Cisco Support Community
New Member

PAT-config

Will this static config work based on the defined global & nat commands?

global (outside) 1 169.139.1.20-169.139.1.20 netmask 255.255.0.0

global (ssn) 1 169.139.254.101-169.139.254.101 netmask 255.255.0.0

nat (inside) 1 10.0.0.0 255.0.0.0 16384 11468

nat (ssn) 1 169.139.254.0 255.255.255.0 16384 11468

!

static (ssn,outside) 169.139.1.174 169.139.254.174 netmask 255.255.255.255 0 0

4 REPLIES
New Member

Re: PAT-config

By using addresses within the same range (both in 169.139.0.0/16) you created a conflict. Could you state which addresses (and mask) you are using on each network?
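The overlap this reply points to can be computed directly from the addresses and masks in the question. The Python below is an added example, not part of the original thread and not a Cisco tool; its function names are illustrative, and it recognises only the `global`, `nat` and `static` forms that appear in this thread.

```python
import ipaddress
import re
from itertools import combinations

# Added example (not a Cisco tool). CONFIG holds the lines posted in the question.
CONFIG = """\
global (outside) 1 169.139.1.20-169.139.1.20 netmask 255.255.0.0
global (ssn) 1 169.139.254.101-169.139.254.101 netmask 255.255.0.0
nat (inside) 1 10.0.0.0 255.0.0.0 16384 11468
nat (ssn) 1 169.139.254.0 255.255.255.0 16384 11468
static (ssn,outside) 169.139.1.174 169.139.254.174 netmask 255.255.255.255 0 0
"""

# Only the statement forms that appear in this thread are recognised.
GLOBAL_RE = re.compile(r"global \((\w+)\) \d+ ([\d.]+)-[\d.]+ netmask ([\d.]+)")
NAT_RE = re.compile(r"nat \((\w+)\) \d+ ([\d.]+) ([\d.]+)")
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) ([\d.]+) ([\d.]+) netmask")

def network(addr, mask):
    # strict=False: a host address stands in for the network that contains it
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Return ([(interface, kind, network)], [(real_if, mapped_if, mapped_ip, real_ip)])."""
    ranges, statics = [], []
    for line in map(str.strip, config.splitlines()):
        if m := GLOBAL_RE.match(line):
            ranges.append((m[1], "global", network(m[2], m[3])))
        elif m := NAT_RE.match(line):
            ranges.append((m[1], "nat", network(m[2], m[3])))
        elif m := STATIC_RE.match(line):
            statics.append((m[1], m[2], *map(ipaddress.ip_address, (m[3], m[4]))))
    return ranges, statics

def cross_interface_overlaps(ranges):
    """Pairs of ranges that belong to different interfaces yet overlap."""
    return [(a, b) for a, b in combinations(ranges, 2)
            if a[0] != b[0] and a[2].overlaps(b[2])]

def statics_inside_one_network(ranges, statics):
    """Statics whose real and mapped addresses sit in the same configured network."""
    return [s for s in statics
            if any(s[2] in net and s[3] in net for _, _, net in ranges)]

if __name__ == "__main__":
    ranges, statics = parse(CONFIG)
    for a, b in cross_interface_overlaps(ranges):
        print(f"overlap: {a[0]} {a[1]} {a[2]} <-> {b[0]} {b[1]} {b[2]}")
    print("statics within one network:", statics_inside_one_network(ranges, statics))
```

For the posted lines it reports the outside global network 169.139.0.0/16 overlapping both the ssn global network and the ssn nat source 169.139.254.0/24, and the static's two addresses falling inside that same /16.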

New Member

Re: PAT-config

Can this conflict be resolved by creating two separate nat IDs?

Also, those global addresses are my public addresses and they all have 16-bit masks.

New Member

Re: PAT-config

I'm sure the whole /16 isn't in front of the PIX in one lump.

A basic config could be:

- SSN is A.B.C.1/24

- Outside is Z.Y.X.1/28

Then the PAT rules could be:

nat (inside) 1 0 0

global (outside) 1 interface

global (ssn) 1 interface

This is assuming that the basic security policy is:

- inside to SSN allow, hide behind PAT

- inside to outside allow, hide behind PAT

Are there any other connections required?

New Member

Re: PAT-config

The concept is to hide ssn(dmz) and have their addresses 169.139.254.0/24 translated to an outside address. Likewise to have internal 10.0.0.0 be translated to an outside address.

Also, to use specific static commands to map individual hosts on the DMZ with a known public address.

I know that the /16 is a lot, but that's what the client has. I will investigate this part with the client.
