confused by NAT

vikrantarora
Level 1

Please find my nat and global commands below. I want to translate the IP 204.142.253.55 / 24 (vik) to 190.231.232.135 / 27 (one of the ISP-assigned public addresses).

Pix-Admin1(config)# sh global

global (outside) 1 192.231.232.135 netmask 255.255.255.224

name 204.142.253.55 vik

Pix-Admin1(config)# sh nat

nat (inside) 1 vik 255.255.255.255 0 0

nat (inside) 0 192.231.232.0 255.255.255.128 0 0

nat (inside) 0 192.168.254.0 255.255.255.0 0 0

nat (inside) 0 198.138.22.0 255.255.255.0 0 0

nat (inside) 0 204.142.80.0 255.255.255.0 0 0

nat (inside) 0 204.142.81.0 255.255.255.0 0 0

nat (inside) 0 204.142.89.0 255.255.255.0 0 0

nat (inside) 0 204.142.253.0 255.255.255.0 0 0

nat (inside) 0 204.142.254.0 255.255.255.0 0 0

nat (inside) 0 10.0.0.0 255.0.0.0 0 0

nat (inside) 0 192.0.0.0 255.0.0.0 0 0

nat (inside) 0 204.0.0.0 255.0.0.0 0 0

nat (dmz:2) 0 0.0.0.0 0.0.0.0 0 0

I did a clear xlate and then

Pix-Admin1(config)# sh xlate

Global 192.231.232.136 Local vik

!Rest deleted.

Why is 'vik' being translated as 192.231.232.136 and not 192.231.232.135???


m.jensen
Level 1

My pix 515 uses a "static" command for this. It might look as such:

static (inside,outside) 190.231.232.135 204.142.253.55 netmask 255.255.255.255 0 0

You will also use an ACL to allow outside traffic to connect over specific ports etc.

But won't static allow inbound connections to the machine 204.142.253.55?

All I want is that whenever 204.142.253.55 goes to internet, it should take the address 192.231.232.135. I am new to pix, please correct me if I am wrong.

Can the machine you are using static for be accessed from outside or not, and under what scenario can one use nat and global?

Unless you add an acl allowing access to the inside host, outside hosts cannot access it.

Looking at a specific part of your configuration:

global (outside) 1 192.231.232.135 netmask 255.255.255.224

name 204.142.253.55 vik

nat (inside) 1 vik 255.255.255.255 0 0

nat (inside) 0 204.142.253.0 255.255.255.0 0 0

Take a closer look at this one:

nat (inside) 0 204.142.253.0 255.255.255.0 0 0

The address you are trying to translate with the nat 1 and global 1 statements is in the same subnet. So a better thing to do would be:

nat (inside) 0 access-list nonat

access-list nonat deny ip host 204.142.253.55 any

access-list nonat permit ip 204.142.253.0 255.255.255.0 any

Of course, this is just one way to do it.

I think you have other global and nat statements on your pix which give the translation to the address 192.231.232.136.

Hope this helps

Leo Mourits
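
Added example, not part of any post in this thread and not Cisco code: a small audit script that lists every `nat` statement whose range contains a given inside host, most specific first, together with the `global` pool tied to that nat id. The function names `parse` and `covering` are hypothetical, the sample is built from statements quoted in the thread, only the plain `nat (if) id address mask` form is handled, and the script does not model which statement the PIX itself selects.

```python
import ipaddress

# Constructed sample: a subset of the statements posted in this thread.
CONFIG = """\
name 204.142.253.55 vik
global (outside) 1 192.231.232.135 netmask 255.255.255.224
nat (inside) 1 vik 255.255.255.255 0 0
nat (inside) 0 192.231.232.0 255.255.255.128 0 0
nat (inside) 0 204.142.253.0 255.255.255.0 0 0
nat (inside) 0 10.0.0.0 255.0.0.0 0 0
nat (inside) 0 204.0.0.0 255.0.0.0 0 0
"""

def parse(config):
    """Collect name aliases, nat rules and global pools from PIX config lines."""
    names, nats, pools = {}, [], {}
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name" and len(tok) >= 3:
            names[tok[2]] = tok[1]                      # alias -> address
        elif tok[0] == "nat" and len(tok) >= 5 and tok[3] != "access-list":
            nats.append((int(tok[2]), tok[3], tok[4]))  # (nat id, address, mask)
        elif tok[0] == "global" and len(tok) >= 4:
            pools.setdefault(int(tok[2]), []).append(tok[3])
    return names, nats, pools

def covering(config, host):
    """Return (nat_id, network, global_pool) for each nat statement that
    contains host (an address or a 'name' alias), longest prefix first."""
    names, nats, pools = parse(config)
    addr = ipaddress.ip_address(names.get(host, host))
    hits = []
    for nat_id, net, mask in nats:
        network = ipaddress.ip_network(f"{names.get(net, net)}/{mask}", strict=False)
        if addr in network:
            hits.append((nat_id, str(network), pools.get(nat_id, [])))
    return sorted(hits, key=lambda h: -ipaddress.ip_network(h[1]).prefixlen)

if __name__ == "__main__":
    for nat_id, network, pool in covering(CONFIG, "vik"):
        print(f"nat id {nat_id:<2} {network:<20} global pool: {pool or 'none (nat 0)'}")
```

Run against the full `sh nat` and `sh global` output, this shows at a glance every statement that overlaps a host, including broad ranges such as `204.0.0.0 255.0.0.0`.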