
PIX-515E NAT Static Problem

iec1128759
Level 1

I have a problem with a PIX. I'm trying to make a NAT, and want to know if it may be with any origin, and what the expression would be to make a static NAT.

I need help with this problem

static (outside, inside) 172.31.89.5 any_source 255.255.255.0 0 0

Greetings.

Version

Cisco PIX Firewall Version 6.3(4)

3 Replies

Jouni Forss
VIP Alumni

Hi,

If you are going to NAT Multiple addresses to One address then you would typically use a Dynamic PAT.

You can't use "any" in the Static NAT configuration. At least to my understanding.

Could you elaborate a bit on what it is exactly that you are trying to achieve?

I notice that you are trying to configure some NAT for which the source addresses are located behind "outside" and the NAT IP address is on the "inside" interface's side.

- Jouni

I'm trying to make a double NAT to change the source and destination origin be any internet source but switch to your destination 172.31.89.5 and 172.31.65.5, this second NAT and what I have, but I have no idea how to do any NAT.

Hi,

I am afraid that I still didn't quite get the whole situation yet.

You do mention that you want to do double NAT? This is something that would be way easier in the ASA firewalls with newer software. Both your firewall and its software are very old.

But for example's sake, let's say that you have a Static NAT for some of your internal host/server. Let's also say that you want to NAT all incoming traffic destined to that Static NAT IP address of the server to a single IP address, then you would probably have to use Static NAT + Dynamic Policy PAT.

It might look something like this:

access-list DYNAMIC-POLICYPAT permit ip any host 1.1.1.1

nat (outside) 100 access-list DYNAMIC-POLICYPAT outside

global (inside) 100 2.2.2.2

static (inside,outside) 1.1.1.1 3.3.3.3 netmask 255.255.255.255

To my understanding the above should do so that when traffic from "any" source address behind "outside" is coming towards the IP address 1.1.1.1 THEN the source addresses would be Dynamic PATed to IP address 2.2.2.2 and the IP 1.1.1.1 would be untranslated to the real IP address of 3.3.3.3.

So

  • Real Source Address: any
  • Mapped Source Address: 2.2.2.2
  • Mapped Destination Address: 1.1.1.1
  • Real Destination Address: 3.3.3.3

But again it is hard to say if this is the configuration type you are looking for based on your earlier reply.

- Jouni
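
The mapping listed in the reply above, modelled in Python as an added example (not part of the thread and not PIX code). The addresses 1.1.1.1, 2.2.2.2 and 3.3.3.3 are the reply's placeholders; the client addresses, the port allocator and the `DoubleNat` class are assumptions made for the illustration.

```python
"""Toy model of the Static NAT + Dynamic Policy PAT pair from the reply above.
It only tracks address/port rewriting; it is not how PIX allocates PAT ports.
Client addresses and ports are constructed sample values."""
from dataclasses import dataclass
from itertools import count

MAPPED_DST, REAL_DST, PAT_SRC = "1.1.1.1", "3.3.3.3", "2.2.2.2"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class DoubleNat:
    def __init__(self, first_port=1024):
        self._ports = count(first_port)  # assumed sequential allocator
        self._xlate = {}                 # (client ip, client port) -> PAT port
        self._reverse = {}               # PAT port -> (client ip, client port)

    def inbound(self, pkt):
        """outside -> inside: PAT the source, untranslate the destination."""
        if pkt.dst != MAPPED_DST:        # does not match DYNAMIC-POLICYPAT
            return None                  # not handled by this rule pair
        key = (pkt.src, pkt.sport)
        if key not in self._xlate:
            port = next(self._ports)
            self._xlate[key] = port
            self._reverse[port] = key
        return Packet(PAT_SRC, self._xlate[key], REAL_DST, pkt.dport)

    def outbound(self, pkt):
        """inside -> outside: server reply, both translations reversed."""
        if pkt.src != REAL_DST or pkt.dst != PAT_SRC or pkt.dport not in self._reverse:
            return None
        client_ip, client_port = self._reverse[pkt.dport]
        return Packet(MAPPED_DST, pkt.sport, client_ip, client_port)

def demo():
    fw = DoubleNat()
    clients = [Packet("198.51.100.7", 40000, MAPPED_DST, 80),
               Packet("203.0.113.9", 40000, MAPPED_DST, 80)]
    seen = [fw.inbound(p) for p in clients]  # what the server receives
    replies = [fw.outbound(Packet(s.dst, s.dport, s.src, s.sport)) for s in seen]
    return seen, replies
```

In this model every client reaches the server as 2.2.2.2, so the real source address exists only in the firewall's translation table and the server's own logs cannot distinguish clients by IP.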
