NAT Complications

andrewburridge
Level 2

Hi Guys, was hoping you could help.  I'm getting myself in a big muddle with regards to NATing, and could do with some clarity.

We have a setup whereby there are 2 firewalls back to back on a 172.22.11.0/24 subnet.  I control one firewall, another company (company B)  the other.  My PIX has its outside interface as 172.22.11.254, and its inside interface as 172.22.255.21.

I'm trying to set up a NAT whereby clients on my inside network can connect to 172.22.11.11 (as this is routable by me) on a specific port, and this will NAT them to the real address 172.31.36.6 on the same port, on the other side of company B's firewall.  Company B are doing the reverse.

I've allowed traffic to come into the firewall's inside interface, and can see it entering.  There is a dynamic NAT mapping any traffic from the inside interface to the outside.

I've set up a static NAT policy rule on the outside interface, taking a source IP of the outside interface (172.22.11.254), a destination of 172.22.11.11, a static translation to 172.31.36.6, and the relevant port translation, but this doesn't work.  Looking at the logs, I can't see anything even attempting to be translated.

I know this is a lot to take in, but any ideas where I'm going wrong?

Thanks for any suggestions.

Accepted Solutions

Jon Marshall
Hall of Fame

Andrew

I've set up a static NAT policy rule on the outside interface, taking a source IP of the outside interface (172.22.11.254), a destination of 172.22.11.11, a static translation to 172.31.36.6, and the relevant port translation, but this doesn't work.  Looking at the logs, I can't see anything even attempting to be translated.

I'm not sure what you mean by the bit in bold. But from your requirements have you tried -

static (outside,inside) 172.22.11.11 172.31.36.6 netmask 255.255.255.255

Jon

Hi Jon,

That appears to be working now, at least from my end.  I was going through the GUI and ended up applying the NAT the wrong way round by the looks of things.  Lesson learned, always stick to the CLI!

Thanks,

Andy

Andy

Couldn't agree more. GUIs are useful sometimes but I never got on with ASDM at all.  I would fire it up and by the time I had worked out what to do I could have configured 3 firewalls by using the CLI

Jon
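
Added example, not part of the original thread: a small Python model of the direction semantics of the PIX command "static (real_ifc,mapped_ifc) mapped_ip real_ip", applied to the accepted command and to a reversed interface pair. The client address 172.22.255.50 and the reversed command are constructed for illustration (the thread does not show what the GUI generated), and the model covers host statics only, ignoring ACLs, routing and the dynamic NAT of the client's source address.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Static:
    """PIX syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask ..."""
    real_ifc: str    # interface the real host lives behind
    mapped_ifc: str  # interface on which the mapped address is presented
    mapped_ip: str
    real_ip: str

def parse_static(line):
    parts = line.split()
    if len(parts) < 4 or parts[0] != "static":
        raise ValueError("not a static command: " + line)
    real_ifc, mapped_ifc = parts[1].strip("()").split(",")
    return Static(real_ifc, mapped_ifc, parts[2], parts[3])

def translate(rule, in_ifc, out_ifc, src, dst):
    """Return (src, dst, action) for a packet crossing in_ifc -> out_ifc."""
    # Arrives on the mapped interface for the mapped IP: destination
    # is rewritten to the real host behind the real interface.
    if (in_ifc, out_ifc) == (rule.mapped_ifc, rule.real_ifc) and dst == rule.mapped_ip:
        return src, rule.real_ip, "dst-untranslate"
    # Comes from the real host toward the mapped interface: source
    # is rewritten to the mapped IP (the return path of the flow above).
    if (in_ifc, out_ifc) == (rule.real_ifc, rule.mapped_ifc) and src == rule.real_ip:
        return rule.mapped_ip, dst, "src-translate"
    return src, dst, "no-match"

CLIENT = "172.22.255.50"  # constructed inside client address (assumption)
# Command from the accepted answer.
working_rule = parse_static(
    "static (outside,inside) 172.22.11.11 172.31.36.6 netmask 255.255.255.255")
# Constructed: same addresses, interface pair reversed (assumption).
reversed_rule = parse_static(
    "static (inside,outside) 172.22.11.11 172.31.36.6 netmask 255.255.255.255")

def outbound(rule):
    # Inside client connecting to the address it can route to.
    return translate(rule, "inside", "outside", CLIENT, "172.22.11.11")

if __name__ == "__main__":
    for name, rule in (("working", working_rule), ("reversed", reversed_rule)):
        print(name, outbound(rule))
```

With the reversed interface pair, the inside client's packet to 172.22.11.11 matches neither branch, so no translation is attempted for it.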
