New Member

Static PAT/ACL help

Hello,
I have a client that needs access to a particular server on the DMZ from the outside interface. I have created a static PAT statement, 1200 translated to 1200 (I have created the 1200 port so they can access this particular server), and created an access-list from outside to the DMZ. When I run packet tracer it fails at the last part, at the NAT.

Type - NAT
Subtype - rpf-check
Action - DROP
Show rule in NAT Rules table.
Config
static (DMZ,Outside) tcp interface 1200 access-list DMZ_nat_static_2
nat-control match tcp DMZ host 2.2.2.2 eq 1200
Outside host 80.80.80.80 static translation to 90.90.90.90/1200 translate_hits = 0, untranslate_hits = 11
Config:
static (DMZ,Outside) tcp interface 1200 access-list DMZ_nat_static_2
access-list DMZ extended permit object-group DM_INLINE_PROTOCOL_1 host 2.2.2.2 host 80.80.80.80
access-list DMZ_nat_static_2 extended permit tcp host 2.2.2.2 eq 1200 host 80.80.80.80
access-list Outside_access_in extended permit tcp host 80.80.80.80 host 2.2.2.2 
Not sure if the above access-list/PAT are correct
Thanks

4 REPLIES
Cisco Employee

Re: Static PAT/ACL help

Doesn't look correct.

Can you please advise what is the ip address of the outside interface, and the ip address of the DMZ server?

New Member

Re: Static PAT/ACL help

I will give made-up IPs.

Remote IP:  22.22.22.22

My outside IP: 11.11.11.11

My DMZ Server: 33.33.33.33

Cisco Employee

Re: Static PAT/ACL help

OK, based on the following information:

Remote IP:   22.22.22.22

My outside IP: 11.11.11.11

My DMZ Server: 33.33.33.33

You can configure the following:

static (DMZ,Outside) tcp interface 1200 33.33.33.33 1200 netmask 255.255.255.255

access-list Outside_access_in permit tcp host 22.22.22.22 host 11.11.11.11 eq 1200

I assume you already have the following:

access-group Outside_access_in in interface outside

Or, alternatively, if you need to be very specific that only traffic from 22.22.22.22 needs to be translated, then the following:

access-list DMZ-NAT permit tcp host 33.33.33.33 eq 1200 host 22.22.22.22

static (DMZ,Outside) tcp interface 1200 access-list DMZ-NAT
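
Added example, not code from this thread or from Cisco: a small Python checker for the point the suggested ACL relies on. On ASA releases before 8.3 an ACL applied inbound on the outside interface is evaluated before the static is un-translated, so for this static PAT it must name the outside interface address and port (host 11.11.11.11 eq 1200), not the DMZ server's real address. The checker parses 8.2-style static, access-list and access-group lines from a constructed sample config, takes interface addresses from a hand-written dict (the sample has no interface blocks), compares nameif values case-insensitively, and reports ACEs that name the real address, ACEs that leave the port open, and statics with no permitting ACE. The addresses are the thread's made-up ones.

```python
"""Sanity-check ASA 8.2-style static PAT against the outside-inbound ACL.

Added example, not code from this thread or from Cisco. Assumes pre-8.3
ASA semantics: an ACL applied inbound on the outside interface is matched
before un-NAT, so its destination must be the mapped (global) address, not
the real DMZ address. The sample config and interface table are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample, reusing the thread's made-up addresses. The first ACE
# names the DMZ server's real address (the mistake being checked), the
# second names the outside interface address the static PAT maps to.
SAMPLE_CONFIG = """\
static (DMZ,Outside) tcp interface 1200 33.33.33.33 1200 netmask 255.255.255.255
access-list Outside_access_in extended permit tcp host 22.22.22.22 host 33.33.33.33 eq 1200
access-list Outside_access_in extended permit tcp host 22.22.22.22 host 11.11.11.11 eq 1200
access-group Outside_access_in in interface outside
"""

# Assumed interface addresses (keyed by nameif, lower-cased); the sample has
# no "interface" blocks, so this stands in for the "ip address" lines.
IFACE_IPS = {"outside": "11.11.11.11"}

STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) tcp "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\d+) (?P<real_ip>\S+) (?P<real_port>\d+)\b"
)
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) (?:extended )?permit tcp "
    r"host (?P<src>\S+) host (?P<dst>\S+)(?: eq (?P<dport>\d+))?$"
)
GROUP_RE = re.compile(r"^access-group (?P<acl>\S+) in interface (?P<ifc>\S+)$")


@dataclass
class StaticPat:
    real_if: str
    mapped_if: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


def parse_statics(config, iface_ips):
    """Collect 'static (real,mapped) tcp ...' lines, resolving the 'interface' keyword."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        mapped_if = m["mapped_if"].lower()
        mapped_ip = m["mapped_ip"]
        if mapped_ip == "interface":
            mapped_ip = iface_ips[mapped_if]  # PAT to the mapped interface's own address
        statics.append(StaticPat(m["real_if"].lower(), mapped_if, mapped_ip,
                                 int(m["mapped_port"]), m["real_ip"], int(m["real_port"])))
    return statics


def parse_inbound_acls(config):
    """Return {interface: [ACEs]} for every ACL bound with 'access-group ... in interface'."""
    aces, bindings = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            aces.setdefault(m["acl"], []).append({
                "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]) if m["dport"] else None, "text": line})
            continue
        g = GROUP_RE.match(line)
        if g:
            bindings[g["ifc"].lower()] = g["acl"]
    return {ifc: aces.get(acl, []) for ifc, acl in bindings.items()}


def check_static_pat(config, iface_ips):
    """Return human-readable findings; an empty list means the ACL matches the PAT."""
    findings = []
    inbound = parse_inbound_acls(config)
    for s in parse_statics(config, iface_ips):
        permitted = False
        for ace in inbound.get(s.mapped_if, []):
            if ace["dst"] == s.real_ip:
                # Pre-8.3: the outside ACL never sees the real address, so this ACE is dead.
                findings.append(
                    f"real address in outside ACL: '{ace['text']}' names {s.real_ip}; "
                    f"use host {s.mapped_ip} eq {s.mapped_port} (the mapped address)")
            elif ace["dst"] == s.mapped_ip and ace["dport"] in (None, s.mapped_port):
                permitted = True
                if ace["dport"] is None:
                    findings.append(
                        f"over-broad ACE: '{ace['text']}' permits every TCP port to "
                        f"{s.mapped_ip}; only {s.mapped_port} is translated, add eq {s.mapped_port}")
        if not permitted:
            findings.append(
                f"no ACE permits {s.mapped_ip}:{s.mapped_port} inbound on {s.mapped_if}; "
                f"traffic for {s.real_ip}:{s.real_port} will be dropped before un-NAT")
    return findings


if __name__ == "__main__":
    for finding in check_static_pat(SAMPLE_CONFIG, IFACE_IPS):
        print(finding)
```

Run it as a script to print the findings for the sample, or call check_static_pat() on a saved "show running-config". It deliberately covers only the tcp host-to-host ACE form used in this thread; object-groups, ranges and the 8.3+ object NAT syntax are not parsed.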

New Member

Re: Static PAT/ACL help

Thanks, I will give that a bash

I have sent you a PM. Can you have a look please?
