cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
681
Views
0
Helpful
5
Replies

NAT issue

joeduea67
Level 1
Level 1

I am having problems getting a server on the inside of my network to be seen as a specific IP to the world.

The inside server is 10.99.99.61

The outside address should be 172.16.199.206

The global address for the PIX is 172.16.199.194

What statements should I have in place to make it map correctly?

Thanks

1 Accepted Solution

Accepted Solutions

Joe

Can you remove

nat (inside) 3 10.99.99.61 255.255.255.255

global (outside) 3 172.16.199.206 255.255.255.255

and in it's place put

static (inside,outside) 172.16.199.206 10.99.99.61 netmask 255.255.255.255

you may also need to clear the xlate for this entry.

It's not clear from your config but what does access-list allownat do. It may be that this NAT takes effect before your nat 3 statement.

You haven't got any entries for .206 in your acl, are you going to add them.

Generally speaking servers that you want to present to the outside should use static (inside,outside) ... statements rather than nat/global statements. Nat/global statements are more commonly used for dynamic NAT.

Jon

View solution in original post

5 Replies 5

Jon Marshall
Hall of Fame
Hall of Fame

Joe

static (inside,outside) 172.16.199.206 10.99.99.61

then you will need to add into your acl on the outside interface

access-list outside_in permit tcp any host 172.16.199.206 eq www

Note - i have given an example using http. you can modify to match what you want to allow.

Edit - if you don't already have an acl on the outside interface you will need to apply the acl from above

access-group outside_in in interface outside

Be aware that there is an implicit "deny ip any any" at the end of any access-list.

Jon

Jon,

Sorry I was a little to vague.

Here is an example of the config that I currently have in place that does not work correctly:

access-list inbound2 extended permit tcp 192.168.3.0 255.255.255.0 host 172.16.199.207 eq smtp

access-list inbound2 extended permit tcp 192.168.209.64 255.255.255.192 host 172.16.199.207 eq smtp

access-list inbound2 extended permit tcp 192.168.3.0 255.255.255.0 host 172.16.199.208 eq smtp

access-list inbound2 extended permit tcp 192.168.209.64 255.255.255.192 host 172.16.199.208 eq smtp

access-group inbound2 in interface outside

global (outside) 2 interface

global (outside) 1 172.16.199.202

global (outside) 3 172.16.199.206

nat (inside) 0 access-list nonat

nat (inside) 2 access-list allownat

nat (inside) 1 10.99.99.33 255.255.255.255

nat (inside) 3 10.99.99.61 255.255.255.255

static (inside,outside) tcp 172.16.199.207 smtp 10.99.99.61 smtp netmask 255.255.255.255

static (inside,outside) tcp 172.16.199.208 smtp 10.99.99.33 smtp netmask 255.255.255.255

The IP of the "interface" is 172.16.199.194

Whenever I check to see what IP I am showing to the world as on the 10.99.99.61 server it always comes back to 172.16.199.194 but I want it to be 172.16.199.206.

But I do not want to change what the rest of the clients going out to the world are seen as which should stay 172.16.199.194.

Thanks,

Joe

Joe

Can you remove

nat (inside) 3 10.99.99.61 255.255.255.255

global (outside) 3 172.16.199.206 255.255.255.255

and in it's place put

static (inside,outside) 172.16.199.206 10.99.99.61 netmask 255.255.255.255

you may also need to clear the xlate for this entry.

It's not clear from your config but what does access-list allownat do. It may be that this NAT takes effect before your nat 3 statement.

You haven't got any entries for .206 in your acl, are you going to add them.

Generally speaking servers that you want to present to the outside should use static (inside,outside) ... statements rather than nat/global statements. Nat/global statements are more commonly used for dynamic NAT.

Jon

Jon,

Thanks for the assistance.

Removing the nat (inside) statement for that specific server worked.

My only concern is that I have other static entries for that server so when I inserted the

static (inside,outside) 172.16.199.206 10.99.99.61 netmask 255.255.255.255

entry i recieved a warning regarding their already being static entries, although it still inserted the line and works as expected.

Thanks,

Joe

Joe

You should be alright because you are using a different public IP in your other static statement ie.

static (inside,outside) tcp 172.16.199.207 smtp 10.99.99.61 smtp netmask 255.255.255.255

you may want to check that your smtp still works but it should be fine.

What you could do if you get problems is map the specific ports as you have done with the static statement above rather than just all ports eg.

static (inside,outside) tcp 172.16.199.206 www 10.99.99.61 www

but it does depend how many ports you are allowing through to that server.

Glad you got it working and appreciate the rating.

Jon

Review Cisco Networking for a $25 gift card