https://community.cisco.com/t5/network-security/ip-to-ip-static-nat/m-p/1256047#M859046 <HTML><HEAD></HEAD><BODY><P>Here is more details about the situation:</P><P></P><P>Fisrt, I have the commandes:</P><P>ACL:</P><P>permit tcp any 'public@ip1' eq www</P><P>permit ip any 'public@ip2</P><P></P><P>NAT:</P><P>static (inside,outside) tcp public@ip1 www private@ip1 www</P><P>static (inside,outisde) public@ip2 private@ip2</P><P></P><P>Access to the first ip@ with web is working (tested by telnetting the 80 port). But nothing is permitted to the second ip@ (no reply when telnet)</P><P></P><P>I inverted the ACLs and NAT (ip@1 with ip@2) and still the same, the first is OK and not the same.</P><P></P><P>If the server is not well configured, can I see the session open when translated by the PIX but not opened on the server?</P><P></P><P>Regards,</P></BODY></HTML> Tue, 30 Jun 2009 09:47:20 GMT omar.elmohri 2009-06-30T09:47:20Z https://community.cisco.com/t5/network-security/ip-to-ip-static-nat/m-p/1256040#M859029 <P>With PIX 6.3</P><P>I'm using a static IP-to-IP translation also ACL permission, and I'm unable to access to the inside.</P><P></P><P>What's may be wrong?</P><P></P><P>Regards,</P><P>Omar</P> Mon, 11 Mar 2019 15:49:20 GMT https://community.cisco.com/t5/network-security/ip-to-ip-static-nat/m-p/1256040#M859029 omar.elmohri 2019-03-11T15:49:20Z https://community.cisco.com/t5/network-security/ip-to-ip-static-nat/m-p/1256041#M859031 <HTML><HEAD></HEAD><BODY><P>Your acl could be using the wrong destination address, you could be using the wrong internal address - check both of these.</P><P></P><P>HTH&gt;</P></BODY></HTML> Tue, 30 Jun 2009 07:58:19 GMT https://community.cisco.com/t5/network-security/ip-to-ip-static-nat/m-p/1256041#M859031 andrew.prince 2009-06-30T07:58:19Z https://community.cisco.com/t5/network-security/ip-to-ip-static-nat/m-p/1256042#M859035 <HTML><HEAD></HEAD><BODY><P>The ACL is recording matches!! and the Static translation is fine.</P></BODY></HTML> Tue, 30 Jun 2009 08:00:36 GMT https://community.cisco.com/t5/network-security/ip-to-ip-static-nat/m-p/1256042#M859035 omar.elmohri 2009-06-30T08:00:36Z https://community.cisco.com/t5/network-security/ip-to-ip-static-nat/m-p/1256043#M859037 <HTML><HEAD></HEAD><BODY><P>Then you need to check if the internal device is actually listening on the UDP/TCP port numbers you have defined in your ACL.</P><P></P><P>Also if the internal device has internet access - goto <A class="jive-link-custom" href="http://www.whatismyip.com" target="_blank">www.whatismyip.com</A> and confirm the NAT translation is 100% correct.</P></BODY></HTML> Tue, 30 Jun 2009 08:03:27 GMT https://community.cisco.com/t5/network-security/ip-to-ip-static-nat/m-p/1256043#M859037 andrew.prince 2009-06-30T08:03:27Z https://community.cisco.com/t5/network-security/ip-to-ip-static-nat/m-p/1256044#M859040 <HTML><HEAD></HEAD><BODY><P>When using the 'show xlate' that don't show details on that PIX edition, is there a way for that?</P></BODY></HTML> Tue, 30 Jun 2009 08:08:26 GMT https://community.cisco.com/t5/network-security/ip-to-ip-static-nat/m-p/1256044#M859040 omar.elmohri 2009-06-30T08:08:26Z https://community.cisco.com/t5/network-security/ip-to-ip-static-nat/m-p/1256045#M859042 <HTML><HEAD></HEAD><BODY><P>AFAIK - there is not much, see the below command reference:-</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1084248" target="_blank">http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1084248</A></P><P></P><P></P></BODY></HTML> Tue, 30 Jun 2009 08:14:23 GMT https://community.cisco.com/t5/network-security/ip-to-ip-static-nat/m-p/1256045#M859042 andrew.prince 2009-06-30T08:14:23Z https://community.cisco.com/t5/network-security/ip-to-ip-static-nat/m-p/1256046#M859044 <HTML><HEAD></HEAD><BODY><P>I'll try to review all that points and give a feedback.</P></BODY></HTML> Tue, 30 Jun 2009 08:19:44 GMT https://community.cisco.com/t5/network-security/ip-to-ip-static-nat/m-p/1256046#M859044 omar.elmohri 2009-06-30T08:19:44Z https://community.cisco.com/t5/network-security/ip-to-ip-static-nat/m-p/1256047#M859046 <HTML><HEAD></HEAD><BODY><P>Here is more details about the situation:</P><P></P><P>Fisrt, I have the commandes:</P><P>ACL:</P><P>permit tcp any 'public@ip1' eq www</P><P>permit ip any 'public@ip2</P><P></P><P>NAT:</P><P>static (inside,outside) tcp public@ip1 www private@ip1 www</P><P>static (inside,outisde) public@ip2 private@ip2</P><P></P><P>Access to the first ip@ with web is working (tested by telnetting the 80 port). But nothing is permitted to the second ip@ (no reply when telnet)</P><P></P><P>I inverted the ACLs and NAT (ip@1 with ip@2) and still the same, the first is OK and not the same.</P><P></P><P>If the server is not well configured, can I see the session open when translated by the PIX but not opened on the server?</P><P></P><P>Regards,</P></BODY></HTML> Tue, 30 Jun 2009 09:47:20 GMT https://community.cisco.com/t5/network-security/ip-to-ip-static-nat/m-p/1256047#M859046 omar.elmohri 2009-06-30T09:47:20Z https://community.cisco.com/t5/network-security/ip-to-ip-static-nat/m-p/1256048#M859047 <HTML><HEAD></HEAD><BODY><P>To check the servers, if they are windows @ the command line type "netstat -a" this will tell you what ports TCP/UDP the server is listening on and has current sessions.</P><P></P><P>Another good test is try to connect to the servers on the inside!</P></BODY></HTML> Tue, 30 Jun 2009 09:50:30 GMT https://community.cisco.com/t5/network-security/ip-to-ip-static-nat/m-p/1256048#M859047 andrew.prince 2009-06-30T09:50:30Z