
PIX Global IP

zulqurnain
Level 3

Can anyone just tell me whether on a PIX 515E it is important to have a global statement? Meaning, I have a few IP addresses given by the service provider, out of which we have one set up for the global statement in the PIX. Also we have NAT for different servers.

The problem I face is that since the global statement is in place, every IP going out is seen as the global IP even though I have set up NAT. I hope my point is clear. Therefore I was planning to just drop the global statement, but I am not so sure about the effect. Any idea or help would be great.

9 Replies

Patrick Laidlaw
Level 4

Well, without the global statement only the IP addresses that are NATed will be able to talk to the rest of the world.

If you post your config we can look it over for you. Your servers that are NATed should be going out using their NATed IP addresses.

Patrick

Fernando_Meza
Level 7

There must be a mistake in your configs. The static NAT always takes precedence over your nat/global instruction, meaning that any traffic going out from your NATed servers should use its static global address and not the one being configured for PAT. Please send the configs.

Yeah, I also believe that something is definitely not correct here. Actually I inherited this setup from the last admin, who left without a clue.. anyways, the attachment is here.

Mmm.. I see what is happening here. It seems the NAT policy on those static statements is causing this issue.. you should not have any problem with host 172.20.4.208 though... nothing is wrong with the configuration, it is just the way NAT works. I suggest using a one-to-one static NAT instead of policy NAT, i.e.

static (inside,outside) 213.130.119.60 172.20.4.162 netmask 255.255.255.255

You can then configure the ACL applied to the outside interface to only allow pop3 and smtp to 213.130.119.60.

Thanks, I believe I got the picture, but could you be more elaborate as to what needs to be done? I don't want to do it without being sure what the effect would be.

Secondly, you are talking about policy NAT????

oops sorry ..

1.- add

access-list acl_out permit tcp any host 213.130.119.60 eq pop3

2.- Remove

no static (inside,outside) tcp 213.130.119.60 pop3 172.20.4.162 pop3 netmask 255.255.255.255

no static (inside,outside) tcp 213.130.119.60 smtp 172.20.4.162 smtp netmask 255.255.255.255

clear xlate

3.- Add

static (inside,outside) 213.130.119.60 172.20.4.162 netmask 255.255.255.255

clear xlate

Test and then save the config.

NOTE: The change should be transparent.. but if you are not very confident then do it after hours.

The clear xlate will break all current sessions, so you would see a quick outage.
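Added example (not from the thread or from Cisco): a small Python model of why the port statics above produce the symptom in the question and what the one-to-one static changes. The server and static addresses are the ones in the thread; the PAT address of the nat/global pair is not on the page, so a documentation-range placeholder is assumed, and the outside ACL is assumed to permit only pop3 and smtp as Fernando describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Addresses from the thread; the nat/global PAT address is not on the page,
# so a constructed documentation-range placeholder stands in for it.
SERVER = "172.20.4.162"
STATIC_GLOBAL = "213.130.119.60"
PAT_GLOBAL = "203.0.113.1"  # constructed placeholder for the "global (outside) 1" address


@dataclass
class Static:
    """One static (inside,outside) entry. port=None models a one-to-one static;
    a port models 'static (inside,outside) tcp <global> <port> <local> <port>'."""
    local: str
    global_ip: str
    port: Optional[int] = None


def outbound_translation(src_ip: str, src_port: int, statics: List[Static],
                         pat_global: str) -> Tuple[str, str]:
    """PIX ordering for an outbound TCP flow: static entries are consulted before
    the nat/global pair, and a port static only matches its own source port."""
    for s in statics:
        if s.local != src_ip:
            continue
        if s.port is None or s.port == src_port:
            return s.global_ip, "static" if s.port is None else f"static tcp port {s.port}"
    return pat_global, "nat/global PAT"


def inbound_reachable(dst_port: int, statics: List[Static], acl_ports: Set[int]) -> bool:
    """Inbound to STATIC_GLOBAL:dst_port needs both a matching static translation
    and a permit in the ACL applied to the outside interface."""
    has_xlate = any(s.global_ip == STATIC_GLOBAL and (s.port is None or s.port == dst_port)
                    for s in statics)
    return has_xlate and dst_port in acl_ports


# Before: the thread's port statics for smtp (25) and pop3 (110).
BEFORE = [Static(SERVER, STATIC_GLOBAL, 25), Static(SERVER, STATIC_GLOBAL, 110)]
# After: the one-to-one static suggested in the thread.
AFTER = [Static(SERVER, STATIC_GLOBAL)]
ACL_OUT = {25, 110}  # assumed: acl_out permits only pop3 and smtp to 213.130.119.60


def egress_addresses(statics: List[Static]) -> Dict[int, str]:
    """Source address the mail server is seen with when it connects out from its
    listener ports (25, 110) and from an ephemeral port (40000, constructed)."""
    return {p: outbound_translation(SERVER, p, statics, PAT_GLOBAL)[0] for p in (25, 110, 40000)}
```

With the port statics, a connection the server itself opens (ephemeral source port) falls through to the PAT address; after the one-to-one static every port leaves as 213.130.119.60, and the outside ACL becomes the only thing keeping the remaining ports closed.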

Thanks guys, it worked

great ... don't forget to score and resolve the issue ..

Cheers,
