https://community.cisco.com/t5/network-security/static-pat-acl-help/m-p/1365278#M734340 <DIV dir="ltr"><SPAN style="font-size: 10pt; color: #000000; font-family: Tahoma;">Hello,</SPAN></DIV><DIV dir="ltr"> </DIV><DIV dir="ltr"><SPAN style="font-size: 10pt; font-family: tahoma;">I have a client that needs access to a particular server on the DMZ from the outside Interface - I have created a static PAT statement 1200 translated to 1200 (I have created the 1200 port so they can access this particular server) and created an access-list from outside to the DMZ. When i run packet tracer it fails at the last part at the NAT.</SPAN></DIV><P></P><P><SPAN style="font-size: 10pt; font-family: tahoma;"></SPAN></P><DIV dir="ltr">Type - NAT<BR />Subtype - rpf-check<BR />Action - DROP<BR />Show rule in NAT Rules table. <BR />Config<BR />static (DMZ,Outside) tcp interface 1200 access-list DMZ_nat_static_2 <BR />nat-control match tcp DMZ host 2.2.2.2eq 1200 <BR />Outside host 80.80.80.80 static translation to 90.90.90.90/1200 translate_hits = 0, untranslate_hits = 11</DIV><DIV dir="ltr"> </DIV><DIV dir="ltr">config;</DIV><DIV dir="ltr"> </DIV><DIV dir="ltr"><DIV dir="ltr">static (DMZ,Outside) tcp interface 1200 access-list DMZ_nat_static_2</DIV><DIV dir="ltr"><SPAN style="font-family: tahoma;">access-list DMZ extended permit object-group DM_INLINE_PROTOCOL_1 host 2.2.2.2 host 80.80.80.80 </SPAN></DIV><DIV dir="ltr"><SPAN style="font-family: tahoma;">access-list DMZ_nat_static_2 extended permit tcp host 2.2.2.2. host eq 1200 host 80.80.80.80</SPAN></DIV><DIV dir="ltr"><SPAN style="font-family: tahoma;">access-list Outside_access_in extended permit tcp host 80.80.80.80 host 2.2.2.2&nbsp; </SPAN></DIV><DIV dir="ltr"> </DIV><DIV dir="ltr">Not sure if the above access-list/PAT are correct</DIV><DIV dir="ltr"> </DIV><DIV dir="ltr">Thanks</DIV></DIV><P></P> Mon, 11 Mar 2019 17:33:13 GMT tahirs001 2019-03-11T17:33:13Z https://community.cisco.com/t5/network-security/static-pat-acl-help/m-p/1365278#M734340 <DIV dir="ltr"><SPAN style="font-size: 10pt; color: #000000; font-family: Tahoma;">Hello,</SPAN></DIV><DIV dir="ltr"> </DIV><DIV dir="ltr"><SPAN style="font-size: 10pt; font-family: tahoma;">I have a client that needs access to a particular server on the DMZ from the outside Interface - I have created a static PAT statement 1200 translated to 1200 (I have created the 1200 port so they can access this particular server) and created an access-list from outside to the DMZ. When i run packet tracer it fails at the last part at the NAT.</SPAN></DIV><P></P><P><SPAN style="font-size: 10pt; font-family: tahoma;"></SPAN></P><DIV dir="ltr">Type - NAT<BR />Subtype - rpf-check<BR />Action - DROP<BR />Show rule in NAT Rules table. <BR />Config<BR />static (DMZ,Outside) tcp interface 1200 access-list DMZ_nat_static_2 <BR />nat-control match tcp DMZ host 2.2.2.2eq 1200 <BR />Outside host 80.80.80.80 static translation to 90.90.90.90/1200 translate_hits = 0, untranslate_hits = 11</DIV><DIV dir="ltr"> </DIV><DIV dir="ltr">config;</DIV><DIV dir="ltr"> </DIV><DIV dir="ltr"><DIV dir="ltr">static (DMZ,Outside) tcp interface 1200 access-list DMZ_nat_static_2</DIV><DIV dir="ltr"><SPAN style="font-family: tahoma;">access-list DMZ extended permit object-group DM_INLINE_PROTOCOL_1 host 2.2.2.2 host 80.80.80.80 </SPAN></DIV><DIV dir="ltr"><SPAN style="font-family: tahoma;">access-list DMZ_nat_static_2 extended permit tcp host 2.2.2.2. host eq 1200 host 80.80.80.80</SPAN></DIV><DIV dir="ltr"><SPAN style="font-family: tahoma;">access-list Outside_access_in extended permit tcp host 80.80.80.80 host 2.2.2.2&nbsp; </SPAN></DIV><DIV dir="ltr"> </DIV><DIV dir="ltr">Not sure if the above access-list/PAT are correct</DIV><DIV dir="ltr"> </DIV><DIV dir="ltr">Thanks</DIV></DIV><P></P> Mon, 11 Mar 2019 17:33:13 GMT https://community.cisco.com/t5/network-security/static-pat-acl-help/m-p/1365278#M734340 tahirs001 2019-03-11T17:33:13Z https://community.cisco.com/t5/network-security/static-pat-acl-help/m-p/1365279#M734341 <HTML><HEAD></HEAD><BODY><P>Doesn't look correct.</P><P></P><P>Can you please advise what is the ip address of the outside interface, and the ip address of the DMZ server?</P></BODY></HTML> Thu, 15 Apr 2010 10:17:09 GMT https://community.cisco.com/t5/network-security/static-pat-acl-help/m-p/1365279#M734341 Jennifer Halim 2010-04-15T10:17:09Z https://community.cisco.com/t5/network-security/static-pat-acl-help/m-p/1365280#M734342 <HTML><HEAD></HEAD><BODY><P><SPAN style="background-color: #f8fafd;">I will give made up IP</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">Remote IP:&nbsp; 22.22.22.22</SPAN></P><P><SPAN style="background-color: #f8fafd;">My outside IP: 11.11.11.11</SPAN></P><P><SPAN style="background-color: #f8fafd;">My DMZ Server: 33.33.33.33</SPAN></P></BODY></HTML> Thu, 15 Apr 2010 11:08:52 GMT https://community.cisco.com/t5/network-security/static-pat-acl-help/m-p/1365280#M734342 tahirs001 2010-04-15T11:08:52Z https://community.cisco.com/t5/network-security/static-pat-acl-help/m-p/1365281#M734343 <HTML><HEAD></HEAD><BODY><P>OK, base on the following information:</P><P></P><P><SPAN style="background-color: #f8fafd;">Remote IP:&nbsp;&nbsp; 22.22.22.22</SPAN></P><P><SPAN style="background-color: #f8fafd;">My outside IP: 11.11.11.11</SPAN></P><P><SPAN style="background-color: #f8fafd;">My DMZ Server: 33.33.33.33</SPAN></P><P></P><P>You can configure the following:</P><P></P><P>static (DMZ,Outside) tcp interface 1200 <SPAN style="background-color: #f8fafd;">33.33.33.33 1200 netmask 255.255.255.255</SPAN></P><P>access-list <SPAN style="font-size: 10pt; font-family: tahoma; ">Outside_access_in permit tcp host </SPAN><SPAN style="background-color: #f8fafd;">22.22.22.22 host </SPAN><SPAN style="background-color: #f8fafd;">11.11.11.11 eq 1200</SPAN></P><P></P><P>I assume you already have the following:</P><P>access-group <SPAN style="font-size: 10pt; font-family: tahoma; ">Outside_access_in in interface outside</SPAN></P><P></P><P><STRONG>OR/</STRONG> alternatively if you need to be very specific that only traffic from 22.22.22.22 needs to be translated, then the following:</P><P></P><P>access-list DMZ-NAT permit tcp host 33.33.33.33 eq 1200 host 22.22.22.22 eq 1200</P><P>static (DMZ,Outside) tcp interface 1200 <SPAN style="background-color: #f8fafd;">access-list DMZ-NAT<BR /></SPAN></P></BODY></HTML> Thu, 15 Apr 2010 12:07:45 GMT https://community.cisco.com/t5/network-security/static-pat-acl-help/m-p/1365281#M734343 Jennifer Halim 2010-04-15T12:07:45Z https://community.cisco.com/t5/network-security/static-pat-acl-help/m-p/1365282#M734344 <HTML><HEAD></HEAD><BODY><P>Thanks, I will give that a bash</P><P></P><P>I have sent you a PM. Can you have a look please?</P></BODY></HTML> Thu, 15 Apr 2010 12:17:46 GMT https://community.cisco.com/t5/network-security/static-pat-acl-help/m-p/1365282#M734344 tahirs001 2010-04-15T12:17:46Z