Static NAT to/from multiple interfaces PIX 7.2

GrumpyBear
Level 1

Hello,

I have a network on my PIX that uses RFC 1918 addresses in 10.0.Y.0/24, with the PIX interface as 10.0.Y.1.

I have multiple interfaces, and I need to translate some of these addresses 10.0.Y.X <-> 192.100.255.Z so that the hosts on the private network can talk to hosts on other interfaces and vice versa.

Static NAT appears not to work for more than one interface pair:

This works:

static (private,outside) 192.100.255.Y 10.0.Y.X netmask 255.255.255.255

static (outside,private) 10.0.Y.Z 192.100.255.Y netmask 255.255.255.255

But adding:

static (private,dmz) 192.100.255.Y 10.0.Y.X netmask 255.255.255.255

static (outside,dmz) 10.0.Y.Z 192.100.255.Y netmask 255.255.255.255

results in:

WARNING: mapped-address conflict with existing static
  outside:192.100.255.Y to private:10.0.Y.X netmask 255.255.255.255

and the first NAT works, but traffic to the DMZ goes out untranslated.

How can I translate these RFC 1918 addresses to public addresses for multiple interfaces? (They must be statically assigned from a fixed RFC 1918 address to a fixed public address.)


Maykol Rojas
Cisco Employee

Hello,

What you need to do is just to translate the guys with the higher security level (in this case the 10.10.Y.0 network). You don't need to do a translation backwards.

For example, if you want your hosts on the private interface to be translated to 192.168.10.x on the dmz  the static would be


! PIX 7.x syntax is: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
static (private,dmz) 192.168.x.x 10.10.y.x netmask 255.255.255.255

If you want your host to be translated on the Public interface it would be


static (private,public) 192.168.x.x 10.10.y.x netmask 255.255.255.255

and so on. Feel free to read the following document:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml

Hope it helps.

Mike

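The rule in the accepted answer (translate only the higher-security side, one static per interface pair, no reverse static) is easy to state but easy to get wrong when a config is inherited, as in this thread. Here is an added example, not code from the thread or from Cisco: a small Python linter that parses the `nameif`/`security-level` lines and the `static` lines of a PIX 7.x config and flags (1) statics whose real side is not the higher-security interface and (2) a mapped address reused for a different real host on the same mapped interface, which is what the "mapped-address conflict" warning points at. The interface names, security levels and addresses in the embedded sample config are constructed for this example; the 192.100.255.10 / 10.0.1.x values are placeholders in the spirit of the question, not real hosts.

```python
"""Lint PIX/ASA 7.x 'static' lines against the rule from the accepted answer.

Added example for this thread, not Cisco code.  Checks:
  1. the real (first) interface must have a higher security-level than the
     mapped (second) interface -- translate the high-security side only,
     never "backwards";
  2. a mapped address maps to at most one real host per mapped interface.
"""
import re
from collections import defaultdict

# Constructed sample config (assumption: names, levels and addresses are
# made up).  The first two statics are the correct pattern: one static per
# (private, lower-security) pair.  The third is the "backwards" static from
# the question; the fourth reuses a mapped address on the same interface.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
interface Ethernet1
 nameif private
 security-level 100
interface Ethernet2
 nameif dmz
 security-level 50
static (private,outside) 192.100.255.10 10.0.1.10 netmask 255.255.255.255
static (private,dmz) 192.100.255.10 10.0.1.10 netmask 255.255.255.255
static (outside,private) 10.0.1.10 192.100.255.10 netmask 255.255.255.255
static (private,outside) 192.100.255.10 10.0.1.11 netmask 255.255.255.255
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+"
    r"(?P<mapped_ip>\S+)\s+(?P<real_ip>\S+)"
)


def parse_config(text):
    """Return ({nameif: security-level}, [static dicts]) from config text."""
    levels, statics = {}, []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("security-level ") and current is not None:
            levels[current] = int(line.split()[1])
        elif line.startswith("static "):
            m = STATIC_RE.match(line)
            if m:
                statics.append(m.groupdict())
    return levels, statics


def lint_statics(text):
    """Return a list of (static line, problem) tuples, in config order."""
    levels, statics = parse_config(text)
    problems = []
    # (mapped_if, mapped_ip) -> set of real IPs already bound to it
    mapped_seen = defaultdict(set)
    for st in statics:
        desc = (f"static ({st['real_if']},{st['mapped_if']}) "
                f"{st['mapped_ip']} {st['real_ip']}")
        real_lvl = levels.get(st["real_if"])
        mapped_lvl = levels.get(st["mapped_if"])
        if real_lvl is None or mapped_lvl is None:
            problems.append((desc, "references an interface with no security-level"))
            continue
        if real_lvl <= mapped_lvl:
            # The forward static already handles replies; this reverse
            # static is the pattern the question was tripping over.
            problems.append((desc, "reverse static: real side is not the "
                                   "higher-security interface"))
        key = (st["mapped_if"], st["mapped_ip"])
        if mapped_seen[key] and st["real_ip"] not in mapped_seen[key]:
            problems.append((desc, f"mapped address {st['mapped_ip']} already "
                                   f"used on {st['mapped_if']} for another host"))
        mapped_seen[key].add(st["real_ip"])
    return problems


if __name__ == "__main__":
    for desc, why in lint_statics(SAMPLE_CONFIG):
        print(f"{desc}\n    -> {why}")
```

Run against the sample it reports exactly the two bad lines: the `static (outside,private)` reverse translation and the second `static (private,outside)` that binds 192.100.255.10 to a different real host. Note that a static alone never permits connections initiated from the lower-security side: on PIX 7.x an access-list applied to the outside or dmz interface is still required to reach the mapped address, so when traffic "looks untranslated" it is worth checking the ACL logs before the NAT, as the original poster eventually did.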

2 Replies


OK - got it figured out.

I imported the config from the old ASA, which someone else had configured (incorrectly).

As you pointed out, I only needed the static in the outbound direction, not inbound as well.

Adding:

static (inside,outside) netmask 255.255.255.255

static (inside,dmz) netmask 255.255.255.255

... ad infinitum for the many interfaces

works as expected.

I was getting confused (being at work since 5am will do that :-( ) by traffic being dropped. It turns out that the sysadmins were trying to use IMAP on our SMTP relays, which weren't configured for IMAP, and the inbound ACL on the relays was dropping the traffic, but the logs showed the pre-NAT address, so it looked like the traffic was not being translated.
