10-23-2001 07:23 AM - edited 03-08-2019 08:55 PM
Will this static config work based on the defined global & nat command?
global (outside) 1 169.139.1.20-169.139.1.20 netmask 255.255.0.0
global (ssn) 1 169.139.254.101-169.139.254.101 netmask 255.255.0.0
nat (inside) 1 10.0.0.0 255.0.0.0 16384 11468
nat (ssn) 1 169.139.254.0 255.255.255.0 16384 11468
!
static (ssn,outside) 169.139.1.174 169.139.254.174 netmask 255.255.255.255 0 0
10-23-2001 01:23 PM
By using addresses within the same range (both in 169.139.0.0/16) you created a conflict. Could you state which addresses (and mask) you are using on each network?
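The overlap pointed out in this reply can be checked mechanically. The following is an added example, not part of the original thread: a Python sketch that parses `global` lines in the form shown in the question and reports pools on different interfaces that resolve to overlapping networks. The function names and the embedded sample are constructed for illustration.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample: the two global lines quoted in the question.
SAMPLE_CONFIG = """\
global (outside) 1 169.139.1.20-169.139.1.20 netmask 255.255.0.0
global (ssn) 1 169.139.254.101-169.139.254.101 netmask 255.255.0.0
"""

# Assumed line format, taken from the thread: global (if) id start[-end] netmask mask
GLOBAL_RE = re.compile(
    r"^global \((?P<ifc>\S+)\) (?P<id>\d+) "
    r"(?P<start>[\d.]+)(?:-(?P<end>[\d.]+))? netmask (?P<mask>[\d.]+)\s*$"
)

def parse_globals(config):
    """Return (interface, nat_id, network) for each global pool with a netmask."""
    pools = []
    for line in config.splitlines():
        m = GLOBAL_RE.match(line.strip())
        if not m:
            continue  # e.g. 'global (outside) 1 interface' carries no pool or mask
        # strict=False derives the containing network from a host address + mask
        net = ipaddress.ip_network(f"{m['start']}/{m['mask']}", strict=False)
        pools.append((m["ifc"], int(m["id"]), net))
    return pools

def find_overlaps(config):
    """Return pairs of pools on different interfaces whose networks overlap."""
    conflicts = []
    for a, b in combinations(parse_globals(config), 2):
        if a[0] != b[0] and a[2].overlaps(b[2]):
            conflicts.append((a, b))
    return conflicts

if __name__ == "__main__":
    for (if_a, _, net_a), (if_b, _, net_b) in find_overlaps(SAMPLE_CONFIG):
        print(f"{if_a} pool in {net_a} overlaps {if_b} pool in {net_b}")
```
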
10-24-2001 06:05 AM
Can this conflict be resolved by creating two separate nat ids?
Also, those global addresses are my public addresses and they all have 16-bit masks.
10-24-2001 07:28 AM
I'm sure the whole /16 isn't in front of the PIX in one lump.
A basic config could be:
- SSN is A.B.C.1/24
- Outside is Z.Y.X.1/28
Then the PAT rules could be:
nat (inside) 1 0 0
global (outside) 1 interface
global (ssn) 1 interface
This is assuming that the basic security policy is:
- inside to SSN allow, hide behind PAT
- inside to outside allow, hide behind PAT
Are there any other connections required?
10-24-2001 08:41 AM
The concept is to hide ssn(dmz) and have their addresses 169.139.254.0/24 translated to an outside address. Likewise to have internal 10.0.0.0 be translated to an outside address.
Also, to use specific static commands to map individual hosts on the DMZ with a known public address.
I know that the /16 is a lot, but that's what the client has. I will investigate this part with the client.