
what to use instead of Static


I am doing a gateway project which includes a PIX. I need to configure it in accordance with the Evaluated Configuration; I am using 5.2(3). I have included a sample of the config but am having trouble meeting all the requirements. I hope you can help.


The Evaluated Configuration document says not to use static because it activates NAT, but how else will I open an inbound connection to the inside hosts?


Any help would be terrific.


nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname client-PIX
names
name 10.9.10.11 MailRobot
name 10.9.10.9 clientFW1
name 10.9.11.1 GatewayManager
name 192.168.208.35 CA-Dev
name 10.9.11.3 client-App
name 192.168.208.68 CA-Prod
name 10.9.11.2 client-RA
name 10.9.10.0 DMZ
name 10.9.11.0 Protected
access-list inside_access permit tcp host client-RA eq 830 host CA-Dev eq 830
access-list inside_access permit tcp host client-RA eq 830 host CA-Prod eq 830
access-list inside_access permit tcp host client-App eq 1098 host MailRobot eq 1098
access-list inside_access permit tcp host client-RA eq 7676 host MailRobot eq 7676
access-list inside_access permit tcp host client-App eq 7676 host MailRobot eq 7676
access-list inside_access permit tcp Protected 255.255.255.0 eq www DMZ 255.255.255.0 eq www
access-list inside_access permit tcp host GatewayManager eq 1253 DMZ 255.255.255.0 eq 1253
access-list inside_access permit tcp host client-RA eq 1098 host MailRobot eq 1098
access-list inside_access permit udp Protected 255.255.255.0 eq domain any eq domain
access-list outside_access permit tcp host CA-Dev eq 829 host client-RA eq 829
access-list outside_access permit tcp host CA-Prod eq 829 host client-RA eq 829
access-list outside_access permit tcp host MailRobot eq 1098 host client-RA eq 1098
access-list outside_access permit tcp host MailRobot eq 1098 host client-App eq 1098
access-list outside_access permit tcp host MailRobot eq 7676 host client-RA eq 7676
access-list outside_access permit tcp host MailRobot eq 7676 host client-App eq 7676
access-list outside_access permit tcp DMZ 255.255.255.0 eq www Protected 255.255.255.0 eq www
access-list outside_access permit udp any eq domain Protected 255.255.255.0 eq domain
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 10.9.10.254 255.255.255.0
ip address inside 10.9.11.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
logging timestamp
logging host 10.9.11.1 tcp/1470
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) client-RA client-RA netmask 255.255.255.255 0 0
static (inside,outside) client-App client-App netmask 255.255.255.255 0 0
static (inside,outside) GatewayManager GatewayManager netmask 255.255.255.255 0 0
access-group outside_access in interface outside
access-group inside_access in interface inside
route outside 0.0.0.0 0.0.0.0 clientFW1 1


David White Mon, 04/01/2002 - 08:53
User Badges:
  • Cisco Employee,

You can use the command "nat (inside) 0 access-list "


Example:

access-list nonat permit ip host servA host servA
access-list nonat permit ip host servB host servB

nat (inside) 0 access-list nonat


Now, servA and servB will not have their address translated, but users on the Outside can still access them (assuming you are permitting access in with access-list outside_access).


Sincerely,


David.
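The reply's nonat approach as a checker script, added here and not part of the thread or of any Cisco tool: it parses the static commands in a config like the one in the question, reports each as a finding against the Evaluated Configuration (static activates NAT), and emits the "nat 0 access-list" exemption that replaces them. The sample config is constructed from the question; as an assumption that differs from the reply's host-to-host entries, the generated ACL uses a destination of any so the host stays untranslated towards every outside peer.

```python
import re

# Constructed sample modelled on the config in the question (names plus identity statics).
SAMPLE_CONFIG = """\
name 10.9.11.1 GatewayManager
name 10.9.11.3 client-App
name 10.9.11.2 client-RA
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) client-RA client-RA netmask 255.255.255.255 0 0
static (inside,outside) client-App client-App netmask 255.255.255.255 0 0
static (inside,outside) GatewayManager GatewayManager netmask 255.255.255.255 0 0
access-group outside_access in interface outside
"""

# PIX syntax: static (real_if,mapped_if) mapped_addr real_addr netmask mask [max_conns [em_limit]]
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)"
)


def find_statics(config):
    """Every static command in the config, parsed into its fields.
    Each one is a finding: the Evaluated Configuration forbids static."""
    return [m.groupdict() for line in config.splitlines()
            if (m := STATIC_RE.match(line.strip()))]


def is_compliant(config):
    """True when the config contains no static command at all."""
    return not find_statics(config)


def nat0_exemption(config, acl_name="nonat"):
    """Replacement commands in the style of the reply: one ACL entry per
    identity static, then 'nat (real_if) 0 access-list <acl_name>'.
    Assumption (mine, not the reply's): destination 'any', so the host is
    exempt from translation regardless of which outside peer it talks to."""
    statics = find_statics(config)
    if not statics:
        return []
    cmds = []
    for s in statics:
        if s["mapped"] != s["real"]:
            # A real address translation, not an identity mapping: no 1:1 replacement.
            raise ValueError(f"static maps {s['real']} to {s['mapped']}; not an identity static")
        cmds.append(f"access-list {acl_name} permit ip host {s['real']} any")
    cmds.append(f"nat ({statics[0]['real_if']}) 0 access-list {acl_name}")
    return cmds


if __name__ == "__main__":
    print("\n".join(nat0_exemption(SAMPLE_CONFIG)))
```

The inbound access itself is still granted by outside_access, as the reply notes; this script only replaces the translation entries.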
