New Member

Static NAT to/from multiple interfaces PIX 7.2

Hello,

I have a network on my PIX that uses RFC 1918 addresses in 10.0.Y.0/24, with the PIX interface as 10.0.Y.1.

I have multiple interfaces, and I need to translate some of these addresses (10.0.Y.X <-> 192.100.255.Z) so that the hosts on the private network can talk to hosts on other interfaces and vice versa.

Static nat appears to not work for more than one interface pair:

This works:

static (private,outside) 192.100.255.Y 10.0.Y.X netmask 255.255.255.255

static (outside,private) 10.0.Y.Z 192.100.255.Y netmask 255.255.255.255

But adding:

static (private,dmz) 192.100.255.Y 10.0.Y.X netmask 255.255.255.255

static (outside,dmz) 10.0.Y.Z 192.100.255.Y netmask 255.255.255.255

Results in:

WARNING: mapped-address conflict with existing static
  outside:192.100.255.Y to private:10.0.Y.X netmask 255.255.255.255

And the first NAT works but traffic to the dmz goes out untranslated.

How can I translate these RFC1918 addresses to public addresses for multiple interfaces (they must be statically assigned from a fixed RFC1918 address to a fixed public address)?

Accepted Solution
Cisco Employee

Re: Static NAT to/from multiple interfaces PIX 7.2

Hello,

What you need to do is just to translate the guys with the higher security level (in this case the 10.10.Y.0 network). You don't need to do a translation backwards.

For example, if you want your hosts on the private interface to be translated to 192.168.10.x on the dmz, the static would be

static (private,dmz) 10.10.y.x 192.168.x.x netmask 255.255.255.255

If you want your host to be translated on the Public interface, it would be

static (private,public) 10.10.y.x 192.168.x.x netmask 255.255.255.255

and so on. Feel free to read the following document:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml

Hope it helps.

Mike
2 REPLIES
New Member

Re: Static NAT to/from multiple interfaces PIX 7.2

OK - got it figured out.

I imported the config from the old ASA which someone else had configured (incorrectly).

As you pointed out, I only needed the static in the outbound direction, not inbound as well.

Adding:

static (inside,outside) netmask 255.255.255.255

static (inside,dmz) netmask 255.255.255.255

... ad infinitum for the many interfaces

works as expected.

I was getting confused (being at work since 5am will do that :-( ) by traffic being dropped. Turns out that the sysadmins were trying to use IMAP on our SMTP relays, which weren't configured for IMAP, and the inbound ACL on the relays was dropping the traffic, but the logs showed the pre-NATted address, so it looked like the traffic was not being translated.
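A fuller version of the one-direction static that the accepted answer describes and the follow-up confirms, as an added example (not the poster's or Cisco's configuration): the interface names, the 10.0.1.10 / 192.100.255.10 pair, the dmz subnet 10.0.2.0/24 and the SMTP service are assumptions. It follows the argument order of the question's working line (mapped address first, real address second) and adds the inbound access-list that the thread does not show but that traffic from a lower-security interface needs to reach a host behind a higher-security one.

```cisco
! Added example; addresses, interface names and services are assumptions.
! Security levels assumed: private = 100, dmz = 50, outside = 0.
!
! Syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
! The higher-security interface is always the first one in the pair.
! One static is bidirectional: it builds the xlate for outbound sessions
! and lets the PIX untranslate inbound packets sent to the mapped address.
!
! Unnecessary reverse statics of the kind shown in the question, e.g.
!   static (outside,private) 10.0.1.10 192.100.255.10 netmask 255.255.255.255
! reuse the mapped address as a real address; repeated for a second
! interface they produce the "mapped-address conflict" warning.
!
! Corrected: one outbound static per lower-security interface, same
! fixed private address to the same fixed public address.
static (private,outside) 192.100.255.10 10.0.1.10 netmask 255.255.255.255
static (private,dmz)     192.100.255.10 10.0.1.10 netmask 255.255.255.255
!
! Sessions initiated from the lower-security dmz toward the private host
! are denied by default; permit them explicitly, addressed to the MAPPED
! address, and only for the service the host actually offers.
access-list dmz_in extended permit tcp 10.0.2.0 255.255.255.0 host 192.100.255.10 eq smtp
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
```

With only these lines, dmz hosts can reach 192.100.255.10 on TCP/25 and nothing else behind the private interface; everything denied is logged so a misdirected client (such as the IMAP attempts in the follow-up) shows up in the PIX syslog rather than silently disappearing.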
