PIX Firewall Config Setup Static & NAT PIX 501 6.3

Laith7640
Level 1

Hi,

I have two internal hosts that I would like to NAT, but every time I try to add the second host I get a "duplicate of existing static" error.

I also tried to create a group for these two hosts and add them statically into the NAT rules, but the same thing happens.

Internal IP addresses:

192.168.11.122
192.168.11.20

I have this configuration on the PIX:

global (outside) 1 192.168.100.1
static (inside,outside) 192.168.100.1 192.168.11.122 netmask 255.255.255.255 0 0

Here is the error when I add the second host:

DC1N-AZAOC-PIX-02(config)# static (inside,outside) 192.168.100.1 192.168.11.20 netmask 255.255.255.255 
ERROR: duplicate of existing static

from inside:192.168.11.122 to outside:192.168.200.3 netmask 255.255.255.255
Usage: [no] static [(real_ifc, mapped_ifc)]
{<mapped_ip>|interface}
{<real_ip> [netmask <mask>]} | {access-list <acl_name>}
[dns] [norandomseq] [<max_conns> [<emb_lim>]]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{<mapped_ip>|interface} <mapped_port>
{<real_ip> <real_port> [netmask <mask>]} |
{access-list <acl_name>}
[dns] [norandomseq] [<max_conns> [<emb_lim>]]

Please help.

9 Replies

Marvin Rhoads
Hall of Fame

You cannot have a static NAT for two hosts to the same outside address. You could let the dynamic NAT (global type) handle it.

Marvin,

Thanks for the quick response. Would you please show me how to reconfigure it, or what the correct syntax is to do dynamic NAT?

You're halfway there with your existing configuration.

These two commands will dynamically NAT hosts in the 192.168.11.0 subnet to 192.168.100.1.

nat (inside) 1 192.168.11.0 255.255.255.0   <--- this assumes it is a /24.
global (outside) 1 192.168.100.1

That's correct, jjohnston1127.

Laith7640, please let us know if that works for you.

Still not working. I'm not able to ping the other side's public IP address from the server. The one that has the IP address 192.168.11.122 works just fine, but the other one, with dynamic NAT, is still not working.

Please share the current output of these two commands:

show run nat

show run policy-map

Your PIX software is so old that it does not support the packet-tracer command (introduced in 7.2(1)) that we would normally use for troubleshooting.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/p1.html

router# sh run policy-map
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

access-group 100 in interface outside

access-list 100 permit icmp host 192.168.11.20 host 192.168.100.1
access-list 100 permit icmp host 192.168.100.1 host 192.168.11.20

Sorry, but the old software is not even giving the correct output for those basic statements.

Could you just attach the whole configuration ("show run" output)?

Oh, and by the way, you will never be able to ping (get an ICMP echo reply from) the server's public IP address from the server itself. You need to verify the configuration by trying to ping a remote system from the server or, if you have allowed ICMP inbound access, by pinging the server's public IP address from a remote system.

Marvin, jjohnston1127,

Big thanks to you guys, I finally got this to work.

What I had to do to get this working is the following:

1- Remove the static NAT translation:

static (inside,outside) 192.168.100.1 192.168.11.20 netmask 255.255.255.255

2- Add the dynamic NAT:

nat (inside) 1 192.168.11.0 255.255.255.0

3- Clear xlate
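The two conditions this thread turns on can be checked mechanically before touching the box: a PIX 6.x static is strictly one mapped address to one real address per interface pair, so a second real behind the same mapped address is exactly the "duplicate of existing static" error above, and a global pool only carries traffic when a nat statement with the same id exists on the inside interface. The following lint is an added example, not code from the thread or from Cisco. The two config strings are constructed to mirror the poster's before and after; the parser only understands the plain static, nat and global forms seen in this thread (no port statics, access-list statics or PAT pool ranges), and treats nat id 0 as identity NAT that needs no global.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample (not a real capture): the original config plus the second
# static that the PIX rejected with "ERROR: duplicate of existing static".
BROKEN_CONFIG = """\
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
global (outside) 1 192.168.100.1
static (inside,outside) 192.168.100.1 192.168.11.122 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.100.1 192.168.11.20 netmask 255.255.255.255 0 0
"""

# Constructed sample: the state the thread ended in, static removed and a nat
# statement whose id 1 pairs with global (outside) 1.
FIXED_CONFIG = """\
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nat (inside) 1 192.168.11.0 255.255.255.0
global (outside) 1 192.168.100.1
"""

# Only the plain forms used in this thread are parsed; port statics,
# access-list statics and PAT/pool ranges on global are deliberately ignored.
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>\w+),\s*(?P<mapped_ifc>\w+)\)\s+"
    r"(?P<mapped_ip>\S+)\s+(?P<real_ip>\S+)"
)
NAT_RE = re.compile(r"^nat \((?P<ifc>\w+)\)\s+(?P<id>\d+)\s+(?P<net>\S+)\s+(?P<mask>\S+)")
GLOBAL_RE = re.compile(r"^global \((?P<ifc>\w+)\)\s+(?P<id>\d+)\s+(?P<pool>\S+)")


def lint_nat(config: str) -> List[str]:
    """Return findings for PIX 6.x NAT statements in a 'show run' dump."""
    statics: Dict[Tuple[str, str, str], List[str]] = defaultdict(list)
    nat_ids: Dict[str, List[str]] = defaultdict(list)     # id -> [inside ifcs]
    global_ids: Dict[str, List[str]] = defaultdict(list)  # id -> [outside ifcs]

    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            key = (m["real_ifc"], m["mapped_ifc"], m["mapped_ip"])
            statics[key].append(m["real_ip"])
        elif m := NAT_RE.match(line):
            nat_ids[m["id"]].append(m["ifc"])
        elif m := GLOBAL_RE.match(line):
            global_ids[m["id"]].append(m["ifc"])

    findings: List[str] = []
    # A static is one mapped address for one real address per interface pair;
    # a second real behind the same mapped address is what the PIX rejects.
    for (real_ifc, mapped_ifc, mapped_ip), reals in sorted(statics.items()):
        if len(reals) > 1:
            findings.append(
                f"static ({real_ifc},{mapped_ifc}) {mapped_ip} maps more than one "
                f"real address ({', '.join(reals)}); use nat/global for many-to-one"
            )
    # nat and global pair by id: a global with no nat of the same id is never
    # used, and a nat (other than identity nat 0) with no global translates nothing.
    for gid in sorted(set(global_ids) - set(nat_ids)):
        findings.append(
            f"global id {gid} on {','.join(global_ids[gid])} has no matching nat statement"
        )
    for nid in sorted(set(nat_ids) - set(global_ids) - {"0"}):
        findings.append(
            f"nat id {nid} on {','.join(nat_ids[nid])} has no matching global statement"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", BROKEN_CONFIG), ("after", FIXED_CONFIG)):
        print(f"== {name} ==")
        for finding in lint_nat(cfg) or ["no findings"]:
            print(" -", finding)
```

Feed it the saved output of show run from the PIX; on the "before" config it reports both the doubled static and the orphaned global id 1, and on the "after" config it reports nothing. It does not replace clear xlate: translations already in the xlate table keep the old mapping until they are cleared, which is why step 3 above was needed.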
