Reg: Nat Question on pix

Hi Guys,

I have a question on NAT. All my inside hosts, when they go out to the internet, are getting natted with the pix outside interface ip address. Now I would like to assign a single host on the inside a static global ip address.

Now if I configure this one-to-one static rule for this single host, the question is: will it use the pix outside interface ip address for natting, or will the static rule take preference?

Could someone also please send me a link on how NAT works, i.e. the steps involved in NAT checking?

Tks Guys.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Reg: Nat Question on pix

Static NAT will take preference.

For 8.2 and before, this is the order:

1. nat exempt (nat (inside) 0)
2. static nat
3. global rules

In 8.3 and above, it is the order in which we put the rules.

Everything you need to know about NAT:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html


Reg: Nat Question on pix

Hi Kuldeep,

Whenever you create a static rule for a host, it will always take precedence over the dynamic PAT that you have already configured for inside hosts, which means that when this host goes to the internet it would take the IP defined in the static NAT. Now there are two ways to do it:

1 ----> You have a spare public IP and you do one-to-one NAT for it.

static (inside,outside) <public_ip> <private_ip>

2 ----> You do static port forwarding with the outside interface. Remember, do not do one-to-one with the outside interface, otherwise the internet access for inside users would be lost. If it's a web server and you just need access to port 443, then:

static (inside,outside) tcp interface 443 <private_ip> 443

You can go through this for more info:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml

Hope this helps you out.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
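
Added example, not part of the original replies: the two options above written out as a pre-8.3 (PIX / ASA 8.2 and earlier) configuration next to the existing interface PAT. All addresses and the ACL name `outside_in` are constructed placeholders; 203.0.113.10 stands in for the spare public IP and 192.168.1.10 for the inside host.

```cisco
! Constructed example, PIX / ASA 8.2-and-earlier syntax.
! 192.168.1.10 = the single inside host (placeholder)
! 203.0.113.10 = spare public IP (placeholder, documentation range)

! Existing dynamic PAT: every inside host leaves as the outside interface IP.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Option 1: one-to-one static with a spare public IP.
! Argument order is static (real_if,mapped_if) mapped_ip real_ip.
! Static NAT is checked before the nat/global pair, so 192.168.1.10 now
! leaves as 203.0.113.10 while all other hosts keep using the interface PAT.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! Option 2 (use instead of option 1 when there is no spare IP): forward only
! TCP/443 arriving on the outside interface address. Do not map the whole
! interface address one-to-one, or the other inside hosts lose their PAT.
! static (inside,outside) tcp interface 443 192.168.1.10 443 netmask 255.255.255.255

! A static translation does not by itself admit inbound connections; the
! ACL applied to the outside interface decides what reaches the host.
! Before 8.3 the ACL references the mapped (public) address.
! Permit only the service that is actually needed.
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside

! After changing translations, clear the host's stale entry and confirm
! which address it is now translated to:
! clear xlate local 192.168.1.10
! show xlate
```

With option 1 the host becomes reachable on its public address for whatever the outside ACL permits, so review that ACL at the same time as the static is added.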