Cisco Support Community
Community Member

IP to IP static NAT

With PIX 6.3

I'm using a static IP-to-IP translation and also an ACL permission, and I'm unable to access the inside.

What may be wrong?

Regards,

Omar

8 REPLIES

Re: IP to IP static NAT

Your ACL could be using the wrong destination address, or you could be using the wrong internal address - check both of these.

HTH

Community Member

Re: IP to IP static NAT

The ACL is recording matches!! and the Static translation is fine.

Re: IP to IP static NAT

Then you need to check if the internal device is actually listening on the UDP/TCP port numbers you have defined in your ACL.

Also, if the internal device has internet access, go to www.whatismyip.com and confirm the NAT translation is 100% correct.

Community Member

Re: IP to IP static NAT

The 'show xlate' command doesn't show details on that PIX edition. Is there a way to get them?

Re: IP to IP static NAT

AFAIK there is not much; see the command reference below:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1084248

Community Member

Re: IP to IP static NAT

I'll try to review all those points and give feedback.

Community Member

Re: IP to IP static NAT

Here are more details about the situation:

First, I have the commands:

ACL:

permit tcp any 'public@ip1' eq www

permit ip any 'public@ip2'

NAT:

static (inside,outside) tcp public@ip1 www private@ip1 www

static (inside,outside) public@ip2 private@ip2

Access to the first ip@ with web is working (tested by telnetting to port 80), but nothing is permitted to the second ip@ (no reply when telnetting).

I inverted the ACLs and NAT (ip@1 with ip@2) and it is still the same, the first is OK and not the same.

If the server is not well configured, can I see the session open when translated by the PIX but not opened on the server?

Regards,

Re: IP to IP static NAT

To check the servers, if they are Windows, type "netstat -a" at the command line; this will tell you what TCP/UDP ports the server is listening on and which have current sessions.

Another good test is try to connect to the servers on the inside!
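
The netstat check from the last reply, as an added example that is not part of the original thread: it parses `netstat -an` output and reports whether a port is listening on an address that translated traffic can reach, or only on loopback. The sample output, the address 192.168.1.10 (standing in for private@ip2) and the function names are constructed for illustration.

```python
import re

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:23           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        203.0.113.7:51514      ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# proto, local ip, local port, foreign address, optional state (UDP has none)
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return (proto, local_ip, local_port, state) for every socket line."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            proto, ip, port, _foreign, state = m.groups()
            rows.append((proto, ip, int(port), state or ""))
    return rows

def check_port(rows, server_ip, port, proto="TCP"):
    """Classify a port as 'listening', 'loopback-only' or 'not-listening'."""
    verdict = "not-listening"
    for p, ip, prt, state in rows:
        if p != proto or prt != port:
            continue
        # Established sessions do not prove a listener; UDP rows have no state.
        if proto == "TCP" and state != "LISTENING":
            continue
        if ip in ("0.0.0.0", "[::]", server_ip):
            return "listening"
        if ip.startswith("127.") or ip == "[::1]":
            # Bound to loopback only: the PIX can translate, the server never answers.
            verdict = "loopback-only"
    return verdict

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    for port in (80, 23, 443):
        print(port, check_port(rows, "192.168.1.10", port))
```

A "loopback-only" or "not-listening" result for a port that the ACL is recording hits on points at the server rather than at the static translation.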
