Not an ACL problem. Did u clear xlate after adding the static NAT? Also, make sure that the IP is valid and not taken by any other machine on the public side. Static NAT should take precedence over PAT.

Let me know if this works,

Regards,

I don't think it's an ACL problem either.

The two public IPs are valid, I checked it connecting laptop directly to the modem. I assigned those IPs in turn to the laptop and was able to access the Internet.

I didn't clear xlate after adding the static, could you tell me some more about that? Actually it doesn't work if I load the whole config to the PIX and put it on the network.

Could it be an issue with the Internet provider? How could I possibly test to prove their fault? We have several similar configs with other clients and they work.

Thank you.

Well, the default time out for a translation is 3 hours. Therefore, if you were having PAT entry in the trasnlation table for the server and then you add the static entry, the PAT entry will still be there. Therefore, it is better to issue the clear xlate which will clear the translation table. SHOW xlate will show you the PAT and NAT translations. Check to make sure you see the translation for the server.

I suggest using another IP such as 245 or 246 just to make sure that nobody has these IPs on the outside switch.

Other suggestion, start from scratch troubleshooting:

1- Ping the PIX from the Server

2- Traceroute from the server to the outside world

3- Make sure you don't have any ACL applied on the Internal interface.

Let me know how it goes,

Another thing to try:

global (outside) 1 interface

nat (inside) 1 10.0.0.0 255.255.255.0

Waiting for your feedback,

Thank you very much for the answers. I cannot try what you have advised just yet, it's a production environment. I have configured port redirection on an outside PIX interface, 61.90.90.242:25 -> 10.0.0.10:25, it works and the client is happy.

Just a bit more of theory.

Suppose I have a NAT on the interface, the server accesses the Internet, translation entry is created:

PAT Global 61.90.90.242(1378) Local 10.0.0.100(26721)

Now I add my static nat statement:

static(inside, outside) 61.90.90.243 10.0.0.100 netmask 255.255.255.255 0 0

I try to access the Internet from the server again, wouldn't the server be using interface PAT as it did before I added the static ? In other words, would the server be using interface PAT or static NAT when it initiated an outbound connection to the Internet?

Thank you very much for your help.

Well, the server will be using the PAT and if you have enabled access from outside to that particular server it won't be successfull.

I wish you could try the things I told you so that we know where was the problem.

Good to know that your customer is happy,

Regards,

One thing to note for you is that since u did static NAT with port redirection, the server will be using the PAT from outgoing connections. You can check that by going to www.whatismyip.com on the server and you will see the PAT IP.

Regards,

wouldn't the static entry take precedence over PAT?

I tried static NAT/PAT config in the lab, ran a network analizer on the PIX default gateway and the capture showed statically mapped IP as source address for packets going from inside network to the world.

Can you paste the whole PIX config maybe I can spote any other issue?

Thanks,