STATIC NAT - INSIDE TO OUTSIDE


Hi netpros,


I am having a nightmare time trying to get some static NAT working on the PIX...


I have a PIX 515 V8.2.


On the inside I have the 192.168.204.0/22 network.

On the outside I have the 192.168.1.0/24 network.


The outside interface is connected to a Cisco 877 router, with an FTP server connected to one of the interfaces on the 877 with an IP of 192.168.1.50.


I need to add a static map on the PIX inside interface that maps the inside address 192.168.207.100 to the FTP server IP 192.168.1.50.


I have added the following command and it doesn't work!!!


static (inside,outside) 192.168.1.50 192.168.207.100 netmask 255.255.255.255


nat-control is disabled, and there are no other NAT or PAT configurations on the PIX.


What am I missing?


Thanks


Rod

Jon Marshall Tue, 07/07/2009 - 02:50

Rod


Try this


static (outside,inside) 192.168.207.100 192.168.1.50 netmask 255.255.255.255


Jon

Hi Jon,


Thanks for the response. I tried your suggestion and something strange happened.


I tried to remote desktop onto the FTP server via the 192.168.207.100 address and got as far as seeing the server screen; however, the connection dropped before I could be presented with the Ctrl-Alt-Delete screen from the server...


Any suggestions?


Rod


Config below:


PIX Version 8.0(3)

!

hostname pixfirewall

domain-name corp.rwenukem.co.uk

enable password gtNhcavDCYG3V2bP encrypted

names

!

interface Ethernet0

nameif Outside

security-level 0

ip address 192.168.1.100 255.255.255.0

!

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.207.1 255.255.252.0

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name corp.rwenukem.co.uk

access-list out2in extended permit tcp host 192.168.1.50 any

access-list out2in extended permit tcp host 192.168.1.66 any

access-list out2in extended permit tcp host 192.168.1.1 any

access-list in2out extended permit ip any any

pager lines 24

logging enable

logging console debugging

logging monitor debugging

logging asdm debugging

no logging message 710005

mtu Outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image flash:/asdm-603.bin

no asdm history enable

arp timeout 14400

static (Outside,inside) 192.168.207.100 192.168.1.50 netmask 255.255.255.255

access-group out2in in interface Outside

access-group in2out in interface inside

route Outside 0.0.0.0 0.0.0.0 192.168.1.1 1

route inside 192.168.200.0 255.255.255.0 192.168.204.3 1

route inside 192.168.201.0 255.255.255.0 192.168.204.3 1

route inside 192.168.202.0 255.255.255.0 192.168.204.3 1

route inside 192.168.203.0 255.255.255.0 192.168.204.3 1

route inside 192.168.208.0 255.255.252.0 192.168.204.3 1

route inside 192.168.214.0 255.255.255.0 192.168.204.3 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.204.0 255.255.252.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet 192.168.204.0 255.255.252.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics access-list

username djrodb password hW62dJ9ElnD4Te0O encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:c834da0a5217b69b71892500f83e5170

: end


Jon Marshall Tue, 07/07/2009 - 03:05

Rod


Not sure what is happening there without more details.


Just to clarify -


static (inside,outside) 192.168.1.50 192.168.207.100 netmask 255.255.255.255


means translate the source IP address of 192.168.207.100 to 192.168.1.50


that's why it wasn't working for you.


static (outside,inside) 192.168.207.100 192.168.1.50 netmask 255.255.255.255


means translate the destination address of 192.168.207.100 to 192.168.1.50


which is what you need.


So you now have the right static statement but a problem with the server by the sounds of it. Is there any other connectivity test you could try from the inside to the server ?


Jon
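The point Jon makes is that in the pre-8.3 PIX/ASA syntax the two interface names and the two addresses in a static statement are not symmetric: `static (real_ifc,mapped_ifc) mapped_ip real_ip` means "the host that really has real_ip behind real_ifc is presented as mapped_ip to hosts on mapped_ifc", and the firewall rewrites the source on the way out and the destination on the way back. The following helper is an added example, not code from the thread or from Cisco: it parses a static line, spells out which address is rewritten in each direction, builds the line from the facts you actually know (where the host lives and what address you want clients to use), and rejects malformed input such as a period in place of the comma. The function names are my own; the example assumes the pre-8.3 syntax shown in Rod's config and compares interface names exactly as typed.

```python
"""Parse and explain pre-8.3 PIX/ASA ``static`` NAT statements.

Added example for the thread above (not the poster's or Cisco's code).
Syntax assumed:  static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
"""
import re
from dataclasses import dataclass

# Grammar of the one-to-one static form. The real interface comes first
# and the *mapped* address comes first; that ordering is what trips people up.
STATIC_RE = re.compile(
    r"^static\s*\(\s*(?P<real_ifc>[^,\s]+)\s*,\s*(?P<mapped_ifc>[^)\s]+)\s*\)"
    r"\s+(?P<mapped_ip>\S+)\s+(?P<real_ip>\S+)"
    r"(?:\s+netmask\s+(?P<netmask>\S+))?\s*$"
)


@dataclass(frozen=True)
class StaticNat:
    real_ifc: str    # interface the real host sits behind
    mapped_ifc: str  # interface on which the translated address is visible
    mapped_ip: str   # address clients on mapped_ifc use to reach the host
    real_ip: str     # address the host really has
    netmask: str     # 255.255.255.255 for a single host


def parse_static(line: str) -> StaticNat:
    """Parse one static statement; raise ValueError for anything else
    (e.g. the 'inside.outside' typo, which the PIX CLI would also reject)."""
    m = STATIC_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a valid static NAT statement: {line!r}")
    return StaticNat(
        real_ifc=m["real_ifc"],
        mapped_ifc=m["mapped_ifc"],
        mapped_ip=m["mapped_ip"],
        real_ip=m["real_ip"],
        netmask=m["netmask"] or "255.255.255.255",
    )


def explain(line: str) -> str:
    """State the translation in both directions, in Jon's terms."""
    n = parse_static(line)
    return (
        f"host {n.real_ip} on {n.real_ifc} is seen as {n.mapped_ip} on {n.mapped_ifc}: "
        f"packets leaving via {n.mapped_ifc} have source {n.real_ip} rewritten to "
        f"{n.mapped_ip}; packets entering {n.mapped_ifc} for {n.mapped_ip} have "
        f"destination rewritten to {n.real_ip}"
    )


def static_for(real_ifc: str, real_ip: str, mapped_ifc: str, mapped_ip: str) -> str:
    """Build the line that lets hosts on mapped_ifc reach real_ip as mapped_ip."""
    return f"static ({real_ifc},{mapped_ifc}) {mapped_ip} {real_ip} netmask 255.255.255.255"


def translates_host(line: str, host_ifc: str, host_ip: str) -> bool:
    """True if this static presents the real host host_ip (behind host_ifc)
    to the other side; False if it translates some other host."""
    n = parse_static(line)
    return n.real_ifc == host_ifc and n.real_ip == host_ip


if __name__ == "__main__":
    # Rod's first attempt (comma corrected) and Jon's fix, side by side.
    wrong = "static (inside,outside) 192.168.1.50 192.168.207.100 netmask 255.255.255.255"
    right = static_for("outside", "192.168.1.50", "inside", "192.168.207.100")
    for line in (wrong, right):
        print(line)
        print("   ", explain(line))
        print("    translates the FTP server 192.168.1.50 on outside:",
              translates_host(line, "outside", "192.168.1.50"))
```

Run it and the first line is reported as presenting an inside host 192.168.207.100 to the outside as 192.168.1.50, which is why nothing on the inside could reach the FTP server through it; the second presents the outside host 192.168.1.50 to the inside as 192.168.207.100, matching the statement in Rod's posted config.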
