Reg: Nat Question on pix

kuldeep.kaur
Level 1

Hi Guys,

I have a question on NAT. All my inside hosts, when they go out to the internet, are getting NATted with the PIX outside interface IP address. Now I would like to assign a single host on the inside a static global IP address.

Now if I configure this one-to-one static rule for this single host, the question is: will it use the PIX outside interface IP address for NAT, or will the static rule take preference?

Could someone also please send me a link on how NAT works, i.e. the steps involved in NAT checking?

Tks Guys.

1 Accepted Solution


Jitendriya Athavale
Cisco Employee

Static NAT will take preference.

For 8.2 and before, this is the order:

1. NAT exempt (nat (inside) 0)
2. Static NAT
3. Global rules

In 8.3 and above, it is the order in which we put the rules.

Everything you need to know about NAT:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html


2 Replies 2

varrao
Level 10

Hi Kuldeep,

Whenever you create a static rule for a host, it will always take precedence over the dynamic PAT that you have already configured for inside hosts, which means that when this host goes to the internet it would take the IP defined in the static NAT. Now there are two ways to do it:

1 ----> You have a spare public IP and you do one to one nat for it.

static (inside,outside)

2---->  You do static port forwarding with the outside interface. Remember, do not do one-to-one with the outside interface, otherwise the internet access for inside users would be lost. If it's a web server and you just need access to port 443, then:

static (inside,outside) tcp 443 443

You can go through this for more info:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml

Hope this helps you out.

Thanks,

Varun

Thanks,
Varun Rao
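
The two options from the reply above, written out in full pre-8.3 (PIX / ASA 8.2 and earlier) syntax next to the existing interface PAT. This is an added example, not part of the original posts; the addresses 192.168.1.10 and 203.0.113.10 and the ACL name outside_in are constructed placeholders.

```cisco
! Constructed values: inside host 192.168.1.10, spare public IP 203.0.113.10,
! ACL name outside_in. Pre-8.3 syntax only.

! Existing dynamic PAT: every inside host leaves as the outside interface IP.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Option 1: one-to-one static on a spare public IP.
! Argument order is static (real_if,mapped_if) mapped_ip real_ip.
! Static NAT is checked before the nat/global pair, so 192.168.1.10 now
! leaves as 203.0.113.10; all other hosts keep using interface PAT.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! Option 2 (instead of option 1): forward only TCP/443 arriving on the
! outside interface IP. Other outbound traffic from the host still uses
! interface PAT, and inside users keep their internet access.
static (inside,outside) tcp interface 443 192.168.1.10 443 netmask 255.255.255.255

! A static translation is reachable from outside wherever the outside ACL
! permits it, so permit only the port that is needed.
! With option 1 (pre-8.3 ACLs match the mapped/public address):
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
! With option 2:
access-list outside_in extended permit tcp any interface outside eq 443

access-group outside_in in interface outside
```

`show xlate` lists the active translations, which confirms whether the host is leaving on the static address or on the interface PAT.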