New Member

PIX-515E NAT Static Problem

I have a problem with a PIX. I'm trying to make a NAT and want to know if it can be with any origin. What would be the expression to make a static NAT?

I need help with this problem

static (outside, inside) 172.31.89.5 any_source 255.255.255.0 0 0

Greetings.

Version

Cisco PIX Firewall Version 6.3(4)

3 REPLIES
Super Bronze

PIX-515E NAT Static Problem

Hi,

If you are going to NAT Multiple addresses to One address then you would typically use a Dynamic PAT.

You can't use "any" in the Static NAT configuration. At least to my understanding.

Could you elaborate a bit what it is exactly that you are trying to achieve?

I notice that you are trying to configure some NAT for which source addresses are located behind "outside" and the NAT IP address is on the "inside" interface's side.

- Jouni

New Member

PIX-515E NAT Static Problem

I'm trying to make a double NAT to change the source and destination. The origin can be any internet source but switch to your destination 172.31.89.5 and 172.31.65.5. This second NAT is what I have, but I have no idea how to do the any NAT.

Super Bronze

PIX-515E NAT Static Problem

Hi,

I am afraid that I still didn't quite get the whole situation yet.

You do mention that you want to do double NAT? This is something that would be way easier in the ASA firewalls with newer software. Both your firewall and its software are very old.

But for example's sake, let's say that you have a Static NAT for some of your internal host/server. Let's also say that you want to NAT all incoming traffic destined to that Static NAT IP address of the server to a single IP address, then you would probably have to use Static NAT + Dynamic Policy PAT.

It might look something like this

access-list DYNAMIC-POLICYPAT permit ip any host 1.1.1.1

nat (outside) 100 access-list DYNAMIC-POLICYPAT outside

global (inside) 100 2.2.2.2

static (inside,outside) 1.1.1.1 3.3.3.3 netmask 255.255.255.255

To my understanding the above should do so that when traffic from "any" source address behind "outside" is coming towards the IP address 1.1.1.1 THEN the source addresses would be Dynamic PATed to IP address 2.2.2.2 and the IP 1.1.1.1 would be untranslated to the real IP address of 3.3.3.3.

So

  • Real Source Address: any
  • Mapped Source Address: 2.2.2.2
  • Mapped Destination Address: 1.1.1.1
  • Real Destination Address: 3.3.3.3

But again it is hard to say if this is the configuration type you are looking for based on your earlier reply.

- Jouni
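
The translation described in the last reply, modelled as a small Python simulation (an added example, not part of the thread and not PIX code). The class name, the client addresses and the sequential PAT port allocation are assumptions made for illustration; it shows what the inside server sees and how replies are mapped back.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class DoubleNat:
    """Toy model of Static NAT + Dynamic Policy PAT (hypothetical helper)."""

    def __init__(self, mapped_dst, real_dst, pat_addr, first_port=1024):
        self.mapped_dst = mapped_dst  # static (inside,outside) 1.1.1.1 ...
        self.real_dst = real_dst      # ... 3.3.3.3
        self.pat_addr = pat_addr      # global (inside) 100 2.2.2.2
        self.next_port = first_port   # assumption: ports handed out in order
        self.xlate = {}               # (real src, sport) -> PAT port
        self.reverse = {}             # PAT port -> (real src, sport)

    def inbound(self, pkt):
        """outside -> inside: PAT the source, untranslate the destination."""
        if pkt.dst != self.mapped_dst:  # permit ip any host 1.1.1.1
            return None                 # not covered by this model
        key = (pkt.src, pkt.sport)
        if key not in self.xlate:
            self.xlate[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return Packet(self.pat_addr, self.xlate[key], self.real_dst, pkt.dport)

    def outbound(self, pkt):
        """inside -> outside: reverse both translations for a reply."""
        if (pkt.src != self.real_dst or pkt.dst != self.pat_addr
                or pkt.dport not in self.reverse):
            return None                 # no matching translation slot
        src, sport = self.reverse[pkt.dport]
        return Packet(self.mapped_dst, pkt.sport, src, sport)

if __name__ == "__main__":
    nat = DoubleNat("1.1.1.1", "3.3.3.3", "2.2.2.2")
    # Constructed sample clients (documentation address ranges).
    for client in ("198.51.100.7", "203.0.113.9"):
        seen = nat.inbound(Packet(client, 40000, "1.1.1.1", 80))
        print(client, "-> server sees", seen)
        print("  reply leaves as", nat.outbound(Packet("3.3.3.3", 80, seen.src, seen.sport)))
```

Every client reaches the server with source 2.2.2.2, so the firewall's translation table is the only place the real source address is recorded.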
