08-10-2010 01:15 PM - edited 03-11-2019 11:23 AM
How can I do this:
access-list AL200 permit ip host 172.16.11.27 Units 255.255.192.0
access-list AL200 permit ip host 172.16.11.27 Routers 255.255.255.248
access-list AL200 permit ip host 172.16.11.27 host IMSA
access-list AL200 permit ip host 172.16.11.27 host EIserver
access-list AL200 permit ip host 172.16.11.26 host GGSNnew
access-list AL200 permit ip host 172.16.11.26 Meterpool 255.255.240.0
static (production,outside) 172.16.11.200 access-list AL200 0 0
Labels: NGFW Firewalls
08-10-2010 01:16 PM
Forgot to mention that I need to do this on a Cisco PIX 506E.
08-10-2010 01:54 PM
So what I am trying to do is not possible?

08-10-2010 02:13 PM
You are unable to do this on a PIX 506 running 6.x code?
-KS
08-10-2010 01:52 PM
Hello Rick,
Since static NAT creates one-to-one mappings by definition, you cannot translate the traffic from two hosts to the same IP. You need to either provision several mapped addresses for the static mapping or use dynamic policy NAT instead:
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1032129
Andrew
08-10-2010 01:55 PM
So what you are trying to say is that it is not possible at all? I don't understand; could you give me some directions?
08-10-2010 01:59 PM
You can policy PAT traffic from just two hosts to the given IP address (this will only work outbound), but you cannot do it with the configuration above. The policy PAT would look somewhat like this:
nat (production) 11 access-list AL200
global (outside) 11 172.16.11.200
Andrew
08-10-2010 02:05 PM
Thank you so much, this worked like a charm.
What kind of problems could this give?
08-10-2010 02:10 PM
Glad it helped! It is a fairly standard NAT configuration, so it should work without problems. The only caveat is that you cannot initiate reverse connections from outside between the hosts and subnets identified in the ACL.
Andrew
08-10-2010 02:17 PM
I don't really understand your last post. Does this mean no traffic could come in on 172.16.11.200?
08-10-2010 02:19 PM
That is correct, you cannot initiate inbound connections to 172.16.11.200. This is the main property of dynamic PAT. In order to initiate inbound connections, you must have one-to-one mapping with either one IP per inside host or one port per inside service (static PAT).
Andrew
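The two answers above (the policy PAT with `nat`/`global` ID 11, and the note that inbound connections need static PAT, one mapped port per inside service) can be combined in one PIX 6.3 configuration. The fragment below is an added example and is not from the thread or from Cisco; it reuses the thread's ACL and mapped address but the listening ports (TCP 3386 on 172.16.11.26, TCP 8443 on 172.16.11.27), the `OUTSIDE_IN` ACL name and the outside source subnets are constructed assumptions. It also assumes the PIX accepts static port redirections on the same global address used by the PAT pool; confirm with `show static` and `show global` after entering it.

```cisco
! --- Added example, not from the original thread. PIX 6.3 syntax. ---
! Outbound: both inside hosts are policy-PATed to 172.16.11.200 when they
! talk to the destinations listed in AL200 (this is the accepted answer).
access-list AL200 permit ip host 172.16.11.27 Units 255.255.192.0
access-list AL200 permit ip host 172.16.11.27 Routers 255.255.255.248
access-list AL200 permit ip host 172.16.11.27 host IMSA
access-list AL200 permit ip host 172.16.11.27 host EIserver
access-list AL200 permit ip host 172.16.11.26 host GGSNnew
access-list AL200 permit ip host 172.16.11.26 Meterpool 255.255.240.0
nat (production) 11 access-list AL200
global (outside) 11 172.16.11.200

! Inbound: dynamic PAT cannot accept connections, so each service that must
! be reachable from outside gets its own static port redirection on .200.
! Ports 3386 and 8443 are ASSUMED values for this example; substitute the
! real listening ports. The same mapped port cannot point at both hosts,
! so two services on the same port cannot both be reached via .200.
static (production,outside) tcp 172.16.11.200 3386 172.16.11.26 3386 netmask 255.255.255.255 0 0
static (production,outside) tcp 172.16.11.200 8443 172.16.11.27 8443 netmask 255.255.255.255 0 0

! A static alone does not admit traffic; the outside interface ACL must
! permit it, and in 6.x it is written against the mapped (outside) address.
! OUTSIDE_IN is an assumed ACL name; the sources mirror AL200's peers.
access-list OUTSIDE_IN permit tcp host GGSNnew host 172.16.11.200 eq 3386
access-list OUTSIDE_IN permit tcp Meterpool 255.255.240.0 host 172.16.11.200 eq 3386
access-list OUTSIDE_IN permit tcp Units 255.255.192.0 host 172.16.11.200 eq 8443
access-list OUTSIDE_IN permit tcp Routers 255.255.255.248 host 172.16.11.200 eq 8443
access-group OUTSIDE_IN in interface outside

! Existing translations are not rebuilt until they expire or are cleared.
clear xlate
```

Keep the inbound ACL as narrow as the peers in AL200: the static entries make the ports reachable from any outside address that the `access-group` permits, so a `permit ip any` on the outside interface would expose both inside hosts to the whole outside network, not only to the VPN peers.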
08-10-2010 02:23 PM
Hmmm, that's going to be a problem, because these rules initiate from both sides:
access-list AL200 permit ip host 172.16.11.26 host TMGGSNnew
access-list AL200 permit ip host 172.16.11.26 TMmeterpool 255.255.240.0
Is there a work-around for this?
08-10-2010 02:26 PM
The workaround is to dedicate one mapped (public) IP to each inside (private) host, i.e.:
access-list AL200 permit ip host 172.16.11.27 Units 255.255.192.0
access-list AL200 permit ip host 172.16.11.27 Routers 255.255.255.248
access-list AL200 permit ip host 172.16.11.27 host IMSA
access-list AL200 permit ip host 172.16.11.27 host EIserver
access-list AL201 permit ip host 172.16.11.26 host GGSNnew
access-list AL201 permit ip host 172.16.11.26 Meterpool 255.255.240.0
static (production,outside) 172.16.11.200 access-list AL200
static (production,outside) 172.16.11.201 access-list AL201
08-10-2010 02:29 PM
172.16.11.201 doesn't have access to the VPNs... so that's a no go...
The problem is that on the old server we had 2 environments which went to 3 VPNs... all using the .200 NAT. Now we made two new servers (one goes to 2 VPNs and one goes to the third). They still need to do so with the .200 NAT.
