tue, 03/25/2008 - 12:51

Hi,

Try to use this configuration:


nat (dmz) 3 10.0.0.0 255.255.255.0

global (inside) 3 10.0.0.0 255.255.255.0


nat (inside) 1 172.28.92.0 255.255.255.0

global (dmz) 1 172.28.92.0 255.255.255.0


And remove the dmz access list.

Regards

