Hi,
Here is what I am trying to accomplish:
Any inside users going out should be dynamically translated to 192.168.2.2-200.
But for one host, 172.16.1.1, I want that to be xlated into 192.168.2.1 all the time.
I have a sample config below. I think I do have a problem with the in2out4static rule because traffic initiated by 172.16.1.1 could use the in2out access list instead of in2out4static.
Is there any access-list priority?
I think access-lists in PIX/ASA behave differently from routers: the order of the statements doesn't matter. (I may be wrong though.)
Could somebody please help me out?
PIX Version 7.1(2)
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 172.16.1.254 255.255.255.0
!
interface Ethernet2
 nameif outside
 security-level 10
 ip address 192.168.1.254 255.255.255.0
!
access-list in2out extended permit ip any 10.1.1.0 255.255.255.0
access-list in2out4static extended permit ip host 172.16.1.1 10.1.1.0 255.255.255.0
access-list out2in extended permit tcp any host 192.168.2.1 eq 80
!
global (outside) 2 192.168.2.2-192.168.2.200 netmask 255.255.255.0
global (outside) 3 192.168.2.1
nat (inside) 2 access-list in2out
nat (inside) 3 access-list in2out4static
!
static (inside,outside) 192.168.2.1 172.16.1.1 netmask 255.255.255.255
access-group out2in in interface outside
route networkmd 10.1.1.0 255.255.255.0 192.168.1.253
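Added example, not part of the post: a small Python model of how PIX 7.x picks a translation for the config above. It assumes Cisco's documented NAT order of operations (static NAT is checked before dynamic policy NAT from nat/global, and within a section the first matching entry in configuration order wins) and models the ACLs as first-match source/destination pairs; all addresses and names are the ones from the post.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def net(s):
    return ipaddress.ip_network(s, strict=False)

# Constructed model of the posted config: ACL entries are (source, destination).
ACLS = {
    "in2out": [(ANY, net("10.1.1.0/24"))],
    "in2out4static": [(net("172.16.1.1/32"), net("10.1.1.0/24"))],
}
GLOBALS = {2: "192.168.2.2-192.168.2.200", 3: "192.168.2.1"}
# nat (inside) <id> access-list <acl>, kept in configuration order
POLICY_NAT = [(2, "in2out"), (3, "in2out4static")]
# static (inside,outside) <mapped> <real>
STATICS = [("172.16.1.1/32", "192.168.2.1")]

def acl_first_match(entries, src, dst):
    """Extended ACLs are evaluated top-down; the first matching entry decides."""
    for src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return True
    return False

def translate(src, dst, statics=STATICS, policy_nat=POLICY_NAT):
    """Return (rule that matched, mapped address/pool) for an inside->outside flow.

    Assumed order (Cisco PIX 7.x NAT order of operations): static NAT first,
    then policy dynamic NAT in config order; first match wins in each section.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for real, mapped in statics:
        if src in net(real):
            return ("static", mapped)
    for nat_id, acl in policy_nat:
        if acl_first_match(ACLS[acl], src, dst):
            return (f"nat {nat_id} access-list {acl}", GLOBALS[nat_id])
    return ("no translation", None)

if __name__ == "__main__":
    for host in ("172.16.1.1", "172.16.1.20"):
        print(host, "->", translate(host, "10.1.1.5"))
    # Without the static line, 172.16.1.1 would fall through to in2out,
    # because 'permit ip any ...' is listed first and already matches it.
    print("172.16.1.1 (no static) ->", translate("172.16.1.1", "10.1.1.5", statics=[]))
```

The third call shows the failure mode the post worries about: with the static removed, the host is caught by the broader in2out entry listed first, so the static line is what pins 172.16.1.1 to 192.168.2.1.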