PIX Static, NAT & NONAT

licenties
Community Member

I have a problem.

I have 8 ip addresses on the outside of my PIX.

I want to use the first ip address for the global statement and the 2nd for a static translation.

I want all computers to use the global address but my server should use only the 2nd ip address.

hope you can help me

5 Replies

jmia
Level 11
Level 11

Here's a document that might be useful to your needs:

>http://www.cisco.com/warp/public/707/28.html

Hope this helps --

licenties
Community Member

Thanks but this paper tells me how to use statics but the static translation is not the problem. The problem is that the server connects a l2tp tunnel.

So the server has to listen and speak with the same ip address.

Bas

l.mourits
Level 9
Level 9

Here's what you should do:

nat (inside) 0 access-list nonat

nat (inside) 1

global (outside) 1 255.255.255.255

static (inside, outside) netmask 255.255.255.255

access-list nonat deny ip host any

access-list nonat permit ip any any

And of course your normal access-list bound to the outside interface for the permitted protocols to your server, but I guess you have that already.

The trick here is, as you can see, to put the normally used nat and global commands on it, and also the normally used static command, but, in addition to that, you have to prevent the returning traffic from your server from being natted by the nat and global commands. That is where the nat 0 with access-list nonat kicks in; this will prevent returning traffic from being dynamically translated (nat 0 is no translations), but since there is also a static translation in place, translation does occur, since there is an entry in the xlate table for every static used.

This will do the trick. I hope this makes sense to you. Otherwise do not hesitate to ask :-)))

Kind Regards,

Leo

Thanks for the reply.

I've got one question: I already have a nonat statement in the config. It's for the VPN users.

## nat (inside) 0 access-list vpnusers

## access-list vpnusers permit ip .........

I called the access-list vpnusers. Then do I use ## access-list vpnusers deny ip host any ??

With Regards,

Bas

Hi Bas -

Change ACL 'vpnusers' to permit, i.e.

> access-list vpnusers permit ip host any

Basically, with the 'no nat' cmd you are saying NOT to NAT the access-list vpnusers, and using the ACL vpnusers you are permitting the traffic for the VPN tunnel, which will not be NAT'd.

Hope this helps --
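To show how the pieces from Leo's reply and the vpnusers follow-up fit together in one PIX 6.x configuration, here is an added example (not posted by anyone in this thread). All addresses are constructed: the outside block is 203.0.113.0/29 with .1 as the global PAT address and .2 for the server, the inside LAN is 192.168.1.0/24 with the L2TP server at 192.168.1.10, and the remote VPN users receive addresses from 10.1.1.0/24. The static entry takes precedence over the nat/global pair for the server's own traffic, so the server sends and receives on 203.0.113.2 only, while the nat 0 ACL exempts just the LAN-to-VPN-pool traffic from translation.

```cisco
! Added example configuration, not from any poster; all addresses are constructed.
! Outside block 203.0.113.0/29: .1 = shared PAT address, .2 = L2TP server
! Inside LAN 192.168.1.0/24, L2TP server 192.168.1.10
! Address pool handed to remote VPN users: 10.1.1.0/24

! 1. NAT exemption: traffic from the LAN to the VPN client pool is never translated.
!    Only this traffic belongs in the nonat ACL; do not add a blanket permit ip any any,
!    because nat 0 access-list is evaluated before nat/global and would exempt everyone.
access-list vpnusers permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list vpnusers

! 2. Every other inside host is PAT'd behind the first outside address.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 203.0.113.1

! 3. The server is pinned to the second outside address in both directions.
!    Its outbound traffic matches this static before nat/global is consulted,
!    so it always speaks from 203.0.113.2 and listens on it.
static (inside,outside) 203.0.113.2 192.168.1.10 netmask 255.255.255.255

! 4. Inbound filter on the outside interface: only what the tunnel needs,
!    and only toward the server's address (least privilege for exposed services).
access-list outside_in permit udp any host 203.0.113.2 eq 1701
! If the L2TP tunnel is protected by IPsec, the IKE/NAT-T/ESP traffic must pass too:
access-list outside_in permit udp any host 203.0.113.2 eq 500
access-list outside_in permit udp any host 203.0.113.2 eq 4500
access-list outside_in permit esp any host 203.0.113.2
access-group outside_in in interface outside
```

After applying it, "show xlate" should list a permanent entry for 192.168.1.10 to 203.0.113.2 while other LAN hosts appear as PAT entries behind 203.0.113.1; if "show nat" or a test from the server reveals it leaving via .1, check that no nat 0 ACL line matches the server's traffic.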
