PIX Static Problem

damomann
Level 1

We are using a parameter interface PIX 520. The problem is as follows.

1. Already defined a static entry

static (inside,outside) 203.125.152.243 172.16.206.21 netmask 255.255.255.255 0 0

2. Want to allow a WAN link with IPs 172.17.0.0/16 to pass through the PIX transparently (outside) and access the inside IP server 172.16.206.21.

Solution used: NAT 0. I can ping and traceroute both the outside IPs 172.20.23.51 etc. from inside, but cannot connect to the server application, as there is already a static defined and we cannot have a 2nd static like

static (inside,outside) 172.16.206.21 172.16.206.21 netmask 255.255.255.255 0 0

Here is the configuration.

access-list GPRSNONAT permit ip host 172.16.206.21 host 172.20.23.51

access-list GPRSNONAT permit ip host 172.16.206.21 host 172.20.10.66

access-list GPRSNONAT permit ip host 172.16.206.21 host 172.21.21.1

access-list GPRSNONAT permit ip host 172.16.206.21 host 172.21.21.2

nat (inside) 0 access-list GPRSNONAT

static (inside,outside) 203.125.152.243 172.16.206.21 netmask 255.255.255.255 0 0

Any help would be a great favor.

2 Replies

cody.rowland
Level 1

If I understand your problem correctly I think the solution is to use Destination NAT. Here's an example:

alias(inside) 203.125.152.243 172.16.206.21 netmask 255.255.255.255

For more information refer to the section in this link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml#dmz

Hope this helps,

Cody Rowland

Infrastructure Engineer

shannong
Level 4

That static statement is fine. Based on your info in items 1 and 2 above, your ACL should look like this:

access-list GPRSNONAT permit ip host 172.16.206.21 172.17.0.0 255.255.0.0

You also need an ACL to allow the traffic in:

access-list outside permit ip 172.17.0.0 255.255.0.0 host 172.16.206.2

access-group outside in interface outside

The WAN IPs you reference in item #2 above don't match the other IPs you mention and reference in the nat0 ACL.

After all changes are made, you must perform a [clear xlate local 172.16.206.21].
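The following is an added example, not code from this thread or from Cisco: a small Python model of how a PIX 6.x firewall chooses a translation for an outbound packet, used to compare the original poster's configuration with the ACL change suggested in the reply above. It assumes the documented PIX order of precedence (NAT exemption via nat 0 access-list is consulted before static translations) and that an inbound ACL on the outside interface matches the destination as it appears on that interface, which for an exempted host is its real address. The addresses and ACL names come from the thread; the sample packets and the two config lists are constructed here, and the inbound ACL is written against the server address 172.16.206.21 from the original post rather than the 172.16.206.2 shown in the reply.

```python
import ipaddress

# Constructed from the configuration lines posted in the thread.
SERVER = "172.16.206.21"
STATIC = "static (inside,outside) 203.125.152.243 172.16.206.21 netmask 255.255.255.255 0 0"

ORIGINAL = [
    "access-list GPRSNONAT permit ip host 172.16.206.21 host 172.20.23.51",
    "access-list GPRSNONAT permit ip host 172.16.206.21 host 172.20.10.66",
    "access-list GPRSNONAT permit ip host 172.16.206.21 host 172.21.21.1",
    "access-list GPRSNONAT permit ip host 172.16.206.21 host 172.21.21.2",
    "nat (inside) 0 access-list GPRSNONAT",
    STATIC,
]

# The reply's suggestion: exempt the whole WAN range and permit it inbound.
# Assumption: the inbound ACL targets the server address from the question.
CORRECTED = [
    "access-list GPRSNONAT permit ip host 172.16.206.21 172.17.0.0 255.255.0.0",
    "nat (inside) 0 access-list GPRSNONAT",
    STATIC,
    "access-list outside permit ip 172.17.0.0 255.255.0.0 host 172.16.206.21",
    "access-group outside in interface outside",
]


def _parse_endpoint(tokens, i):
    """Parse one PIX ACL endpoint: 'host A', 'any', or 'NET MASK'.
    PIX ACLs use subnet masks, not IOS wildcard masks."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    net = ipaddress.ip_network(tokens[i] + "/" + tokens[i + 1], strict=False)
    return net, i + 2


def parse_acl(lines):
    """Return {acl_name: [(action, src_net, dst_net), ...]} for 'ip' entries."""
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        if t[3] != "ip":
            raise ValueError("only 'ip' entries are modelled: " + line)
        src, i = _parse_endpoint(t, 4)
        dst, _ = _parse_endpoint(t, i)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls


def acl_permits(entries, src, dst):
    """First-match semantics with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def translate_outbound(config_lines, src, dst):
    """Source address a packet from src to dst leaves the outside interface with:
    unchanged if NAT exemption matches, the static's global address if a static
    applies, otherwise None (no translation available)."""
    acls = parse_acl(config_lines)
    exempt_acl = None
    statics = {}  # local address -> global address
    for line in config_lines:
        t = line.split()
        if len(t) >= 5 and t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            exempt_acl = t[4]
        elif t and t[0] == "static":
            statics[t[3]] = t[2]  # static (in,out) GLOBAL LOCAL ...
    if exempt_acl and acl_permits(acls.get(exempt_acl, []), src, dst):
        return src  # exemption wins: the real address is kept
    return statics.get(src)


def inbound_permitted(config_lines, src, dst_on_outside):
    """Apply the ACL bound with 'access-group NAME in interface outside'.
    Without one, inbound traffic on outside is implicitly denied."""
    acls = parse_acl(config_lines)
    for line in config_lines:
        t = line.split()
        if t[:1] == ["access-group"] and t[2:5] == ["in", "interface", "outside"]:
            return acl_permits(acls.get(t[1], []), src, dst_on_outside)
    return False


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(label, "| server -> 172.17.5.5 leaves as",
              translate_outbound(cfg, SERVER, "172.17.5.5"),
              "| WAN -> server permitted inbound:",
              inbound_permitted(cfg, "172.17.5.5", SERVER))
```

Running it shows the point of the reply: with the original host-only GPRSNONAT entries, a packet from the server to any 172.17.0.0/16 address misses the exemption, so the static rewrites it to 203.125.152.243 and the WAN side never sees the real address; with the /16 exemption entry the real address is kept, and the outside access-group lets the WAN range reach the server. A second static for the same local address is not needed.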
