09-02-2013 09:39 AM - edited 03-11-2019 07:33 PM
I have a problem with a PIX. I'm trying to make a NAT, and want to know if it may be with any origin, as would be the expression to make a static NAT?
I need help with this problem
static (outside, inside) 172.31.89.5 any_source 255.255.255.0 0 0
Greetings.
Version
Cisco PIX Firewall Version 6.3(4)
09-02-2013 09:43 AM
Hi,
If you are going to NAT Multiple addresses to One address then you would typically use a Dynamic PAT.
You can't use "any" in the Static NAT configuration. At least to my understanding.
Could you elaborate a bit what it is exactly that you are trying to achieve?
I notice that you are trying to configure some NAT for which source addresses are located behind "outside" and the NAT IP address is on the "inside" interface's side.
- Jouni
09-02-2013 09:57 AM
I'm trying to make a double NAT to change the source and destination origin be any internet source but switch to your destination 172.31.89.5 and 172.31.65.5, this second NAT and what I have, but I have no idea how do any NAT.
09-02-2013 10:10 AM
Hi,
I am afraid that I still didn't quite get the whole situation yet.
You do mention that you want to do double NAT? This is something that would be way easier in the ASA firewalls with newer software. Both your firewall and its software are very old.
But for example's sake, let's say that you have a Static NAT for some of your internal host/server. Let's also say that you want to NAT all incoming traffic destined to that Static NAT IP address of the server to a single IP address, then you would probably have to use Static NAT + Dynamic Policy PAT.
It might look something like this:
access-list DYNAMIC-POLICYPAT permit ip any host 1.1.1.1
nat (outside) 100 access-list DYNAMIC-POLICYPAT outside
global (inside) 100 2.2.2.2
static (inside,outside) 1.1.1.1 3.3.3.3 netmask 255.255.255.255
To my understanding the above should do so that when traffic from "any" source address behind "outside" is coming towards the IP address 1.1.1.1 THEN the source addresses would be Dynamic PATed to IP address 2.2.2.2 and the IP 1.1.1.1 would be untranslated to the real IP address of 3.3.3.3.
So
But again it is hard to say if this is the configuration type you are looking for based on your earlier reply.
- Jouni