
New Member

confused by NAT

Please find my nat and global commands below. I want to translate the IP 204.142.253.55 / 24 (vik) to 190.231.232.135 / 27 (one of the ISP-assigned public addresses).

Pix-Admin1(config)# sh global

global (outside) 1 192.231.232.135 netmask 255.255.255.224

name 204.142.253.55 vik

Pix-Admin1(config)# sh nat

nat (inside) 1 vik 255.255.255.255 0 0

nat (inside) 0 192.231.232.0 255.255.255.128 0 0

nat (inside) 0 192.168.254.0 255.255.255.0 0 0

nat (inside) 0 198.138.22.0 255.255.255.0 0 0

nat (inside) 0 204.142.80.0 255.255.255.0 0 0

nat (inside) 0 204.142.81.0 255.255.255.0 0 0

nat (inside) 0 204.142.89.0 255.255.255.0 0 0

nat (inside) 0 204.142.253.0 255.255.255.0 0 0

nat (inside) 0 204.142.254.0 255.255.255.0 0 0

nat (inside) 0 10.0.0.0 255.0.0.0 0 0

nat (inside) 0 192.0.0.0 255.0.0.0 0 0

nat (inside) 0 204.0.0.0 255.0.0.0 0 0

nat (dmz:2) 0 0.0.0.0 0.0.0.0 0 0

I did a clear xlate and then

Pix-Admin1(config)# sh xlate

Global 192.231.232.136 Local vik

!Rest deleted.

Why is 'vik' being translated as 192.231.232.136 and not 192.231.232.135???

4 REPLIES
New Member

Re: confused by NAT

My pix 515 uses a "static" command for this. It might look as such:

static (inside,outside) 190.231.232.135 204.142.253.55 netmask 255.255.255.255 0 0

You will also use an ACL to allow outside traffic to connect over specific ports etc.

New Member

Re: confused by NAT

But won't static allow inbound connections to the machine 204.142.253.55?

All I want is that whenever 204.142.253.55 goes to internet, it should take the address 192.231.232.135. I am new to pix, please correct me if I am wrong.

Can the machine you are using static for be accessed from outside or not, and under what scenario can one use nat and global?

New Member

Re: confused by NAT

Unless you add an acl allowing access to the inside host, outside hosts cannot access it.

Silver

Re: confused by NAT

Looking at a specific part of your configuration:

global (outside) 1 192.231.232.135 netmask 255.255.255.224

name 204.142.253.55 vik

nat (inside) 1 vik 255.255.255.255 0 0

nat (inside) 0 204.142.253.0 255.255.255.0 0 0

Take a closer look at this one:

nat (inside) 0 204.142.253.0 255.255.255.0 0 0

The address you are trying to translate with the nat 1 and global 1 statements is in the same subnet. So a better thing to do would be:

nat (inside) 0 access-list nonat

access-list nonat deny ip host 204.142.253.55 any

access-list nonat permit ip 204.142.253.0 255.255.255.0 any

Of course, this is just one way to do it.

I think you have other global and nat statements on your PIX which give the translation to the address 192.231.232.136.

Hope this helps

Leo Mourits
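
The overlap discussed in the last reply can be checked mechanically. The following is an added example, not part of the original thread or of any Cisco tooling: a Python check that lists every nat statement covering a given host, run over a subset of the configuration lines quoted above. It only reports overlaps and makes no claim about which rule the PIX prefers; the function names (`parse`, `matching_nat_rules`, `audit`) are hypothetical.

```python
import ipaddress

# Constructed sample: a subset of the name/global/nat lines quoted in the thread.
SAMPLE_CONFIG = """\
global (outside) 1 192.231.232.135 netmask 255.255.255.224
name 204.142.253.55 vik
nat (inside) 1 vik 255.255.255.255 0 0
nat (inside) 0 192.231.232.0 255.255.255.128 0 0
nat (inside) 0 204.142.253.0 255.255.255.0 0 0
nat (inside) 0 10.0.0.0 255.0.0.0 0 0
nat (inside) 0 204.0.0.0 255.0.0.0 0 0
"""

def parse(config):
    """Split config text into name aliases, raw nat rules and global pool ids."""
    names, nats, pools = {}, [], set()
    for line in config.splitlines():
        tok = line.split()
        if len(tok) >= 3 and tok[0] == "name":
            names[tok[2]] = tok[1]                      # alias -> address
        elif len(tok) >= 3 and tok[0] == "global":
            pools.add(int(tok[2]))                      # nat id served by a global
        elif len(tok) >= 5 and tok[0] == "nat" and tok[3] != "access-list":
            nats.append((tok[1], int(tok[2]), tok[3], tok[4]))
    return names, nats, pools

def matching_nat_rules(config, host, iface="(inside)"):
    """Return [(nat_id, network)] for every nat rule on iface covering host,
    most specific first. Aliases are resolved after the whole text is read."""
    names, nats, _ = parse(config)
    ip = ipaddress.ip_address(names.get(host, host))
    hits = []
    for rule_iface, nat_id, addr, mask in nats:
        net = ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)
        if rule_iface == iface and ip in net:
            hits.append((nat_id, str(net)))
    return sorted(hits, key=lambda h: -int(h[1].split("/")[1]))

def audit(config, host):
    """Flag a host matched by nat rules with different ids, and ids lacking a global."""
    hits = matching_nat_rules(config, host)
    ids = {nat_id for nat_id, _ in hits}
    pools = parse(config)[2]
    # nat id 0 means "do not translate", so it needs no matching global.
    return {"matches": hits, "overlap": len(ids) > 1,
            "ids_without_global": sorted(i for i in ids if i != 0 and i not in pools)}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, "vik"))
```

For `vik` the check reports three matching statements: the nat 1 host entry plus two nat 0 ranges, 204.142.253.0/24 and 204.0.0.0/8.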
