10-31-2010 01:52 PM - edited 03-11-2019 12:02 PM
Hello,
I have a network on my pix that uses RFC 1918 addresses in the 10.0.Y.0/24 with the pix interface as 10.0.Y.1
I have multiple interfaces which I need to translate some of these addresses from 10.0.Y.X <-> 192.100.255.Z so that the hosts on the private network can talk to hosts on other interfaces and vice versa.
Static NAT appears to not work for more than one interface pair:
This works :
static (private,outside) 192.100.255.Y 10.0.Y.X netmask 255.255.255.255
static (outside,private) 10.0.Y.Z 192.100.255.Y netmask 255.255.255.255
But adding:
static (private,dmz) 192.100.255.Y 10.0.Y.X netmask 255.255.255.255
static (outside,dmz) 10.0.Y.Z 192.100.255.Y netmask 255.255.255.255
Results in:
WARNING: mapped-address conflict with existing static
outside:192.100.255.Y to private:10.0.Y.X netmask 255.255.255.255
And the first NAT works but traffic to the dmz goes out untranslated.
How can I translate these RFC1918 addresses to public addresses for multiple interfaces (they must be statically assigned from a fixed RFC1918 address to a fixed public address)?
10-31-2010 04:55 PM
Hello,
What you need to do is just to translate the guys with the higher security level (in this case the 10.10.Y.0 network). You don't need to do a translation backwards.
For example, if you want your hosts on the private interface to be translated to 192.168.10.x on the dmz the static would be
static (private,dmz) 192.168.x.x 10.10.y.x netmask 255.255.255.255
If you want your host to be translated on the Public interface it would be
static (private,public) 192.168.x.x 10.10.y.x netmask 255.255.255.255
and so on. Feel free to read the following document:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml
Hope it helps.
Mike
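The rule in the answer above (one outbound static per interface pair, from the higher-security interface, with the mapped address before the real address, and no reverse static) as an added example that is not part of the original thread or of any Cisco tooling. It generates the pre-8.3 `static` lines for a set of hosts and a list of lower-security interfaces, and lints a set of statics for the two mistakes in the question: a "backwards" static whose real interface is not higher security than its mapped interface, and an address that ends up as both a real and a mapped address on one interface. The interface names, the dmz security level, the concrete addresses (Y=1, X=Z=10) and the conflict heuristic are assumptions for the example; the PIX's own conflict check is not reproduced exactly.

```python
"""Generate and sanity-check PIX/ASA pre-8.3 static NAT lines.

Added example, not from the original posts or from Cisco. Assumptions: the
interface names and security levels below are illustrative; the pre-8.3 syntax
    static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
is the one used throughout; and the conflict check only approximates the PIX
warning by flagging an address that is both real and mapped on one interface.
"""
import re
from collections import defaultdict

# Constructed security levels: PIX defaults are inside 100 / outside 0; the
# dmz level of 50 is an assumption for this example.
SECURITY = {"private": 100, "dmz": 50, "outside": 0}

STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>[\w-]+),(?P<mapped_ifc>[\w-]+)\)\s+"
    r"(?P<mapped_ip>\d+(?:\.\d+){3})\s+(?P<real_ip>\d+(?:\.\d+){3})\s+"
    r"netmask\s+(?P<mask>\d+(?:\.\d+){3})$"
)


def generate_statics(mappings, real_ifc, lower_ifcs):
    """Emit one outbound host static per (real_ifc, lower_ifc) pair.

    mappings: {real_ip: mapped_ip}. No reverse static is generated: the one
    static is consulted for both directions of a flow (inbound traffic still
    needs an ACL on the lower-security interface permitting the mapped address).
    """
    return [
        f"static ({real_ifc},{lower}) {mapped_ip} {real_ip} netmask 255.255.255.255"
        for lower in lower_ifcs
        for real_ip, mapped_ip in mappings.items()
    ]


def check_statics(lines, security=SECURITY):
    """Return a list of problem strings; an empty list means the statics look sane."""
    problems = []
    owner = {}                  # (mapped_ifc, mapped_ip) -> real_ip
    roles = defaultdict(set)    # (ifc, ip) -> {"real", "mapped"}
    for raw in lines:
        line = raw.strip()
        m = STATIC_RE.match(line)
        if not m:
            problems.append(f"{line}: not a host static in pre-8.3 syntax")
            continue
        real_ifc, mapped_ifc = m["real_ifc"], m["mapped_ifc"]
        real_ip, mapped_ip = m["real_ip"], m["mapped_ip"]
        # Rule from the answer: translate from the higher-security interface only.
        if security[real_ifc] <= security[mapped_ifc]:
            problems.append(
                f"{line}: backwards, {real_ifc} is not higher security than "
                f"{mapped_ifc}; remove it, the outbound static already covers replies"
            )
        # Two different real hosts cannot share one mapped address on an interface.
        prev = owner.setdefault((mapped_ifc, mapped_ip), real_ip)
        if prev != real_ip:
            problems.append(f"{line}: mapped {mapped_ip} on {mapped_ifc} already used for {prev}")
        roles[(real_ifc, real_ip)].add("real")
        roles[(mapped_ifc, mapped_ip)].add("mapped")
    # An address that is real in one static and mapped in another on the same
    # interface is the overlap a reverse static creates (heuristic, see docstring).
    for (ifc, ip), r in sorted(roles.items()):
        if r == {"real", "mapped"}:
            problems.append(f"{ifc}:{ip} is used as both a real and a mapped address")
    return problems


# Constructed stand-in for the question's four lines (Y=1, X=Z=10).
QUESTION_LINES = [
    "static (private,outside) 192.100.255.1 10.0.1.10 netmask 255.255.255.255",
    "static (outside,private) 10.0.1.10 192.100.255.1 netmask 255.255.255.255",
    "static (private,dmz) 192.100.255.1 10.0.1.10 netmask 255.255.255.255",
    "static (outside,dmz) 10.0.1.10 192.100.255.1 netmask 255.255.255.255",
]

# What the answer recommends: outbound statics only, one per lower-security interface.
FIXED_LINES = generate_statics(
    {"10.0.1.10": "192.100.255.1", "10.0.1.11": "192.100.255.2"},
    "private", ["outside", "dmz"],
)

if __name__ == "__main__":
    for p in check_statics(QUESTION_LINES):
        print("question config:", p)
    print("fixed config problems:", check_statics(FIXED_LINES))
```

Running it reports the two `(outside,...)` statics as backwards and the two addresses that the reverse statics turn into both real and mapped on `outside` and `private`; the generated outbound-only set passes clean. The same mapped address reused on `outside` and `dmz` is not flagged, because each interface pair has its own static.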
10-31-2010 07:19 PM
OK - got it figured out.
I imported the config from the old ASA which someone else had configured (incorrectly).
As you pointed out I only needed the static in the outbound direction not inbound as well.
adding:
static (inside,outside)
static (inside,dmz)
... ad infinitum for the many interfaces
works as expected.
I was getting confused (being at work since 5am will do that :-( ) by traffic being dropped. Turns out that the sysadmins were trying to use IMAP on our SMTP relays, which weren't configured for IMAP, and the inbound ACL on the relays was dropping the traffic, but the logs showed the pre-NATted address so it looked like the traffic was not being translated.