https://community.cisco.com/t5/network-security/pix-static-problem/m-p/121128#M614161 <P>We are using a parameter interface PIX 520.Problem is that here.</P><P>1. Already defined a static entry </P><P>static (inside,outside) 203.125.152.243 172.16.206.21 netmask 255.255.255.255 0 0</P><P>2.want to allow a WAN link with IP's 172.17.0.0/16 to pass through PIX transparent ( outside ) &amp; access the inside IP server 172.16.206.21.</P><P>Solution used : NAT 0....I can ping and traceroute both the outside IP's 172.20.23.51 etc from inside but cannot connect to the server application as there is an already defined static defined and we cannot have 2nd static like</P><P></P><P>static ( inside,outisde ) 172.16.206.21 172.16.206.21 netmask 255.255.255.255 0 0.</P><P></P><P>Here is the configuration.</P><P></P><P>access-list GPRSNONAT permit ip host 172.16.206.21 host 172.20.23.51</P><P>access-list GPRSNONAT permit ip host 172.16.206.21 host 172.20.10.66</P><P>access-list GPRSNONAT permit ip host 172.16.206.21 host 172.21.21.1</P><P>access-list GPRSNONAT permit ip host 172.16.206.21 host 172.21.21.2</P><P></P><P>nat (inside) 0 access-list GPRSNONAT</P><P></P><P>static (inside,outside) 203.125.152.243 172.16.206.21 netmask 255.255.255.255 0 0</P><P></P><P>Any help would be a great favor.</P><P></P> Fri, 21 Feb 2020 06:46:43 GMT damomann 2020-02-21T06:46:43Z https://community.cisco.com/t5/network-security/pix-static-problem/m-p/121128#M614161 <P>We are using a parameter interface PIX 520.Problem is that here.</P><P>1. Already defined a static entry </P><P>static (inside,outside) 203.125.152.243 172.16.206.21 netmask 255.255.255.255 0 0</P><P>2.want to allow a WAN link with IP's 172.17.0.0/16 to pass through PIX transparent ( outside ) &amp; access the inside IP server 172.16.206.21.</P><P>Solution used : NAT 0....I can ping and traceroute both the outside IP's 172.20.23.51 etc from inside but cannot connect to the server application as there is an already defined static defined and we cannot have 2nd static like</P><P></P><P>static ( inside,outisde ) 172.16.206.21 172.16.206.21 netmask 255.255.255.255 0 0.</P><P></P><P>Here is the configuration.</P><P></P><P>access-list GPRSNONAT permit ip host 172.16.206.21 host 172.20.23.51</P><P>access-list GPRSNONAT permit ip host 172.16.206.21 host 172.20.10.66</P><P>access-list GPRSNONAT permit ip host 172.16.206.21 host 172.21.21.1</P><P>access-list GPRSNONAT permit ip host 172.16.206.21 host 172.21.21.2</P><P></P><P>nat (inside) 0 access-list GPRSNONAT</P><P></P><P>static (inside,outside) 203.125.152.243 172.16.206.21 netmask 255.255.255.255 0 0</P><P></P><P>Any help would be a great favor.</P><P></P> Fri, 21 Feb 2020 06:46:43 GMT https://community.cisco.com/t5/network-security/pix-static-problem/m-p/121128#M614161 damomann 2020-02-21T06:46:43Z https://community.cisco.com/t5/network-security/pix-static-problem/m-p/121129#M614162 <HTML><HEAD></HEAD><BODY><P>If I understand your problem correctly I think the solution is to use Destination NAT. Here's an example:</P><P></P><P>alias(inside) 203.125.152.243 172.16.206.21 netmask 255.255.255.255</P><P></P><P>For more information refer to the section in this link:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml#dmz" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml#dmz</A></P><P></P><P>Hope this helps,</P><P>Cody Rowland</P><P>Infrastructure Engineer</P><P></P></BODY></HTML> Tue, 03 Jun 2003 11:25:39 GMT https://community.cisco.com/t5/network-security/pix-static-problem/m-p/121129#M614162 cody.rowland 2003-06-03T11:25:39Z https://community.cisco.com/t5/network-security/pix-static-problem/m-p/121130#M614163 <HTML><HEAD></HEAD><BODY><P>That static statement is fine. Based on your info in items 1 and 2 above, your ACL should look like this:</P><P></P><P>access-list GPRSNONAT permit ip host 172.16.206.21 172.17.0.0 255.255.0.0</P><P></P><P>You also need an ACL to allow the traffic in:</P><P></P><P>access-list outside permit ip 172.17.0.0 255.255.0.0 host 172.16.206.2</P><P>access-group outside in interface outside</P><P></P><P>The WAN IPs you reference in item #2 above don't match the other IPs you mention and reference in the nat0 ACL.</P><P>access-group outside in interface outside</P><P></P><P>After all changes are made, you must perform a [clear xlate local 172.16.206.21].</P></BODY></HTML> Tue, 03 Jun 2003 13:06:22 GMT https://community.cisco.com/t5/network-security/pix-static-problem/m-p/121130#M614163 shannong 2003-06-03T13:06:22Z