topic Please share the current in Network Security

PIX Firewall Config Setup Static & NAT PIX 501 6.3

Laith7640 — Tue, 12 Mar 2019 09:21:34 GMT

Hi,

I have two Internal hosts that I would like to nat them but every time I'm trying to add the second host I'm getting a duplicate of existing static error.

I also tried to create a group for this two hosts and add them statically into the nat rules but the same thing.

Internal IP address

192.168.11.122

192.168.11.20

I have this configuration into the PIX

global (outside) 1 192.168.100.1
static (inside,outside) 192.168.100.1 192.168.11.122 netmask 255.255.255.255 0 0

here is the error when I'm adding the second host

DC1N-AZAOC-PIX-02(config)# static (inside,outside) 192.168.100.1 192.168.11.20 netmask 255.255.255.255
ERROR: duplicate of existing static

from inside:192.168.11.122 to outside:192.168.200.3 netmask 255.255.255.255
Usage: [no] static [(real_ifc, mapped_ifc)]
{<mapped_ip>|interface}
{<real_ip> [netmask <mask>]} | {access-list <acl_name>}
[dns] [norandomseq] [<max_conns> [<emb_lim>]]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{<mapped_ip>|interface} <mapped_port>
{<real_ip> <real_port> [netmask <mask>]} |
{access-list <acl_name>}
[dns] [norandomseq] [<max_conns> [<emb_lim>]]

Please help

You're cannot have a static

Marvin Rhoads — Sun, 14 May 2017 03:06:44 GMT

You're cannot have a static NAT for two hosts to the same outside address. You could let the dynamic nat (global type) handle it.

Marvin,

Laith7640 — Sun, 14 May 2017 03:15:17 GMT

Marvin,

thanks for the quick response, would u please show me how to reconfigure it or what is going to be the correct syntax to do dynamic nat

You're halfway there with

jj27 — Sun, 14 May 2017 11:13:12 GMT

You're halfway there with your existing configuration.

These two commands will dynamically NAT hosts in the 192.168.11.0 subnet to 192.168.100.1.

nat (inside) 1 192.168.11.0 255.255.255.0   <--- this assumes it is a /24.
global (outside) 1 192.168.100.1

That's correct @jjohnston1127

Marvin Rhoads — Sun, 14 May 2017 15:13:07 GMT

That's correct jjohnston1127

Laith7640 Please let us know if that works for you.

still not working, I'm not

Laith7640 — Mon, 15 May 2017 03:02:17 GMT

still not working, I'm not able to ping the other side public IP address, from the server

that has the IP address 192.168.11.122 everything works just fine but the other one

with dynamic nat still not working

Please share the current

Marvin Rhoads — Mon, 15 May 2017 03:08:48 GMT

Please share the current output of these two commands:

show run nat

show run policy-map

Your Pix software is so old it does not support the packet-tracer command (introduced in 7.2(1)) that we would normally use for troubleshooting.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/p1.html

router# sh run policy-map:

Laith7640 — Mon, 15 May 2017 03:59:02 GMT

router# sh run policy-map
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

access-group 100 in interface outside

access-list 100 permit icmp host 192.168.11.20 host 192.168.100.1
access-list 100 permit icmp host 192.168.100.1 host 192.168.11.20

Sorry but the old software is

Marvin Rhoads — Mon, 15 May 2017 03:59:03 GMT

Sorry but the old software is not even giving the correct output for those basic statements.

Could you just attach the whole configuration ("show run" output)?

Oh - and by the way - you will never be able to ping (get an icmp echo reply) the server's public IP address from the server itself. You need to verify the configuration by trying to ping a remote system from the server or, if you have allowed icmp inbound access, by pinging the server's public IP address from a remote system.

Marvin,jjohnston1127

Laith7640 — Tue, 16 May 2017 16:12:54 GMT

Marvin,jjohnston1127

Big Thanks to you guys finally I got this to work.

What I had to do to get this working is the following

1- Remove the static Nat translation

Static (inside, outside) 192.168.100.1 192.168.11.20 netmask 255.255.255.255

2- Add the dynamic NAT

nat (inside) 1 192.168.11.0 255.255.255.0

3- Clear Xlate