PIX Static NAT

vinoth.kumar · ‎01-05-2010

HI,

currently In our network we done NAT on the Cisco router were

ip nat inside source static 10.86.6.251 XXX.90.XXX.1

Acl is allowing range of ports ---- 80, 1021 to 1281 from Outside to inside

ip nat inside source static tcp 10.86.6.251 5500 XXX.90.XXX.2 80

Acl is allowing range of ports ---- 80 from Outside to inside

Now when we are Migrating to PIX 515E

we are not able to do the same its says duplicate entry for 10.86.6.251 when we adding PAT entry after one to one NAT entry

Since the first NAT statement carries range of port we are unable to break the statement (orelse we need to put 250 NAT entry)

kindly suggest us any solution to Static NAT range of Port or some ideas

thanks in advance

vinu

SOL10 · ‎01-06-2010

Hi Vinu

am i right in saying that you want to assign a static nat (using an IP from a block of your IP's) rather than port forward. If this is the case then on the pix you would enter a static nat to an inside (private IP) and then apply an acl on the outside interface allowing the ports

e.g

create Static

1) static (inside,outside) public_ip 192.168.1.25 netmask 255.255.255.255

create ACL

2)access-list acl_out permit tcp any host public_ip eq 80

then apply the ACL to the outside interace

3)access-group acl_out in interface outside

HTH

Ganesh Hariharan · ‎01-06-2010

Hi Vinoth,

Check out the below link for configuration of NAT hope that helps out your query !!

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/bafwcfg.html#wp1112434

Regards

Ganesh.H