Sounds like policy NAT, please see if this is what you want to accomplish:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b6e1a.shtml#usingnat

HTH

Steve

Hi;

Thanks for your response; however, as far as I understand, with policy nat I can control the source IP address (traveling from inside to outside).

What I need is to NAT both destination IP/port, and at the same time, change the source ip, like with policy NAT. Something like mixing policy NAT and static command, but at the same time.

It's difficult to explain what I'm trying to acomplish; the client will connect to a virtual address/port, that must be changed by the pix to another address/port, and the server where the client is trying to connect must see as the source address another one, different from the original client.

Best regards,

Francisco.

Then I believe Mustafa was correct--you want to use the Alias command. The link he sent is a good one, here's the link from the PIX commands that shows another variant:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a3.html#wp1083304

To get an even better understanding, IOS has a great instruction on using/setting up NAT in overlapping networks:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f30.shtml

If we're not correct, then please post (with examples) what you're trying to accomplish.

HTH

Steve

I'm sure you are correct, since this is my 1st pix configuration, however I still doesn't understand how to do it with PIX (I've managed to do it with IOS, with some limitations, but that's for another thread). This is what I'm trying to accomplish:

HOST A -----> PIX -----> HOST B

Host A=192.168.1.1

PIX: 192.168.1.254 , 172.16.1.254

Host B=172.16.1.1

Host A makes a connection to 192.168.1.254, port 80.

Host B is listening on port 90, and must get that connection. However, host B must see the connection is sourced from 172.16.1.254 (assume host B doesn't have any routes).

Do you see any way to obtain this behaivour?

Best regards,

Francisco.

ok, here is the command provided host A in on Inside..

static (outside,inside) tcp 192.168.1.254 80 172.16.1.254 90 netmask 255.255.255.255 outside

if HostB wants to initiate the connection..

static (inside,outside) 172.16.1.2 192.168.1.1 netmask 255.255.255.255

hope that helps..

The first command will do the destination nat to the required address and port, but will not change the origin IP address to the one of the outside interface, I assume. I've tried the command, but the last argument (outside) is not supported, the syntax that appears on help is:

static (dmz1,inside) tcp 192.168.1.254 80 172.17.1.10 90 netmask 255.255.255.255 dmz1

number of maximum connections should lie between 0 and 65535

Usage: [no] static [(real_ifc, mapped_ifc)]

{|interface}

{ [netmask ]} | {access-list }

[dns] [norandomseq] [ []]

[no] static [(real_ifc, mapped_ifc)] {tcp|udp}

{|interface}

{ [netmask ]} |

{access-list }

[dns] [norandomseq] [ []]

Tried and running, thanks a lot. Now I begin to understand how does the PIX works.

Best regads,

Francisco.