04-16-2006 10:23 PM - edited 02-21-2020 12:50 AM
Can anyone tell me whether it is important to have a global statement on a PIX 515E? I have a few IP addresses given by the service provider, out of which we have one set up for the global statement in the PIX. We also have NAT for different servers.
The problem I face is that since the global statement is in place, every IP going out is seen as the global IP even though I have set up NAT. I hope my point is clear. Therefore I was planning to just drop the global statement, but I am not so sure about the effect. Any idea or help would be great.
04-16-2006 10:35 PM
Well, without the global statement only the IP addresses that are natted will be able to talk to the rest of the world.
If you post your config we can look it over for you. Your servers that are natted should be going out using their natted IP addresses.
Patrick
04-16-2006 11:02 PM
There must be a mistake in your configs. The static NAT always takes precedence over your nat - global instruction, meaning that any traffic going out from your NATed servers should use its static global address and not the one configured for PAT. Please send the configs.
04-16-2006 11:30 PM
04-17-2006 12:18 AM
Mmm.. I see what is happening here. It seems the NAT policy on those static statements is causing this issue .. you should not have any problem with host 172.20.4.208 though ... nothing wrong with the configuration, but it is just the way NAT works. I suggest using a one-to-one NAT static instead of policy NAT, i.e.
static (inside,outside) 213.130.119.60 172.20.4.162 netmask 255.255.255.255
You can then configure your ACL applied to the outside interface to only allow pop3 and smtp to 213.130.119.60
04-17-2006 10:32 PM
Thanks, I believe I got the picture, but could you be more elaborate as to what needs to be done? I don't want to do it without being sure what the effect would be.
Secondly, you are talking about policy NAT?
04-17-2006 10:45 PM
Oops, sorry ..
1.- Add
access-list acl_out permit tcp any host 213.130.119.60 eq pop3
2.- Remove
no static (inside,outside) tcp 213.130.119.60 pop3 172.20.4.162 pop3 netmask 255.255.255.255
no static (inside,outside) tcp 213.130.119.60 smtp 172.20.4.162 smtp netmask 255.255.255.255
clear xlate
3.- Add
static (inside,outside) 213.130.119.60 172.20.4.162 netmask 255.255.255.255
clear xlate
Test and then save the config.
NOTE: The change should be transparent .. but if you are not very confident then do it after hours.
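A simplified Python model of the behaviour discussed in this thread, added here as an illustration (it is not from any poster and is not Cisco code): it shows why the port statics let server-initiated traffic fall through to the global address, and why the outside ACL matters once a one-to-one static is in place. The PAT address 203.0.113.10 is a constructed placeholder, and the class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

PAT_GLOBAL = "203.0.113.10"  # constructed placeholder for the global (PAT) address
PUBLIC, SERVER = "213.130.119.60", "172.20.4.162"  # addresses from the thread

@dataclass(frozen=True)
class Static:
    global_ip: str
    local_ip: str
    port: Optional[int] = None  # None: one-to-one static; int: TCP port static

def outbound_source(statics, src_ip, src_port):
    """Address the outside world sees for a packet leaving src_ip:src_port."""
    for s in statics:
        # A port static only covers traffic sourced from that exact port
        # (replies from the service); a one-to-one static covers every port.
        if s.local_ip == src_ip and s.port in (None, src_port):
            return s.global_ip
    return PAT_GLOBAL  # no static matched: the nat/global pair applies

def inbound_allowed(statics, acl, dst_ip, dst_port):
    """Inbound TCP needs a matching static and a permit in the outside ACL."""
    translated = any(s.global_ip == dst_ip and s.port in (None, dst_port)
                     for s in statics)
    return translated and (dst_ip, dst_port) in acl

BEFORE = [Static(PUBLIC, SERVER, 110), Static(PUBLIC, SERVER, 25)]  # port statics
AFTER = [Static(PUBLIC, SERVER)]                                    # one-to-one static
ACL_OUT = {(PUBLIC, 25), (PUBLIC, 110)}  # smtp and pop3 only

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(name, "server opens outbound connection from port 40000 ->",
              outbound_source(rules, SERVER, 40000))
        print(name, "inbound tcp/3389 allowed:",
              inbound_allowed(rules, ACL_OUT, PUBLIC, 3389))
```

In this model, once the one-to-one static is in place the outside ACL is the only thing limiting which ports on 213.130.119.60 are reachable, so it should stay restricted to pop3 and smtp.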
04-18-2006 09:07 AM
The clear xlate will break all current sessions, so you would see a quick outage.
04-19-2006 08:47 PM
Thanks guys, it worked
04-19-2006 09:26 PM
great ... don't forget to score and resolve the issue ..
Cheers,