https://community.cisco.com/t5/network-security/pix-515-version-6-3-nat-ing-question/m-p/736861#M1001546 <HTML><HEAD></HEAD><BODY><P>I am trying to make it so that only the data going from my internal 47.15 gets nat'd to 3.21 and info going to all other locations continues as was stated before. The firewall is currently working in the enviroment as:</P><P></P><P>global (outside_datae) 1 192.168.1.25 </P><P>global (outside_datap) 2 192.168.3.25 </P><P>nat (inside) 1 access-list datae </P><P>nat (inside) 2 access-list datap</P><P>access-group data_e in interface outside_datae </P><P>access-group data_p in interface outside_datap</P><P></P><P>I have added the enteries in my first post to get access to a different location on the outside, but have a specific translation on that address. The first post I made has the changes I added and I was just wondering the implications of my changes. Hopefully they don't break what was already there.</P></BODY></HTML> Mon, 23 Jul 2007 14:39:43 GMT ericluoma 2007-07-23T14:39:43Z https://community.cisco.com/t5/network-security/pix-515-version-6-3-nat-ing-question/m-p/736858#M1001530 <P>is the following ok? I am unsure if I can nat my 47.15 address to 3.21 with the interface alreading having a NAT that appears to be for all traffic going over the interface. Any guidence on this would be great.</P><P></P><P></P><P></P><P>global (outside_datae) 1 192.168.1.25</P><P>global (outside_datap) 2 192.168.3.25</P><P>global (outside_datap) 3 192.168.3.21</P><P></P><P>nat (inside) 1 access-list datae</P><P>nat (inside) 2 access-list datap</P><P>nat (inside) 3 192.168.47.15</P><P>access-group data_e in interface outside_datae</P><P>access-group data_p in interface outside_datap</P> Mon, 11 Mar 2019 10:48:02 GMT https://community.cisco.com/t5/network-security/pix-515-version-6-3-nat-ing-question/m-p/736858#M1001530 ericluoma 2019-03-11T10:48:02Z https://community.cisco.com/t5/network-security/pix-515-version-6-3-nat-ing-question/m-p/736859#M1001536 <HTML><HEAD></HEAD><BODY><P>assuming 192.168.47.15 is a single host address and not a network address, it's better to use the static command.</P><P></P><P>static (inside,outside_datap) 192.168.3.21 192.168.47.15</P><P></P><P>this also depends on what you're trying to accomplish. the way you have it, it's actually set up for PAT (aka NAT overloading) and not a true 1:1 static NAT. If you want inbound connections to be allowed to 192.168.47.15, you should use the static command.</P><P>depending on what ACL's datae and datap look like, the nat 3 statement may never take affect. </P></BODY></HTML> Mon, 23 Jul 2007 14:09:33 GMT https://community.cisco.com/t5/network-security/pix-515-version-6-3-nat-ing-question/m-p/736859#M1001536 srue 2007-07-23T14:09:33Z https://community.cisco.com/t5/network-security/pix-515-version-6-3-nat-ing-question/m-p/736860#M1001542 <HTML><HEAD></HEAD><BODY><P>The more specific one wins. !!</P><P></P><P>Gilbert</P></BODY></HTML> Mon, 23 Jul 2007 14:18:07 GMT https://community.cisco.com/t5/network-security/pix-515-version-6-3-nat-ing-question/m-p/736860#M1001542 ggilbert 2007-07-23T14:18:07Z https://community.cisco.com/t5/network-security/pix-515-version-6-3-nat-ing-question/m-p/736861#M1001546 <HTML><HEAD></HEAD><BODY><P>I am trying to make it so that only the data going from my internal 47.15 gets nat'd to 3.21 and info going to all other locations continues as was stated before. The firewall is currently working in the enviroment as:</P><P></P><P>global (outside_datae) 1 192.168.1.25 </P><P>global (outside_datap) 2 192.168.3.25 </P><P>nat (inside) 1 access-list datae </P><P>nat (inside) 2 access-list datap</P><P>access-group data_e in interface outside_datae </P><P>access-group data_p in interface outside_datap</P><P></P><P>I have added the enteries in my first post to get access to a different location on the outside, but have a specific translation on that address. The first post I made has the changes I added and I was just wondering the implications of my changes. Hopefully they don't break what was already there.</P></BODY></HTML> Mon, 23 Jul 2007 14:39:43 GMT https://community.cisco.com/t5/network-security/pix-515-version-6-3-nat-ing-question/m-p/736861#M1001546 ericluoma 2007-07-23T14:39:43Z https://community.cisco.com/t5/network-security/pix-515-version-6-3-nat-ing-question/m-p/736862#M1001552 <HTML><HEAD></HEAD><BODY><P>According to your configuration, you have an access-list called as "datae" and "data_e" &amp; "datap" and "data_p"</P><P></P><P>the access-list with "_" is applied to the interface.</P><P></P><P>The access-list without "_" is applied to the nat statements.</P><P></P><P>Let me know if there is anything you would need help with in this issue.</P></BODY></HTML> Thu, 26 Jul 2007 14:38:33 GMT https://community.cisco.com/t5/network-security/pix-515-version-6-3-nat-ing-question/m-p/736862#M1001552 ggilbert 2007-07-26T14:38:33Z