Cisco Support Community
New Member

PIX 501 static and dynamic NAT

Will a PIX 501 6.3 support a static NAT to a single Internet IP address for a mail server and allow PAT behind the same Internet IP address to a couple of workstations?

Once I configure the static NAT, the PAT for the workstations stops working.

If I remove the static address for the mail server, I can PAT again.

7 REPLIES
Bronze

Re: PIX 501 static and dynamic NAT

Hey Rich,

Just so I'm understanding this correctly:

You want a mail server to access the internet and be accessible behind an IP address (i.e., inside IP address is 1.1.1.1 and outside is 2.2.2.2).

You also want all the hosts (1.1.1.2 - 254) to also PAT to 2.2.2.2.

If you just put a static in:

static (inside,outside) 2.2.2.2 1.1.1.1 netmask 255.255.255.255

That will take precedence over your global so that *any* traffic going to 2.2.2.2 goes back to 1.1.1.1 assuming you have something the equivalent of

nat (inside) 1 1.1.1.0 255.255.255.0

global (outside) 1 2.2.2.2

So all your return traffic from the internet to your other hosts won't work.

What you really need to do is make your static specific: You only need this for mail, correct? Replace your static with:

static (inside,outside) tcp 2.2.2.2 1.1.1.1 25 netmask 255.255.255.255

So that the static is only used for SMTP (port 25) - which should allow it to be used for mail.

Don't forget to do a 'clear xlate' when you're done reconfiguring.

Also, you can read up on static pat in the command reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801cd841.html#wp1026694

Don't forget to rate if it helps!

--Jason

New Member

Re: PIX 501 static and dynamic NAT

Thanks for the reply Jason.

Are you saying that I should keep the global config:

nat (inside) 1 1.1.1.0 255.255.255.0

global (outside) 1 2.2.2.2

And add the static for the mail server?

Bronze

Re: PIX 501 static and dynamic NAT

Hello,

Yes, remove the static you have, and replace it with this one:

static (inside,outside) tcp 2.2.2.2 1.1.1.1 25 netmask 255.255.255.255

and then do a clear xlate and then see if it works.

--Jason

Please rate if this helps.

New Member

Re: PIX 501 static and dynamic NAT

Result:

invalid global port 192.168.1.100

My config has the following:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

It will not let me make the change.

Bronze

Re: PIX 501 static and dynamic NAT

static (blah,outside) tcp 1.1.1.1 smtp 2.2.2.2 smtp netmask 255.255.255.255

The syntax was wrong.

New Member

Re: PIX 501 static and dynamic NAT

Thanks man,

That looks like it did the trick.

Bronze

Re: PIX 501 static and dynamic NAT

Excellent!

Don't forget to mark this as having solved your issue!
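
Added example, not part of the original thread and not Cisco tooling: a small Python check that flags the conflict discussed above, a one-to-one static that claims the same outside address used for PAT, while accepting the port-specific (tcp/udp) form. The function name, the handled subset of PIX 6.3 syntax and the sample configs are assumptions constructed for illustration.

```python
import re

# Assumed subset of PIX 6.3 syntax, enough for the configs in this thread:
#   global (outside) 1 <ip|interface>
#   static (inside,outside) [tcp|udp] <global_ip|interface> [port] <local_ip> [port] ...
GLOBAL_RE = re.compile(r"^global\s+\((\w+)\)\s+\d+\s+(\S+)")
STATIC_RE = re.compile(r"^static\s+\(\w+,(\w+)\)\s+(\S.*)$")

def find_static_pat_conflicts(config_text):
    """Return one-to-one static lines that claim an address also used for PAT."""
    pat_addrs = set()  # (interface, address) pairs used as PAT globals
    statics = []       # (interface, global address, is_port_redirect, line)
    for raw in config_text.splitlines():
        line = raw.strip()
        m = GLOBAL_RE.match(line)
        if m:
            if "-" not in m.group(2):  # a-b is a NAT pool, a single address is PAT
                pat_addrs.add((m.group(1), m.group(2)))
            continue
        m = STATIC_RE.match(line)
        if m:
            tokens = m.group(2).split()
            port_redirect = tokens[0] in ("tcp", "udp") and len(tokens) > 1
            addr = tokens[1] if port_redirect else tokens[0]
            statics.append((m.group(1), addr, port_redirect, line))
    # A port redirect only claims one port; a plain static claims the whole address.
    return [line for ifc, addr, redirect, line in statics
            if not redirect and (ifc, addr) in pat_addrs]

# Constructed samples using the thread's placeholder addresses.
CONFLICTING = """
nat (inside) 1 1.1.1.0 255.255.255.0
global (outside) 1 2.2.2.2
static (inside,outside) 2.2.2.2 1.1.1.1 netmask 255.255.255.255
"""
PORT_SPECIFIC = """
nat (inside) 1 1.1.1.0 255.255.255.0
global (outside) 1 2.2.2.2
static (inside,outside) tcp 2.2.2.2 smtp 1.1.1.1 smtp netmask 255.255.255.255
"""

if __name__ == "__main__":
    print(find_static_pat_conflicts(CONFLICTING))
    print(find_static_pat_conflicts(PORT_SPECIFIC))
```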
