https://community.cisco.com/t5/network-security/pix-nat-pat-issue/m-p/591289#M498445 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>There is two points to clear:</P><P>1) Is the outside global address used in "global (outside) 25" identical to previously used?</P><P>2) According to your statements:</P><P></P><P>global (outside) 25 x.x.x.124 </P><P>nat (inside) 25 192.168.0.20 255.255.255.255 0 0</P><P></P><P>You want to translate a single inside local ip 12.168.0.20 in the inside to the inside global x.x.x.124</P><P>But this is a one-to-one translation! And this is equivalent to:</P><P>static (inside, outside) x.x.x.124 192.168.0.20</P><P></P><P>And if the last x.x.x.124 is the same as previously used, you should have a problem with the "global (outside) 25" and event with the "static" command, I have proposed, because you can use the same outside global address in different static command only if you use different ports (policy NAT)</P><P>So i suggest the following if I understood what you want:</P><P>=================================================================</P><P></P><P>access-list inbound permit tcp any host x.x.x.124 eq smtp</P><P>access-list inbound permit tcp any host x.x.x.124 eq www </P><P>!this acl statement concern traffic destined to 192.168.0.20 </P><P>access-list inbound permit tcp any host x.x.x.124 eq <PORTA> </PORTA></P><P></P><P>static (inside,outside) tcp x.x.x.124 smtp 192.168.0.22 smtp netmask 255.255.255.255 0 0 </P><P>!You add this line if you want to access to (192.168.0.20,portA) from the outside</P><P>static (inside,outside) tcp x.x.x.124 <PORTA> 192.168.0.20 <PORTA> netmask 255.255.255.255 0 0 </PORTA></PORTA></P><P>static (DMZ,outside) tcp x.x.x.124 www 172.16.30.1 www netmask 255.255.255.255 0 0 </P><P></P><P>global (outside) 1 x.x.x.114 </P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0 </P><P></P><P></P></BODY></HTML> Sun, 13 Aug 2006 07:52:15 GMT abdel_n 2006-08-13T07:52:15Z https://community.cisco.com/t5/network-security/pix-nat-pat-issue/m-p/591288#M498444 <P>I am having a problem with a nat/pat on a 515.</P><P></P><P>For smtp traffic coming in, I need to send the traffic to a Spam filter device, and the www traffic to the OWA box (inside the DMZ). When the mail goes out from the Exchange Server I need it to use a different global(outside) than the other address so that it is on the address with the Reverse DNS entry. So far I have:</P><P></P><P>access-list inbound line 2 permit tcp any host x.x.x.124 eq smtp (hitcnt=245082)</P><P>access-list inbound line 4 permit tcp any host x.x.x.124 eq www (hitcnt=2623)</P><P></P><P>static (inside,outside) tcp x.x.x.124 smtp 192.168.0.22 smtp netmask 255.255.255.255 0 0</P><P>static (DMZ,outside) tcp x.x.x.124 www 172.16.30.1 www netmask 255.255.255.255 0 0</P><P></P><P>global (outside) 1 x.x.x.114</P><P>global (outside) 25 x.x.x.124</P><P></P><P>nat (inside) 25 192.168.0.20 255.255.255.255 0 0</P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0</P><P></P><P>The problem I have is when I add the nat (inside) 25 rule, then the Exchange server no longer routes past the Pix to the internet on outbound connections, but I can still connect to it remotely via RDP. I have ran a clear xlate, and still cannot get it to traverse the pix and talk out on the x.x.x.124 address.</P><P></P><P>This same config works for me on another client's pix, just doesn't want to work here. they are both version 6.3. The one that works is 6.3(4) while this one is 6.3(1). Is it a bug in that revision, or am I missing something else?</P><P></P><P>--Thanks in advance</P> Fri, 21 Feb 2020 09:06:38 GMT https://community.cisco.com/t5/network-security/pix-nat-pat-issue/m-p/591288#M498444 awmccurry 2020-02-21T09:06:38Z https://community.cisco.com/t5/network-security/pix-nat-pat-issue/m-p/591289#M498445 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>There is two points to clear:</P><P>1) Is the outside global address used in "global (outside) 25" identical to previously used?</P><P>2) According to your statements:</P><P></P><P>global (outside) 25 x.x.x.124 </P><P>nat (inside) 25 192.168.0.20 255.255.255.255 0 0</P><P></P><P>You want to translate a single inside local ip 12.168.0.20 in the inside to the inside global x.x.x.124</P><P>But this is a one-to-one translation! And this is equivalent to:</P><P>static (inside, outside) x.x.x.124 192.168.0.20</P><P></P><P>And if the last x.x.x.124 is the same as previously used, you should have a problem with the "global (outside) 25" and event with the "static" command, I have proposed, because you can use the same outside global address in different static command only if you use different ports (policy NAT)</P><P>So i suggest the following if I understood what you want:</P><P>=================================================================</P><P></P><P>access-list inbound permit tcp any host x.x.x.124 eq smtp</P><P>access-list inbound permit tcp any host x.x.x.124 eq www </P><P>!this acl statement concern traffic destined to 192.168.0.20 </P><P>access-list inbound permit tcp any host x.x.x.124 eq <PORTA> </PORTA></P><P></P><P>static (inside,outside) tcp x.x.x.124 smtp 192.168.0.22 smtp netmask 255.255.255.255 0 0 </P><P>!You add this line if you want to access to (192.168.0.20,portA) from the outside</P><P>static (inside,outside) tcp x.x.x.124 <PORTA> 192.168.0.20 <PORTA> netmask 255.255.255.255 0 0 </PORTA></PORTA></P><P>static (DMZ,outside) tcp x.x.x.124 www 172.16.30.1 www netmask 255.255.255.255 0 0 </P><P></P><P>global (outside) 1 x.x.x.114 </P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0 </P><P></P><P></P></BODY></HTML> Sun, 13 Aug 2006 07:52:15 GMT https://community.cisco.com/t5/network-security/pix-nat-pat-issue/m-p/591289#M498445 abdel_n 2006-08-13T07:52:15Z