
Can the PAT and static commands be used together?

wanglei
Level 1

I have a PIX525.

There is only one public IP I can use.

I need to do PAT for internal users to go to the web.

I also want a static map to the IP so outside users can access our web.

But when I configure the two together, internal users can't access the internet.

What can I do to make the two things work using one public IP?

Any help will be appreciated.


rpathani
Level 1

Hi,

Here are two different static statements:

1) static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255

2) static (inside,outside) tcp interface 80 y.y.y.y 80 netmask 255.255.255.255

Here, x.x.x.x = Your public (pix outside interface) ip address.

y.y.y.y = Private ip address of your webserver.

The "interface" keyword refers to outside interface ip address of your pix.

I'm sure you would be using the first one in the above example. If you use the first one, you make a one-to-one translation for your public and private IP address, letting the PIX know that the public IP address is always associated with this private IP address.

Using the second statement mentioned in the above example (also called port forwarding) would resolve the issue and achieve your goal.

Reason: Port forwarding works only for inbound traffic, and the rest of the outbound traffic uses the nat and global combination to go out to the internet.

Rahul Pathania

rpathani@cisco.com

jackko
Level 7

the main point is that there is only one public ip, so port forwarding is the way to go.

e.g.

static (inside,outside) tcp 80 80 netmask 255.255.255.255 0 0

access-list 100 permit tcp any host eq 80

access-group 100 in interface outside

at the same time, apply the following for internal users accessing the internet:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

all these commands, including static, acl, global, and nat will work together.

I'm very glad to see the reply.

I'm from China and my English is not very good, so it's a surprise you can totally understand me. Thank you, rpathani and jackko.

I just use this command:

static (inside,outside) netmask 255.255.255.255 0 0

I will use the port translation to test.

jackko basically had it correct, but to cover all your bases completely, you may be better off using the interface keyword for all your NAT w/PAT commands.

global (outside) 1 interface

nat (inside) 0 0

access-list acl_outside permit tcp any interface outside eq 80

static (inside,outside) tcp interface 80 80 netmask 255.255.255.255 0 0

access-group acl_outside in interface outside

this will ensure that if you are using either ip address outside dhcp or ip address pppoe (without static IPs) you will not run into any problems down the road.
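
Added example, not part of any post in this thread: a small Python check over a PIX configuration in the syntax used above. It flags a one-to-one static that claims the address PAT depends on (the conflict described in the question) and a port-forward static with no matching inbound ACL permit. The addresses, the finding names and the sample configs are constructed, and numeric ports are assumed.

```python
import re

# Constructed sample configs in the thread's PIX syntax; addresses are placeholders.
COMMON = """ip address outside 203.0.113.2 255.255.255.252
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-list 100 permit tcp any host 203.0.113.2 eq 80
access-group 100 in interface outside
"""
BROKEN = COMMON + "static (inside,outside) 203.0.113.2 192.168.1.10 netmask 255.255.255.255 0 0\n"
FIXED = COMMON + "static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255 0 0\n"

# Port-forward form: static (inside,outside) tcp <public|interface> <port> <private> <port>
PORT_STATIC = re.compile(r"static \(inside,outside\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
# One-to-one form: static (inside,outside) <public> <private>
HOST_STATIC = re.compile(r"static \(inside,outside\) (\S+) (\S+) netmask")


def audit(config):
    """Return a list of (finding, config line) tuples for one PIX config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # Fourth token of "ip address outside ..." is the address (or "dhcp"/"pppoe").
    outside_ip = next((ln.split()[3] for ln in lines
                       if ln.startswith("ip address outside ")), None)
    pat_on_interface = any(re.fullmatch(r"global \(outside\) \d+ interface", ln)
                           for ln in lines)
    findings = []
    for ln in lines:
        fwd = PORT_STATIC.match(ln)
        host = None if fwd else HOST_STATIC.match(ln)
        if host and pat_on_interface and host.group(1) in ("interface", outside_ip):
            # One inside host is bound to the only address PAT can use.
            findings.append(("static-claims-pat-address", ln))
        elif fwd:
            proto, port = fwd.group(1), fwd.group(3)
            public = outside_ip if fwd.group(2) == "interface" else fwd.group(2)
            dests = {f"host {public}"}
            if public == outside_ip:
                dests.add("interface outside")
            acl = re.compile(rf"access-list \S+ permit {proto} any (.+) eq {re.escape(port)}")
            if not any((m := acl.fullmatch(a)) and m.group(1) in dests for a in lines):
                findings.append(("port-forward-without-acl-permit", ln))
    return findings


if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, audit(cfg))
```

The check does not verify that the access list is bound to the outside interface with access-group; it only looks for a matching permit line.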

Can someone help me do the same thing but on IOS, not PIX?

Thanks,

ip nat inside source static tcp extendable

e.g. for mail server,

ip nat inside source static tcp 203.1.1.1 25 192.168.1.1 25 extendable