https://community.cisco.com/t5/network-security/nat-issue/m-p/1125280#M893907 <HTML><HEAD></HEAD><BODY><P>Jon,</P><P>Sorry I was a little to vague.</P><P>Here is an example of the config that I currently have in place that does not work correctly:</P><P></P><P>access-list inbound2 extended permit tcp 192.168.3.0 255.255.255.0 host 172.16.199.207 eq smtp </P><P>access-list inbound2 extended permit tcp 192.168.209.64 255.255.255.192 host 172.16.199.207 eq smtp </P><P>access-list inbound2 extended permit tcp 192.168.3.0 255.255.255.0 host 172.16.199.208 eq smtp </P><P>access-list inbound2 extended permit tcp 192.168.209.64 255.255.255.192 host 172.16.199.208 eq smtp </P><P></P><P>access-group inbound2 in interface outside</P><P></P><P>global (outside) 2 interface </P><P>global (outside) 1 172.16.199.202</P><P>global (outside) 3 172.16.199.206</P><P>nat (inside) 0 access-list nonat</P><P>nat (inside) 2 access-list allownat</P><P>nat (inside) 1 10.99.99.33 255.255.255.255</P><P>nat (inside) 3 10.99.99.61 255.255.255.255</P><P></P><P>static (inside,outside) tcp 172.16.199.207 smtp 10.99.99.61 smtp netmask 255.255.255.255 </P><P>static (inside,outside) tcp 172.16.199.208 smtp 10.99.99.33 smtp netmask 255.255.255.255 </P><P></P><P>The IP of the "interface" is 172.16.199.194</P><P></P><P>Whenever I check to see what IP I am showing to the world as on the 10.99.99.61 server it always comes back to 172.16.199.194 but I want it to be 172.16.199.206.</P><P>But I do not want to change what the rest of the clients going out to the world are seen as which should stay 172.16.199.194.</P><P></P><P>Thanks,</P><P>Joe</P></BODY></HTML> Thu, 06 Nov 2008 21:31:28 GMT joeduea67 2008-11-06T21:31:28Z https://community.cisco.com/t5/network-security/nat-issue/m-p/1125278#M893902 <P>I am having problems getting a server on the inside of my network to be seen as a specific IP to the world.</P><P></P><P>The inside server is 10.99.99.61</P><P>The outside address should be 172.16.199.206</P><P>The global address for the PIX is 172.16.199.194</P><P></P><P>What statements should I have in place to make it map correctly?</P><P></P><P>Thanks</P><P></P> Mon, 11 Mar 2019 14:09:24 GMT https://community.cisco.com/t5/network-security/nat-issue/m-p/1125278#M893902 joeduea67 2019-03-11T14:09:24Z https://community.cisco.com/t5/network-security/nat-issue/m-p/1125279#M893905 <HTML><HEAD></HEAD><BODY><P>Joe</P><P></P><P>static (inside,outside) 172.16.199.206 10.99.99.61</P><P></P><P>then you will need to add into your acl on the outside interface </P><P></P><P>access-list outside_in permit tcp any host 172.16.199.206 eq www</P><P></P><P>Note - i have given an example using http. you can modify to match what you want to allow.</P><P></P><P>Edit - if you don't already have an acl on the outside interface you will need to apply the acl from above </P><P></P><P>access-group outside_in in interface outside</P><P></P><P>Be aware that there is an implicit "deny ip any any" at the end of any access-list.</P><P></P><P>Jon</P></BODY></HTML> Thu, 06 Nov 2008 20:29:03 GMT https://community.cisco.com/t5/network-security/nat-issue/m-p/1125279#M893905 Jon Marshall 2008-11-06T20:29:03Z https://community.cisco.com/t5/network-security/nat-issue/m-p/1125280#M893907 <HTML><HEAD></HEAD><BODY><P>Jon,</P><P>Sorry I was a little to vague.</P><P>Here is an example of the config that I currently have in place that does not work correctly:</P><P></P><P>access-list inbound2 extended permit tcp 192.168.3.0 255.255.255.0 host 172.16.199.207 eq smtp </P><P>access-list inbound2 extended permit tcp 192.168.209.64 255.255.255.192 host 172.16.199.207 eq smtp </P><P>access-list inbound2 extended permit tcp 192.168.3.0 255.255.255.0 host 172.16.199.208 eq smtp </P><P>access-list inbound2 extended permit tcp 192.168.209.64 255.255.255.192 host 172.16.199.208 eq smtp </P><P></P><P>access-group inbound2 in interface outside</P><P></P><P>global (outside) 2 interface </P><P>global (outside) 1 172.16.199.202</P><P>global (outside) 3 172.16.199.206</P><P>nat (inside) 0 access-list nonat</P><P>nat (inside) 2 access-list allownat</P><P>nat (inside) 1 10.99.99.33 255.255.255.255</P><P>nat (inside) 3 10.99.99.61 255.255.255.255</P><P></P><P>static (inside,outside) tcp 172.16.199.207 smtp 10.99.99.61 smtp netmask 255.255.255.255 </P><P>static (inside,outside) tcp 172.16.199.208 smtp 10.99.99.33 smtp netmask 255.255.255.255 </P><P></P><P>The IP of the "interface" is 172.16.199.194</P><P></P><P>Whenever I check to see what IP I am showing to the world as on the 10.99.99.61 server it always comes back to 172.16.199.194 but I want it to be 172.16.199.206.</P><P>But I do not want to change what the rest of the clients going out to the world are seen as which should stay 172.16.199.194.</P><P></P><P>Thanks,</P><P>Joe</P></BODY></HTML> Thu, 06 Nov 2008 21:31:28 GMT https://community.cisco.com/t5/network-security/nat-issue/m-p/1125280#M893907 joeduea67 2008-11-06T21:31:28Z https://community.cisco.com/t5/network-security/nat-issue/m-p/1125281#M893908 <HTML><HEAD></HEAD><BODY><P>Joe</P><P></P><P>Can you remove </P><P></P><P>nat (inside) 3 10.99.99.61 255.255.255.255</P><P>global (outside) 3 172.16.199.206 255.255.255.255</P><P></P><P>and in it's place put </P><P></P><P>static (inside,outside) 172.16.199.206 10.99.99.61 netmask 255.255.255.255</P><P></P><P>you may also need to clear the xlate for this entry.</P><P></P><P>It's not clear from your config but what does access-list allownat do. It may be that this NAT takes effect before your nat 3 statement.</P><P></P><P>You haven't got any entries for .206 in your acl, are you going to add them.</P><P></P><P>Generally speaking servers that you want to present to the outside should use static (inside,outside) ... statements rather than nat/global statements. Nat/global statements are more commonly used for dynamic NAT.</P><P></P><P>Jon</P></BODY></HTML> Thu, 06 Nov 2008 21:38:09 GMT https://community.cisco.com/t5/network-security/nat-issue/m-p/1125281#M893908 Jon Marshall 2008-11-06T21:38:09Z https://community.cisco.com/t5/network-security/nat-issue/m-p/1125282#M893910 <HTML><HEAD></HEAD><BODY><P>Jon,</P><P>Thanks for the assistance. </P><P>Removing the nat (inside) statement for that specific server worked.</P><P>My only concern is that I have other static entries for that server so when I inserted the </P><P>static (inside,outside) 172.16.199.206 10.99.99.61 netmask 255.255.255.255 </P><P>entry i recieved a warning regarding their already being static entries, although it still inserted the line and works as expected.</P><P></P><P>Thanks,</P><P>Joe</P></BODY></HTML> Thu, 06 Nov 2008 22:29:33 GMT https://community.cisco.com/t5/network-security/nat-issue/m-p/1125282#M893910 joeduea67 2008-11-06T22:29:33Z https://community.cisco.com/t5/network-security/nat-issue/m-p/1125283#M893912 <HTML><HEAD></HEAD><BODY><P>Joe</P><P></P><P>You should be alright because you are using a different public IP in your other static statement ie. </P><P></P><P>static (inside,outside) tcp 172.16.199.207 smtp 10.99.99.61 smtp netmask 255.255.255.255 </P><P></P><P>you may want to check that your smtp still works but it should be fine.</P><P></P><P>What you could do if you get problems is map the specific ports as you have done with the static statement above rather than just all ports eg.</P><P></P><P>static (inside,outside) tcp 172.16.199.206 www 10.99.99.61 www </P><P></P><P>but it does depend how many ports you are allowing through to that server.</P><P></P><P>Glad you got it working and appreciate the rating.</P><P></P><P>Jon</P></BODY></HTML> Thu, 06 Nov 2008 22:36:40 GMT https://community.cisco.com/t5/network-security/nat-issue/m-p/1125283#M893912 Jon Marshall 2008-11-06T22:36:40Z