Community Member

Global PAT with static NAT on PIX 6.3

I am having issues getting this to work.  For email, I have mail.xxx.xxx DNS'd to 165.165.165.165.  I want it to come in to 10.1.0.31.  It needs to go out a cluster of 10.1.0.31, 10.1.0.34, or 10.101.201.31 but look like it came from the 165.165.165.165 address.  I have set up static NAT for the inbound.  I have set up the global PAT with an ACL group of the 10.xxx addresses.  I have set this same method up on an ASA with no issues but it doesn't want to work on the PIX 6.3.  What am I missing?

no fixup protocol smtp 25

object-group service NewExchange tcp

  port-object eq https

  port-object eq smtp

  port-object eq 587

access-list inbound remark Exchange

access-list inbound permit tcp any host 165.165.165.165 object-group NewExchange

access-list mail permit ip host 10.1.0.31 any

access-list mail permit ip host 10.1.0.34 any

access-list mail permit ip host 10.101.201.31 any

global (outside) 1 interface

global (outside) 2 165.165.165.165

nat (inside) 2 access-list mail 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 165.165.165.165 10.1.0.31 netmask 255.255.255.255 0 0

access-group inbound in interface outside

If I am on 10.0.0.34 with this set up ... I lose internet connectivity.

If I remove the "nat (inside) 2 access-list mail 0 0" line .... I restore connectivity but it becomes the IP address of the interface in global 1.

Any thoughts?

1 REPLY
Cisco Employee

Global PAT with static NAT on PIX 6.3

You can't configure the same global address on static NAT and PAT.

You can however configure static PAT for your mail as follows:

static (inside,outside) tcp 165.165.165.165 25 10.1.0.31 25 netmask 255.255.255.255 0 0

Here is the command reference to confirm the correct behaviour:

http://www.cisco.com/en/US/partner/docs/security/pix/pix63/command/reference/s.html#wp1026694

(--> check out the explanation under "global_ip" column)
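
Added example, not part of the original thread or of any Cisco tool: a small Python audit that applies the rule from the reply to a PIX 6.3 style configuration, flagging a one-to-one static whose global address is also a single-address (PAT) global on the same interface. The function name and the two sample configurations are constructed here from the lines posted above, and treating a tcp/udp static as acceptable follows the reply's statement rather than a check of the command reference.

```python
# Added example: flags a one-to-one static whose global address is also a PAT global.
# Constructed sample: the NAT-related lines from the configuration in the question.
QUESTION_CONFIG = """\
global (outside) 1 interface
global (outside) 2 165.165.165.165
nat (inside) 2 access-list mail 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 165.165.165.165 10.1.0.31 netmask 255.255.255.255 0 0
"""
# The same lines with the static replaced by the static PAT entry from the reply.
REPLY_CONFIG = QUESTION_CONFIG.replace(
    "static (inside,outside) 165.165.165.165 10.1.0.31 netmask",
    "static (inside,outside) tcp 165.165.165.165 25 10.1.0.31 25 netmask",
)


def find_conflicts(config):
    """Return (interface, address, static_line, global_line) for each one-to-one
    static whose global address is also a single-address (PAT) global."""
    pat_globals = {}  # (interface, address) -> config line
    statics = []      # (mapped interface, global address, config line)
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) >= 4 and tok[0] == "global":
            addr = tok[3]
            # A range "a-b" is a NAT pool, not PAT; "interface" has no literal address.
            if "-" not in addr and addr != "interface":
                pat_globals[(tok[1].strip("()"), addr)] = raw.strip()
        elif len(tok) >= 4 and tok[0] == "static":
            # "(inside,outside)" -> the mapped (global side) interface is the second name.
            mapped_if = tok[1].strip("()").partition(",")[2]
            # Assumption: a tcp/udp keyword marks static PAT, which the reply allows.
            if tok[2] not in ("tcp", "udp"):
                statics.append((mapped_if, tok[2], raw.strip()))
    return [(i, a, s, pat_globals[(i, a)])
            for i, a, s in statics if (i, a) in pat_globals]


if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_CONFIG), ("reply", REPLY_CONFIG)):
        hits = find_conflicts(cfg)
        print(name, "->", hits or "no static NAT / PAT overlap")
```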
