Cisco Support Community

New Member

Can the PAT and static commands be used together?

I have a PIX 525.

There is only one public IP I can use.

I need to do PAT so internal users can go to the web.

I also want a static mapping to that IP so outside users can access our website.

But when I configure the two together, internal users can't access the Internet.

How can I make both things work using one public IP?

Any help will be appreciated.

6 REPLIES
Cisco Employee

Re: Can the PAT and static commands be used together?

Hi,

Here are two different static statements:

1) static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255

2) static (inside,outside) tcp interface 80 y.y.y.y 80 netmask 255.255.255.255

Here, x.x.x.x = your public (PIX outside interface) IP address.

y.y.y.y = private IP address of your web server.

The "interface" keyword refers to the outside interface IP address of your PIX.

I'm sure you would be using the first one in the above example. If you use the first one, you make a one-to-one translation between your public and private IP addresses, letting the PIX know that the public IP address is always associated with this private IP address.

Using the second statement in the above example (also called port forwarding) would resolve the issue and achieve your goal.

Reason: Port forwarding works only for inbound traffic, and the rest of the outbound traffic uses the nat and global combination to go out to the Internet.

Rahul Pathania

rpathani@cisco.com

Gold

Re: Can the PAT and static commands be used together?

The main point is that there is only one public IP, so port forwarding is the way to go.

e.g.

static (inside,outside) tcp 80 80 netmask 255.255.255.255 0 0

access-list 100 permit tcp any host eq 80

access-group 100 in interface outside

At the same time, apply the following for internal users accessing the Internet:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

All these commands, including static, ACL, global, and nat, will work together.

New Member

Re: Can the PAT and static commands be used together?

I'm very glad to see the replies.

I'm from China and my English is not very good, so it's a surprise that you can totally understand me. Thank you, rpathani and jackko.

I was just using this command:

static (inside,outside) netmask 255.255.255.255 0 0

I will use port translation to test.

New Member

Re: Can the PAT and static commands be used together?

jakko basically had it correct, but to cover all your bases completely, you may be better off using the interface keyword for all your NAT w/PAT commands.

global (outside) 1 interface

nat (inside) 0 0

access-list acl_outside permit tcp any interface outside eq 80

static (inside,outside) tcp interface 80 80 netmask 255.255.255.255 0 0

access-group acl_outside in interface outside

this will ensure that if you are using either ip address outside dhcp or ip address pppoe (without static IPs) you will not run into any problems down the road.
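Added example, not part of any reply in this thread: a small Python check that flags the conflict discussed above, where a one-to-one static claims the same outside address that `global (outside) 1 interface` uses for PAT, and also flags a port forward with no matching permit in an access-list. The function name `audit`, the sample configs and the addresses 203.0.113.10 / 192.168.1.10 are constructed for illustration; the `ip address outside` line assumes PIX 6.x syntax and numeric ports as used in the thread.

```python
import re

# Constructed sample configs (documentation addresses), not taken from the thread.
BROKEN = """\
ip address outside 203.0.113.10 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
"""
FIXED = """\
ip address outside 203.0.113.10 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255 0 0
access-list acl_outside permit tcp any interface outside eq 80
access-group acl_outside in interface outside
"""

def audit(config):
    """Return a list of findings for a PIX 6.x-style config given as text."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    outside_ip = next(
        (l.split()[3] for l in lines if l.startswith("ip address outside ")), None)
    pat_on_interface = any(
        re.match(r"global \(outside\) \d+ interface$", l) for l in lines)
    acl_text = "\n".join(l for l in lines if l.startswith("access-list "))
    findings = []
    for l in lines:
        if not l.startswith("static (inside,outside) "):
            continue
        args = l.split()[2:]
        if args[0] in ("tcp", "udp"):
            # Port redirection: layout is <proto> <public> <port> <private> <port>.
            proto, port = args[0], args[2]
            pattern = rf"permit {proto} any .* eq {re.escape(port)}\b"
            if not re.search(pattern, acl_text):
                findings.append(f"port forward {proto}/{port} has no matching permit access-list")
        elif pat_on_interface and args[0] in ("interface", outside_ip):
            # One-to-one static on the address that PAT also needs for outbound traffic.
            findings.append("one-to-one static claims the outside address also used for PAT")
    return findings
```
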

New Member

Re: Can the PAT and static commands be used together?

Can someone help me do the same thing but on IOS, not PIX?

Thanks,

Gold

Re: Can the PAT and static commands be used together?

ip nat inside source static tcp extendable

e.g. for mail server,

ip nat inside source static tcp 203.1.1.1 25 192.168.1.1 25 extendable
