Static translation for an inside IP

smallrain_2 · ‎06-13-2007

Hi,

Here is what I am trying to accomplish:

Any inside users going out should be dynamically translated to 192.168.2.2-200.

But for one host, 172.16.1.1, I want that to be xlated into 192.168.2.1 all the time.

I have a sample confi below. I think I do have problem with in2out4static rule because traffic initiated by 172.16.1.1 could use in2out acess list instead of in2out4static.

Are there any access-list priority?

I think access-list in PIX/ASA behave different from routers: the order of the statement doesn't matter. (I may be wrong though.)

Could somebody please help me out?

PIX Version 7.1(2)

!

interface Ethernet1

speed 100

duplex full

nameif inside

security-level 100

ip address 172.16.1.254 255.255.255.0

!

interface Ethernet2

nameif outside

security-level 10

ip address 192.168.1.254 255.255.255.0

!

access-list in2out extended permit ip any 10.1.1.0 255.255.255.0

access-list in2out4static extended permit ip host 172.16.1.1 10.1.1.0 255.255.255.0

access-list out2in extended permit tcp any host 192.168.2.1 eq 80

!

global (outside) 2 192.168.2.2-192.168.2.200 netmask 255.255.255.0

global (outside) 3 192.168.2.1

nat (inside) 2 access-list in2out

nat (inside) 3 access-list in2out4static

!

static (inside,outside) 192.168.2.1 172.16.1.1 netmask 255.255.255.255

access-group out2in in interface outside

route networkmd 10.1.1.0 255.255.255.0 192.168.1.253

acomiskey · ‎06-13-2007

You're looking for the nat order of operations...

1. nat 0 access-list

2. static NAT

3. static PAT

4. policy NAT

5. regular NAT

172.16.1.1. will be 192.168.2.1 going out because of the static.

You could do this to the in2out acl as well.

access-list in2out extended deny ip host 172.16.1.1 10.1.1.0 255.255.255.0

access-list in2out extended permit ip any 10.1.1.0 255.255.255.0