PIX 501 static and dynamic NAT

richmorrow624
Level 1

Will a PIX 501 6.3 support a static NAT to a single Internet IP address for a mail server and allow PAT behind the same Internet IP address to a couple of workstations?

Once I configure the static NAT, the PAT for the workstations stops working.

If I remove the static address for the mail server, I can PAT again.

7 Replies

jgervia_2
Level 1

Hey Rich,

Just so I'm understanding this correctly:

You want a mail server to access the internet and be accessible behind an IP address (i.e. inside IP address is 1.1.1.1 and outside is 2.2.2.2).

You also want all the hosts (1.1.1.2 - 254) to also PAT to 2.2.2.2.

If you just put a static in:

static (inside,outside) 2.2.2.2 1.1.1.1 netmask 255.255.255.255

That will take precedence over your global so that *any* traffic going to 2.2.2.2 goes back to 1.1.1.1 assuming you have something the equivalent of

nat (inside) 1 1.1.1.0 255.255.255.0

global (outside) 1 2.2.2.2

So all your return traffic from the internet to your other hosts won't work.

What you really need to do is make your static specific: You only need this for mail, correct? Replace your static with:

static (inside,outside) tcp 2.2.2.2 1.1.1.1 25 netmask 255.255.255.255

So that the static is only used for SMTP (port 25) - which should allow it to be used for mail.

Don't forget to do a 'clear xlate' when you're done reconfiguring.

Also, you can read up on static pat in the command reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801cd841.html#wp1026694

Don't forget to rate if it helps!

--Jason
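For reference, the complete pattern Jason describes, written out as an added example (it is not from any post in this thread), using the thread's placeholder addresses: 1.1.1.1 for the mail server's inside address and 2.2.2.2 for the shared outside address. The access-list name `outside_in` is my own choice. In PIX 6.3 the port static takes the global address and port first, then the local address and port; swapping them makes the parser read the local address where it expects a port, which is the kind of error reported further down the thread.

```text
: Dynamic PAT: every inside host leaves through the single outside address
nat (inside) 1 1.1.1.0 255.255.255.0
global (outside) 1 2.2.2.2

: Port static: only TCP/25 on 2.2.2.2 is forwarded to the mail server,
: so the other ports on 2.2.2.2 stay available for PAT return traffic.
: Argument order is: global_ip global_port local_ip local_port
static (inside,outside) tcp 2.2.2.2 smtp 1.1.1.1 smtp netmask 255.255.255.255

: If the outside address is the interface address itself (as with
: "global (outside) 1 interface"), use the interface keyword instead:
: static (inside,outside) tcp interface smtp 1.1.1.1 smtp netmask 255.255.255.255

: The static only creates the translation; inbound SMTP still has to be
: permitted on the outside interface (access-list name is an assumption)
access-list outside_in permit tcp any host 2.2.2.2 eq smtp
access-group outside_in in interface outside

: Flush existing translations so the new rules take effect, then verify
clear xlate
show xlate
show static
```

Lines beginning with a colon are annotations in the style of a saved PIX configuration and are not meant to be pasted. After `clear xlate`, `show xlate` should show new PAT entries for the workstations alongside the single port static, and `show static` should list only the TCP/25 entry for 2.2.2.2.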

Thanks for the reply Jason.

Are you saying that I should keep the global config:

nat (inside) 1 1.1.1.0 255.255.255.0

global (outside) 1 2.2.2.2

And add the static for the mail server?

Hello,

Yes, remove the static you have, and replace it with this one:

static (inside,outside) tcp 2.2.2.2 1.1.1.1 25 netmask 255.255.255.255

and then do a clear xlate and then see if it works.

--Jason

Please rate if this helps.

Result:

invalid global port 192.168.1.100

My config has the following:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

It will not let me make the change.

static (blah,outside) tcp 1.1.1.1 smtp 2.2.2.2 smtp netmask 255.255.255.255

The syntax was wrong.

Thanks man,

That looks like it did the trick.

Excellent!

Don't forget to mark this as having solved your issue!
