Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Static translation for an inside IP

Hi,

Here is what I am trying to accomplish:

Any inside users going out should be dynamically translated to 192.168.2.2-200.

But for one host, 172.16.1.1, I want that to be xlated into 192.168.2.1 all the time.

I have a sample confi below. I think I do have problem with in2out4static rule because traffic initiated by 172.16.1.1 could use in2out acess list instead of in2out4static.

Are there any access-list priority?

I think access-list in PIX/ASA behave different from routers: the order of the statement doesn't matter. (I may be wrong though.)

Could somebody please help me out?

PIX Version 7.1(2)

!

interface Ethernet1

speed 100

duplex full

nameif inside

security-level 100

ip address 172.16.1.254 255.255.255.0

!

interface Ethernet2

nameif outside

security-level 10

ip address 192.168.1.254 255.255.255.0

!

access-list in2out extended permit ip any 10.1.1.0 255.255.255.0

access-list in2out4static extended permit ip host 172.16.1.1 10.1.1.0 255.255.255.0

access-list out2in extended permit tcp any host 192.168.2.1 eq 80

!

global (outside) 2 192.168.2.2-192.168.2.200 netmask 255.255.255.0

global (outside) 3 192.168.2.1

nat (inside) 2 access-list in2out

nat (inside) 3 access-list in2out4static

!

static (inside,outside) 192.168.2.1 172.16.1.1 netmask 255.255.255.255

access-group out2in in interface outside

route networkmd 10.1.1.0 255.255.255.0 192.168.1.253

1 REPLY
Green

Re: Static translation for an inside IP

You're looking for the nat order of operations...

1. nat 0 access-list

2. static NAT

3. static PAT

4. policy NAT

5. regular NAT

172.16.1.1. will be 192.168.2.1 going out because of the static.

You could do this to the in2out acl as well.

access-list in2out extended deny ip host 172.16.1.1 10.1.1.0 255.255.255.0

access-list in2out extended permit ip any 10.1.1.0 255.255.255.0

176
Views
5
Helpful
1
Replies