https://community.cisco.com/t5/network-security/pix-global-ip/m-p/566100#M502399 <HTML><HEAD></HEAD><BODY><P>there must be a mistake on your configs. The static NAT always takes precedence over your nat - global instruction. meaning that any traffic going out from your NATes servers should use its static global address and not the one been configured for PAT. please send the configs </P></BODY></HTML> Mon, 17 Apr 2006 06:02:33 GMT Fernando_Meza 2006-04-17T06:02:33Z https://community.cisco.com/t5/network-security/pix-global-ip/m-p/566098#M502397 <P>can anyone just tell me that on PIX 515E is it important to have a global statement, meaning i have few ip address given by service provider out of which we have one setup for the global statement in pix. also we have NAT for different server. </P><P></P><P>problem which i face is that since the global statement is in place every ip going out is seen as the global ip even though i have setup NAT. i hope my point is clear. therefore i was planning to just drop the global statement but i am not so sure about the effect. any idea or help would be great. </P> Fri, 21 Feb 2020 08:50:34 GMT https://community.cisco.com/t5/network-security/pix-global-ip/m-p/566098#M502397 zulqurnain 2020-02-21T08:50:34Z https://community.cisco.com/t5/network-security/pix-global-ip/m-p/566099#M502398 <HTML><HEAD></HEAD><BODY><P>Well without the global statement only the ip address's that are natted will be able to talk to the rest of the world.</P><P></P><P>If you post your config we can look it over for you. Your servers that are natted should be going out using there natted ip address's.</P><P></P><P>Patrick</P></BODY></HTML> Mon, 17 Apr 2006 05:35:42 GMT https://community.cisco.com/t5/network-security/pix-global-ip/m-p/566099#M502398 Patrick Laidlaw 2006-04-17T05:35:42Z https://community.cisco.com/t5/network-security/pix-global-ip/m-p/566100#M502399 <HTML><HEAD></HEAD><BODY><P>there must be a mistake on your configs. The static NAT always takes precedence over your nat - global instruction. meaning that any traffic going out from your NATes servers should use its static global address and not the one been configured for PAT. please send the configs </P></BODY></HTML> Mon, 17 Apr 2006 06:02:33 GMT https://community.cisco.com/t5/network-security/pix-global-ip/m-p/566100#M502399 Fernando_Meza 2006-04-17T06:02:33Z https://community.cisco.com/t5/network-security/pix-global-ip/m-p/566101#M502400 <HTML><HEAD></HEAD><BODY><P>Yeah I also believe that something is definately not correct here, actually i inherited this setup from the last admin, who had left without a clue.. anyways. attachment is here. </P><P></P><P> </P><P></P></BODY></HTML> Mon, 17 Apr 2006 06:30:10 GMT https://community.cisco.com/t5/network-security/pix-global-ip/m-p/566101#M502400 zulqurnain 2006-04-17T06:30:10Z https://community.cisco.com/t5/network-security/pix-global-ip/m-p/566102#M502401 <HTML><HEAD></HEAD><BODY><P>mmm.. I see what is happening here. It seems NAT policy on those static statements are causing this issue .. you should not have any problem with host 172.20.4.208 though ... nothing wrong with the configuration but it is just the way NAT works. I suggest using a one to one NAT static instead of policy NAT i.e </P><P></P><P>static (inside,outside) 213.130.119.60 172.20.4.162 netmask 255.255.255.255 </P><P></P><P>You can the configure your ACL applied to the outside interface to only allow pop3 and smtp to 213.130.119.60</P><P></P><P></P><P></P><P></P></BODY></HTML> Mon, 17 Apr 2006 07:18:03 GMT https://community.cisco.com/t5/network-security/pix-global-ip/m-p/566102#M502401 Fernando_Meza 2006-04-17T07:18:03Z https://community.cisco.com/t5/network-security/pix-global-ip/m-p/566103#M502402 <HTML><HEAD></HEAD><BODY><P>Thanks i believe i got the picture but could you be more Elaborative as what needs to be done. i dont want to do without being sure what would be the effect. </P><P></P><P>secondly, you are talking about policy NAT ???? </P></BODY></HTML> Tue, 18 Apr 2006 05:32:07 GMT https://community.cisco.com/t5/network-security/pix-global-ip/m-p/566103#M502402 zulqurnain 2006-04-18T05:32:07Z https://community.cisco.com/t5/network-security/pix-global-ip/m-p/566104#M502403 <HTML><HEAD></HEAD><BODY><P>oops sorry ..</P><P></P><P>1.- add </P><P>access-list acl_out permit tcp any host 213.130.119.60 eq pop3</P><P></P><P>2.- Remove </P><P>no static (inside,outside) tcp 213.130.119.60 pop3 172.20.4.162 pop3 netmask 255.255.255.255 </P><P>no static (inside,outside) tcp 213.130.119.60 smtp 172.20.4.162 smtp netmask 255.255.255.255 </P><P>clear xlate</P><P></P><P>3.- Add </P><P>static (inside,outside) 213.130.119.60 172.20.4.162 netmask 255.255.255.255</P><P>clear xlate</P><P></P><P>Test and then save the config.</P><P></P><P>NOTE: The change shoudl be transparent .. but if you are not very confident then do it after hours.</P></BODY></HTML> Tue, 18 Apr 2006 05:45:18 GMT https://community.cisco.com/t5/network-security/pix-global-ip/m-p/566104#M502403 Fernando_Meza 2006-04-18T05:45:18Z https://community.cisco.com/t5/network-security/pix-global-ip/m-p/566105#M502404 <HTML><HEAD></HEAD><BODY><P>The clear xlate will break all current sessions, so you would see a quick outage.</P></BODY></HTML> Tue, 18 Apr 2006 16:07:13 GMT https://community.cisco.com/t5/network-security/pix-global-ip/m-p/566105#M502404 joneschw1 2006-04-18T16:07:13Z https://community.cisco.com/t5/network-security/pix-global-ip/m-p/566106#M502405 <HTML><HEAD></HEAD><BODY><P>Thanks guys, it worked </P><P></P><P></P></BODY></HTML> Thu, 20 Apr 2006 03:47:55 GMT https://community.cisco.com/t5/network-security/pix-global-ip/m-p/566106#M502405 zulqurnain 2006-04-20T03:47:55Z https://community.cisco.com/t5/network-security/pix-global-ip/m-p/566107#M502406 <HTML><HEAD></HEAD><BODY><P>great ... don't forget to score and resolve the issue .. </P><P></P><P>Cheers,</P><P></P></BODY></HTML> Thu, 20 Apr 2006 04:26:43 GMT https://community.cisco.com/t5/network-security/pix-global-ip/m-p/566107#M502406 Fernando_Meza 2006-04-20T04:26:43Z