Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
424
Views
10
Helpful
5
Replies

STATIC NAT

Go to solution
jahangeer_abdul
Level 1
Level 1

‎05-10-2007 02:27 AM - edited ‎03-11-2019 03:11 AM

Hi,

I working on following scenario. I need some clarification on this.

nameif ethernet0 outside security0

nameif ethernet1 inside security100

ip address outside 209.165.201.2 255.255.255.248

ip address inside 209.165.201.9 255.255.255.248

static (inside,outside) 209.165.201.5 209.165.201.12 netmask 255.255.255.255

For the above confifuration, what should I enter in the access-list.

access-list acl_out permit tcp any host 209.165.201.12

access-group acl_out in interface outside

OR

access-list acl_out permit tcp any host 209.165.201.5

access-group acl_out in interface outside

For both what should IP sould I enter to acsess my Inside Server.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to jahangeer_abdul

‎05-10-2007 04:01 AM

Hi

You can only configure one ip address in your static statement so it could be any spare ip address from your 209.165.201.0/29 subnet so you may as well use .5 if that is free.

HTH

Jon

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎05-10-2007 02:38 AM

Hi

You should use the following

access-list acl_out permit tcp any host 209.165.201.5

access-group acl_out in interface outside

HTH

Jon

Go to solution
jahangeer_abdul
Level 1
Level 1
In response to Jon Marshall

‎05-10-2007 03:01 AM

Hi,

Thanks for you comment. what destination IP slould the end user use.

If it's 209.165.201.5, how the packet will be sent to default Gateway as the destination IP in same LAN.

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to jahangeer_abdul

‎05-10-2007 03:27 AM

Hi

The destination IP address should be 209.165.201.5 as that is the address you are presenting to the outside.

When you configure a static on the ASA/Pix it then becomes responsible for that IP address so it will respond to arp requests. So when the router receives the packet it will arp out for 209.165.201.5 and the ASA/pix will respond with the mac address of it's external interface.

Hope this makes sense

Jon

Go to solution
jahangeer_abdul
Level 1
Level 1
In response to Jon Marshall

‎05-10-2007 03:47 AM

static (inside,outside) 209.165.X.X 209.165.201.12 netmask 255.255.255.255

access-list acl_out permit tcp any host 209.165.X.X

access-group acl_out in interface outside

Shall I configure any no in the place of X irrespective of the Subnet.

or should I configure only 209.165.201.5.

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to jahangeer_abdul

‎05-10-2007 04:01 AM

Hi

You can only configure one ip address in your static statement so it could be any spare ip address from your 209.165.201.0/29 subnet so you may as well use .5 if that is free.

HTH

Jon

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card