A network architecture is like this: PIX firewall, inside (private static IP 192.168.1.1), and the LAN of private static IPs 192.168.1.0 255.255.255.0, the outside (only one public IP available, i.e., 172.18.124.216).
For the LAN hosts to access the outside, such as the Internet, obviously a PAT is needed. This is a many-to-one translation.
Now, for any outside hosts to access the inside web server, such as 192.168.1.2, a permit and an IP translation have to be done. Usually, the translation will say:
1) If I understand it correctly, from inside to outside is PAT, many to one, while from outside to inside is a one-to-one static translation. Is this correct? How could both many to one and one to one co-exist on the same PIX?
2) What do the last two 0's stand for in the static statement above (0 0)?
The answer to question 1 is that they use different IP addresses.
For instance your PAT configuration on the PIX:
NAT (inside) 1 0 0
Global (outside) 1 interface
ip address outside 172.18.124.1 255.255.255.0
In this example all the outbound connections (those that start on the inside) will use the source address of 172.18.124.1 on the Internet. But each will use a different source port; that's the PAT part.
If you add a static translation, this maps 2 specific IP addresses to each other.
An inside PC with the address 192.168.1.2 will map to 172.18.124.216. If you start a connection from that PC, it will use the source address of 172.18.124.216.
This behaviour is modified when you include the www in the static. I think outbound connections from 192.168.1.2 will only use the address defined in the static if the source port is TCP 80; try it and see.
Any other inside address would use the outside address of the PIX as its source.
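The coexistence described in the answer above, as an added Python model that is not code from the thread or from Cisco: a static one-to-one entry and interface PAT live in the same translation table, and the permit is checked separately from the translation. The class and function names, the inside hosts 192.168.1.10 and 192.168.1.11, and the port numbers are constructed for illustration; the model covers new connections and PAT replies only, and does not model a port-restricted (www) static.

```python
from itertools import count

class XlateTable:
    """Toy model: static one-to-one entries take precedence over interface PAT."""

    def __init__(self, pat_addr, statics, permits):
        self.pat_addr = pat_addr
        self.statics = dict(statics)                        # inside IP -> outside IP
        self.static_rev = {o: i for i, o in self.statics.items()}
        self.permits = set(permits)                         # (outside IP, dst port) allowed in
        self._next_port = count(1024)                       # PAT source-port allocator
        self.pat = {}                                       # (inside IP, port) -> mapped port
        self.pat_rev = {}                                   # mapped port -> (inside IP, port)

    def outbound(self, src_ip, src_port):
        """Translate the source of a connection started on the inside."""
        if src_ip in self.statics:                          # one-to-one: port unchanged
            return self.statics[src_ip], src_port
        key = (src_ip, src_port)
        if key not in self.pat:                             # many-to-one: new mapped port
            mapped = next(self._next_port)
            self.pat[key], self.pat_rev[mapped] = mapped, key
        return self.pat_addr, self.pat[key]

    def inbound(self, dst_ip, dst_port):
        """Return the inside (ip, port) for traffic from outside, or None if dropped."""
        if dst_ip in self.static_rev:                       # new connection to a static
            if (dst_ip, dst_port) not in self.permits:      # translation is not permission
                return None
            return self.static_rev[dst_ip], dst_port
        if dst_ip == self.pat_addr:                         # only replies to PAT flows match
            return self.pat_rev.get(dst_port)
        return None

def demo():
    fw = XlateTable("172.18.124.1", {"192.168.1.2": "172.18.124.216"},
                    permits={("172.18.124.216", 80)})
    return {
        "pc_a": fw.outbound("192.168.1.10", 40000),         # constructed inside hosts
        "pc_b": fw.outbound("192.168.1.11", 40000),
        "web_out": fw.outbound("192.168.1.2", 40000),
        "web_in_80": fw.inbound("172.18.124.216", 80),
        "web_in_22": fw.inbound("172.18.124.216", 22),
        "pat_reply": fw.inbound("172.18.124.1", 1024),
        "pat_unsolicited": fw.inbound("172.18.124.1", 80),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

The static address is reachable from outside only on the permitted port, while the PAT address accepts nothing that does not match an existing outbound mapping.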