New Member

STATIC NAT

Hi,

I am working on the following scenario. I need some clarification on this.

nameif ethernet0 outside security0

nameif ethernet1 inside security100

ip address outside 209.165.201.2 255.255.255.248

ip address inside 209.165.201.9 255.255.255.248

static (inside,outside) 209.165.201.5 209.165.201.12 netmask 255.255.255.255

For the above configuration, what should I enter in the access-list?

access-list acl_out permit tcp any host 209.165.201.12

access-group acl_out in interface outside

OR

access-list acl_out permit tcp any host 209.165.201.5

access-group acl_out in interface outside

For both, what IP should I enter to access my Inside Server?

Hall of Fame Super Blue

Re: STATIC NAT

Hi

You should use the following

access-list acl_out permit tcp any host 209.165.201.5

access-group acl_out in interface outside

HTH

Jon

New Member

Re: STATIC NAT

Hi,

Thanks for your comment. What destination IP should the end user use?

If it's 209.165.201.5, how will the packet be sent to the default gateway, as the destination IP is in the same LAN?

Hall of Fame Super Blue

Re: STATIC NAT

Hi

The destination IP address should be 209.165.201.5 as that is the address you are presenting to the outside.

When you configure a static on the ASA/PIX it then becomes responsible for that IP address, so it will respond to ARP requests. So when the router receives the packet it will ARP out for 209.165.201.5 and the ASA/PIX will respond with the MAC address of its external interface.

Hope this makes sense

Jon

New Member

Re: STATIC NAT

static (inside,outside) 209.165.X.X 209.165.201.12 netmask 255.255.255.255

access-list acl_out permit tcp any host 209.165.X.X

access-group acl_out in interface outside

Shall I configure any number in the place of X, irrespective of the subnet?

Or should I configure only 209.165.201.5?

Hall of Fame Super Blue

Re: STATIC NAT

Hi

You can only configure one ip address in your static statement so it could be any spare ip address from your 209.165.201.0/29 subnet so you may as well use .5 if that is free.

HTH

Jon
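
Added example, not part of the original thread: a small Python check that applies the two answers above to a configuration in the pre-8.3 PIX/ASA syntax used here. It flags an inbound ACL that names the real address instead of the mapped one, and a mapped address outside the subnet of the interface it is presented on. The function name, finding codes and the all-ports check are this example's own assumptions.

```python
import ipaddress
import re

# Constructed sample: the thread's configuration with both candidate ACL lines.
SAMPLE = """\
ip address outside 209.165.201.2 255.255.255.248
ip address inside 209.165.201.9 255.255.255.248
static (inside,outside) 209.165.201.5 209.165.201.12 netmask 255.255.255.255
access-list acl_out permit tcp any host 209.165.201.12
access-list acl_out permit tcp any host 209.165.201.5
access-group acl_out in interface outside
"""

ACL_RE = re.compile(r"access-list (\S+) permit \S+ .*host (\S+)(.*)$")

def lint(config):
    """Return (code, address) findings for pre-8.3 static NAT and inbound ACLs."""
    nets, statics, acls, bound, findings = {}, [], [], {}, []
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["ip", "address"] and len(w) == 5:
            nets[w[2]] = ipaddress.ip_network(f"{w[3]}/{w[4]}", strict=False)
        elif w[:1] == ["static"] and len(w) >= 4:
            # static (real_if,mapped_if) mapped_ip real_ip ...
            mapped_if = w[1].strip("()").split(",")[1]
            statics.append((mapped_if, w[2], w[3]))
        elif w[:1] == ["access-group"] and len(w) == 5 and w[2] == "in":
            bound[w[1]] = w[4]  # ACL name -> interface it filters inbound
        elif (m := ACL_RE.match(line)):
            acls.append((m.group(1), m.group(2), m.group(3).split()))
    for mapped_if, mapped, real in statics:
        net = nets.get(mapped_if)
        # The firewall answers ARP for the mapped address, so it should sit in
        # the subnet of the interface it is presented on.
        if net is not None and ipaddress.ip_address(mapped) not in net:
            findings.append(("MAPPED_OFF_SUBNET", mapped))
        for name, dst, ports in acls:
            if bound.get(name) != mapped_if:
                continue
            if dst == real:
                # Outside clients address the mapped IP, so the ACL must too.
                findings.append(("ACL_USES_REAL_ADDRESS", dst))
            elif dst == mapped and not ports:
                # Extra check, not raised in the thread: with no port
                # qualifier every TCP port on the server is reachable.
                findings.append(("ACL_PERMITS_ALL_PORTS", dst))
    return findings

if __name__ == "__main__":
    for code, addr in lint(SAMPLE):
        print(code, addr)
```

On ASA 8.3 and later, ACLs reference the real address instead, so this check applies only to the older syntax shown in this thread.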
