03-05-2009 06:12 AM - edited 03-11-2019 08:00 AM
Can I map the host part in a dynamic NAT translation "one to one"?
I am separating two private class C networks with a PIX 525 firewall (v7.0).
I would like the last octet to be preserved during the translation without entering 254 static statements.
E.g.:
nat (inside) 1 10.0.1.0 255.255.255.0
global (outside) 1 172.16.1.1-172.16.1.254
Can I enter an additional command for a preservation of the last octet?
I want 10.0.1.1 to always be translated as 172.16.1.1, 10.0.1.2 shall always become 172.16.1.2 etc.
Of course I could use
static (inside,outside) 172.16.1.1 10.0.1.1 netmask 255.255.255.255
static (inside,outside) 172.16.1.2 10.0.1.2 netmask 255.255.255.255
etc.
but that is not very elegant.
03-05-2009 06:58 AM
You are referring to "network" translation - I know that routers can do this, don't think the ASA can do it.
HTH>
03-05-2009 07:06 AM
I believe you can....
static (inside,outside) 172.16.1.0 10.0.1.0 netmask 255.255.255.0
I have used this configuration to NAT an entire inside subnet to a different subnet in a DMZ.
03-05-2009 07:08 AM
Yes in a "static" world - the question asked for "Dynamic"
03-05-2009 07:15 AM
Not sure I understand...
Based on the example everything looks static - otherwise both the global and static commands would reference "interface".
03-06-2009 02:10 AM
Thank you for your replies.
Sorry for my imprecise wording, I should have written "dynamic" instead of *dynamic*.
When I wrote *dynamic* I only wanted to differentiate between configuring 254 static statements to ensure the one-to-one-translation as opposed to a single statement or just a few statements.
What I would like to make sure is the one-to-one translation:
10.0.1.1 must always be translated to 172.16.1.1
10.0.1.2 must always be translated to 172.16.1.2
10.0.1.3 must always be translated to 172.16.1.3
10.0.1.4 must always be translated to 172.16.1.4 etc.
I don't care whether this is configured dynamically or statically, as long as it is not necessary to configure the 254 statements.
03-06-2009 02:18 AM
Heath was correct - what you want to do is achieved by:-
static (inside,outside) 172.16.1.0 10.0.1.0 netmask 255.255.255.0
HTH>
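The address arithmetic behind the single network static from the thread, as an added example that is not part of any post: the network bits are swapped and the host bits under the netmask are kept, in both directions. The function names are illustrative, and rejecting a statement whose addresses have host bits set under the mask is a choice made in this sketch, not a claim about how the PIX parses it.

```python
import ipaddress
import re

# Form used in the thread:
#   static (real_if,mapped_if) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)$"
)

# Statement taken from the accepted answer in the thread.
STATEMENT = "static (inside,outside) 172.16.1.0 10.0.1.0 netmask 255.255.255.0"


def parse_static(line):
    """Return (real_net, mapped_net) for one static statement."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static statement: {line!r}")
    _real_if, _mapped_if, mapped, real, mask = m.groups()
    # strict=True raises ValueError when an address has host bits set
    # under the mask (e.g. 10.0.1.1 with 255.255.255.0).
    real_net = ipaddress.IPv4Network(f"{real}/{mask}", strict=True)
    mapped_net = ipaddress.IPv4Network(f"{mapped}/{mask}", strict=True)
    return real_net, mapped_net


def _remap(addr, src_net, dst_net):
    """Move addr from src_net to dst_net, keeping its host bits."""
    ip = ipaddress.IPv4Address(addr)
    if ip not in src_net:
        return None  # statement does not cover this address
    host_bits = int(ip) & int(src_net.hostmask)
    return str(ipaddress.IPv4Address(int(dst_net.network_address) | host_bits))


def translate(line, real_ip):
    """Inside (real) address -> outside (mapped) address."""
    real_net, mapped_net = parse_static(line)
    return _remap(real_ip, real_net, mapped_net)


def untranslate(line, mapped_ip):
    """Outside (mapped) address -> inside (real) address."""
    real_net, mapped_net = parse_static(line)
    return _remap(mapped_ip, mapped_net, real_net)


if __name__ == "__main__":
    for host in ("10.0.1.1", "10.0.1.2", "10.0.1.254", "10.0.2.1"):
        print(host, "->", translate(STATEMENT, host))
```

Because the mapping is fixed in both directions, every inside host has a predictable outside address, so which of those addresses are reachable from the outside is decided by the access lists on the outside interface.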