04-25-2003 05:45 AM - edited 03-09-2019 03:02 AM
Please find my nat and global commands below. I want to translate the IP 204.142.253.55 / 24 (vik) to 190.231.232.135 / 27 (one of the ISP-assigned public addresses).
Pix-Admin1(config)# sh global
global (outside) 1 192.231.232.135 netmask 255.255.255.224
name 204.142.253.55 vik
Pix-Admin1(config)# sh nat
nat (inside) 1 vik 255.255.255.255 0 0
nat (inside) 0 192.231.232.0 255.255.255.128 0 0
nat (inside) 0 192.168.254.0 255.255.255.0 0 0
nat (inside) 0 198.138.22.0 255.255.255.0 0 0
nat (inside) 0 204.142.80.0 255.255.255.0 0 0
nat (inside) 0 204.142.81.0 255.255.255.0 0 0
nat (inside) 0 204.142.89.0 255.255.255.0 0 0
nat (inside) 0 204.142.253.0 255.255.255.0 0 0
nat (inside) 0 204.142.254.0 255.255.255.0 0 0
nat (inside) 0 10.0.0.0 255.0.0.0 0 0
nat (inside) 0 192.0.0.0 255.0.0.0 0 0
nat (inside) 0 204.0.0.0 255.0.0.0 0 0
nat (dmz:2) 0 0.0.0.0 0.0.0.0 0 0
I did a clear xlate and then
Pix-Admin1(config)# sh xlate
Global 192.231.232.136 Local vik
!Rest deleted.
Why is 'vik' being translated as 192.231.232.136 and not 192.231.232.135???
04-25-2003 06:58 AM
My pix 515 uses a "static" command for this. It might look as such:
static (inside,outside) 190.231.232.135 204.142.253.55 netmask 255.255.255.255 0 0
You will also use an ACL to allow outside traffic to connect over specific ports etc.
04-25-2003 07:10 AM
But won't static allow inbound connections to the machine 204.142.253.55?
All I want is that whenever 204.142.253.55 goes to the internet, it should take the address 192.231.232.135. I am new to pix, please correct me if I am wrong.
Can the machine you are using static for be accessed from outside or not, and under what scenario can one use nat and global?
04-28-2003 07:58 AM
Unless you add an acl allowing access to the inside host, outside hosts cannot access it.
05-02-2003 06:03 AM
Looking at a specific part of your configuration:
global (outside) 1 192.231.232.135 netmask 255.255.255.224
name 204.142.253.55 vik
nat (inside) 1 vik 255.255.255.255 0 0
nat (inside) 0 204.142.253.0 255.255.255.0 0 0
Take a closer look at this one:
nat (inside) 0 204.142.253.0 255.255.255.0 0 0
The address you are trying to translate with the nat 1 and global 1 statements is in the same subnet. So, a better thing to do would be:
nat (inside) 0 access-list nonat
access-list nonat deny ip host 204.142.253.55 any
access-list nonat permit ip 204.142.253.0 255.255.255.0 any
Of course, this is just one way to do it.
I think you have other global and nat statements on your pix which give the translation to the address 192.231.232.136.
Hope this helps
Leo Mourits
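An offline check for the overlap pointed out in the reply above, as an added example that is not part of the original thread: it parses `name` and `nat` lines and lists networks that appear under different NAT ids on the same interface. It only reports overlap and does not model which rule the PIX selects; the sample input is constructed from lines quoted in the thread, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: name and nat lines quoted in the thread.
SAMPLE = """\
name 204.142.253.55 vik
nat (inside) 1 vik 255.255.255.255 0 0
nat (inside) 0 192.231.232.0 255.255.255.128 0 0
nat (inside) 0 204.142.253.0 255.255.255.0 0 0
nat (inside) 0 204.0.0.0 255.0.0.0 0 0
nat (inside) 0 10.0.0.0 255.0.0.0 0 0
"""

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)")
NAT_RE = re.compile(r"^nat\s+\((\S+?)\)\s+(\d+)\s+(\S+)\s+(\S+)")

def parse(config):
    """Return (interface, nat_id, network) tuples from name/nat lines."""
    lines = [line.strip() for line in config.splitlines()]
    # First pass: collect "name <ip> <alias>" so aliases like vik resolve.
    names = {m.group(2): m.group(1) for m in map(NAME_RE.match, lines) if m}
    rules = []
    for line in lines:
        m = NAT_RE.match(line)
        # ACL-based nat lines carry no network/mask pair; skip them.
        if not m or m.group(3) == "access-list":
            continue
        iface, nat_id, addr, mask = m.groups()
        addr = names.get(addr, addr)
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        rules.append((iface, int(nat_id), net))
    return rules

def overlaps(rules):
    """Pairs on one interface whose networks overlap under different nat ids."""
    found = []
    for i, (if_a, id_a, net_a) in enumerate(rules):
        for if_b, id_b, net_b in rules[i + 1:]:
            if if_a == if_b and id_a != id_b and net_a.overlaps(net_b):
                found.append((id_a, str(net_a), id_b, str(net_b)))
    return found

if __name__ == "__main__":
    for id_a, net_a, id_b, net_b in overlaps(parse(SAMPLE)):
        print(f"nat {id_a} {net_a} overlaps nat {id_b} {net_b}")
```

Each reported pair is a source address range that more than one `nat` statement can match, which is the place to look when `sh xlate` shows an unexpected global address.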