Cisco Support Community
PIX Static Problem

We are using a perimeter PIX 520. The problem is this:

1. Already defined a static entry

static (inside,outside) 203.125.152.243 172.16.206.21 netmask 255.255.255.255 0 0

2. We want to allow a WAN link with IPs in 172.17.0.0/16 to pass through the PIX transparently (from the outside) and access the inside server 172.16.206.21.

Solution used: nat 0. I can ping and traceroute the outside IPs (172.20.23.51 etc.) from inside but cannot connect to the server application, as there is already a static defined and we cannot have a second static like:

static (inside,outside) 172.16.206.21 172.16.206.21 netmask 255.255.255.255 0 0

Here is the configuration.

access-list GPRSNONAT permit ip host 172.16.206.21 host 172.20.23.51

access-list GPRSNONAT permit ip host 172.16.206.21 host 172.20.10.66

access-list GPRSNONAT permit ip host 172.16.206.21 host 172.21.21.1

access-list GPRSNONAT permit ip host 172.16.206.21 host 172.21.21.2

nat (inside) 0 access-list GPRSNONAT

static (inside,outside) 203.125.152.243 172.16.206.21 netmask 255.255.255.255 0 0

Any help would be a great favor.

2 REPLIES

Re: PIX Static Problem

If I understand your problem correctly, I think the solution is to use destination NAT. Here's an example:

alias (inside) 203.125.152.243 172.16.206.21 255.255.255.255

For more information refer to the section in this link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml#dmz

Hope this helps,

Cody Rowland

Infrastructure Engineer


Re: PIX Static Problem

That static statement is fine. Based on your info in items 1 and 2 above, your ACL should look like this:

access-list GPRSNONAT permit ip host 172.16.206.21 172.17.0.0 255.255.0.0

You also need an ACL to allow the traffic in:

access-list outside permit ip 172.17.0.0 255.255.0.0 host 172.16.206.21

access-group outside in interface outside

The WAN IPs you reference in item #2 above don't match the other IPs you mention and reference in the nat 0 ACL.


After all changes are made, you must perform a [clear xlate local 172.16.206.21].
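The pieces from the reply above, assembled into one PIX 6.x configuration fragment (an added example for this thread, not configuration posted by either participant). The static from the original post is kept as-is; the nat 0 exemption is widened to the 172.17.0.0/16 WAN range; the inbound ACL on the outside interface references the server's real address, because NAT exemption, unlike the static, leaves that address untranslated in both directions. The TCP port 8080 in the narrower ACL line is an assumption standing in for whatever port the server application actually listens on.

```cisco
: Existing static: Internet clients reach the server via its public address.
: The PIX evaluates "nat 0 access-list" before any static, so the exemption
: below coexists with this line and no second static for 172.16.206.21 is needed.
static (inside,outside) 203.125.152.243 172.16.206.21 netmask 255.255.255.255 0 0

: NAT exemption for the WAN link. Traffic between the server and 172.17.0.0/16
: keeps real addresses in both directions (exemption is bidirectional), which is
: why the outside ACL below can match the real server IP rather than the static's
: global address. The earlier per-host entries for 172.20.x/172.21.x belong here too
: if those peers still need to reach the server; they are omitted as they are not
: part of the 172.17.0.0/16 requirement.
access-list GPRSNONAT permit ip host 172.16.206.21 172.17.0.0 255.255.0.0
nat (inside) 0 access-list GPRSNONAT

: Inbound policy on the outside interface. Exempting the server from NAT exposes
: its real address to the whole WAN range, so this ACL is the only filter in front
: of it. The broad "permit ip" line matches the reply; prefer the port-specific
: line (port 8080 is an assumed application port, adjust to the real service).
access-list outside permit tcp 172.17.0.0 255.255.0.0 host 172.16.206.21 eq 8080
: access-list outside permit ip 172.17.0.0 255.255.0.0 host 172.16.206.21
access-group outside in interface outside

: Existing translations for the server were built under the old rules and must be
: torn down so new connections are evaluated against the updated nat 0 ACL.
clear xlate local 172.16.206.21
```

To confirm the exemption is taking effect, start a connection from a 172.17.0.0/16 host and check `show xlate` and `show conn`: a working session shows 172.16.206.21 untranslated for that peer, while a connection from the Internet to 203.125.152.243 still shows the static translation. If the WAN peers are the 172.20.x/172.21.x hosts from the original ACL rather than 172.17.0.0/16, keep those host entries in GPRSNONAT and use the same source ranges in the outside ACL; the pattern is identical.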
