
Pix 515 Nat/Static ?

k.nebroski
Level 1

I have a PIX 515, with inside, dmz, and outside enabled. I am using a 192.xxx address on the inside, the dmz has routable 64.xxx addresses and the outside has a single address that connects to our ISP.

To get from the inside to the outside I use the following 2 commands:

global (outside) 1 interface

nat (inside) 1 192.168.10.0 255.255.255.0 0 0

Which works, I then added the following static to allow inside to dmz:

static (inside,dmz) 192.168.131.0 192.168.131.0 netmask 255.255.255.0 0 0

Which also worked.

Now I want to have the dmz access the outside with the real IP addresses of the devices. I'm confused as to which command to use and the correct syntax. I've tried the following with different variations:

static (dmz,outside) 64.4.94.0 64.4.94.0 netmask 255.255.255.0 0 0

I haven't got to the point where I limit the type of access to specific devices/ports, as I haven't got this simple (I thought it was) process to work.

Thanks for any help.

1 Reply

gfullage
Cisco Employee

The static command should work, or alternatively, if you just want to allow traffic out and not NAT it, just do:

nat (dmz) 0 64.4.94.0 255.255.255.0

The "0" number says specifically "don't NAT this traffic", so it'll just go straight out. Do a "clear xlate" after changing/adding static/nat commands; that may be your problem. Also, if this has never worked, make sure your ISP is routing traffic for the 64.4.94.0 subnet to you; don't assume that's happening correctly.
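
As an added example (not from either poster and not Cisco code), this Python sketch models in simplified form how the nat, global and static commands quoted in this thread decide whether a host leaves an interface translated, untranslated, or with no matching rule. The function names, result labels and sample host addresses are assumptions made for illustration; ACLs, `nat 0 access-list` and existing xlates are not modelled.

```python
import ipaddress
import re

# Constructed sample: commands quoted in the thread plus the suggested nat 0 line.
SAMPLE_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
static (inside,dmz) 192.168.131.0 192.168.131.0 netmask 255.255.255.0 0 0
nat (dmz) 0 64.4.94.0 255.255.255.0
"""

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) ")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")


def parse(config):
    """Collect nat, global and static rules from PIX 6.x style config lines."""
    nats, globals_, statics = [], set(), []
    for line in (raw.strip() for raw in config.splitlines()):
        if m := NAT_RE.match(line):
            nats.append((m[1], int(m[2]), ipaddress.ip_network(f"{m[3]}/{m[4]}")))
        elif m := GLOBAL_RE.match(line):
            globals_.add((m[1], int(m[2])))
        elif m := STATIC_RE.match(line):
            # Syntax: static (real_if,mapped_if) mapped_ip real_ip netmask mask
            mapped = ipaddress.ip_network(f"{m[3]}/{m[5]}")
            real = ipaddress.ip_network(f"{m[4]}/{m[5]}")
            statics.append((m[1], m[2], mapped, real))
    return nats, globals_, statics


def egress_translation(config, src_if, dst_if, host):
    """Classify how `host` on src_if would be handled when sending to dst_if."""
    nats, globals_, statics = parse(config)
    ip = ipaddress.ip_address(host)
    for real_if, mapped_if, mapped, real in statics:
        if (real_if, mapped_if) == (src_if, dst_if) and ip in real:
            return "static-identity" if mapped == real else "static"
    # Hypothetical simplification: the most specific nat statement wins.
    hits = [(net.prefixlen, nid) for ifc, nid, net in nats if ifc == src_if and ip in net]
    if not hits:
        return "no-translation-rule"
    nat_id = max(hits)[1]
    if nat_id == 0:
        return "nat0-identity"  # nat 0: traffic leaves with its real address
    # A nat ID above 0 needs a global with the same ID on the egress interface.
    return "dynamic" if (dst_if, nat_id) in globals_ else "nat-without-global"
```

Running it against a saved configuration before and after a change shows which subnets would reach the outside with their real addresses, which is worth confirming before access rules are tightened.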
