Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
352
Views
0
Helpful
3
Replies

Static NAT issue

james.e.mcwilliams
Level 1
Level 1

‎10-23-2003 09:17 AM - edited ‎03-09-2019 05:15 AM

I have just installed my first FWSM at one of your internet pops. Pretty simple only inside and outside no dmz (all listed below). I had to put a static address translation so the internet router could talk back into the internal syslog and tacacs servers on the internal network (10.233.85.254 / 172.21.85.254) which works fine for the connections allowed inbound from the internet router. But when I try to access the internet from those two devices its not being routed because the pix is using the static address (10.233.85.254 / 172.21.85.254) to the internet router and it is not being routed after that. I know I can do an address translation to another one of my 162.119.0.0 address and this will work but I am trying to get around this because I have another Internet POP soon to change from Firewall-1 to PIX that will literally have 100(s) of these static address translations.

<------------------------snip---------------------->

global (outside) 1 162.119.64.110 netmask 255.255.255.0

global (outside) 2 162.119.64.111 netmask 255.255.255.0

global (outside) 3 162.119.64.112 netmask 255.255.255.0

global (outside) 4 162.119.64.113 netmask 255.255.255.0

global (outside) 5 162.119.64.114 netmask 255.255.255.0

global (outside) 6 162.119.64.115 netmask 255.255.255.0

global (outside) 7 162.119.64.116 netmask 255.255.255.0

global (outside) 8 162.119.64.117 netmask 255.255.255.0

global (outside) 9 162.119.64.100 netmask 255.255.255.0

nat (inside) 1 10.224.0.0 255.248.0.0 0 0

nat (inside) 2 10.232.0.0 255.248.0.0 0 0

nat (inside) 3 10.240.0.0 255.248.0.0 0 0

nat (inside) 4 10.248.0.0 255.248.0.0 0 0

nat (inside) 5 10.32.0.0 255.224.0.0 0 0

nat (inside) 6 10.64.0.0 255.224.0.0 0 0

nat (inside) 7 10.96.0.0 255.240.0.0 0 0

nat (inside) 8 10.112.0.0 255.248.0.0 0 0

nat (inside) 9 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 172.21.85.254 172.21.85.254 netmask 255.255.255.255 100 100

static (inside,outside) 10.233.85.254 10.233.85.254 netmask 255.255.255.255 100 100

<------------------------snip---------------------->

Thanks for any help.

Labels:
0 Helpful
3 Replies 3

nkhawaja
Cisco Employee
Cisco Employee

‎10-23-2003 01:33 PM

Hi,

For routing to the inetnet a public address is must. Either do translation on the FWSM or on the edge router.

You can try to make NAT0 work here

e.g. access-list 101 permit ip

nat (inside) 0 access-list 101

So it will be a translation only between the TWO IPs.

If the inside server wants to go to internet, it will be using NAT/Global

Thanks

Nadeem

0 Helpful

james.e.mcwilliams
Level 1
Level 1
In response to nkhawaja

‎10-23-2003 02:30 PM

Nadeem thank you for the reply. But if the Edge router has to talk back to the inside server (say for AAA) won't I need a static for that translation? Then the static will over ride the global translation for the internal server out to the internet. I will give your recommendation a try to see how it works thanks.

Eric

sends

0 Helpful

nkhawaja
Cisco Employee
Cisco Employee
In response to james.e.mcwilliams

‎10-24-2003 03:41 PM

so here is the deal. Either make static conditional or make nat conditional. IF you have checked this url for policy NAT, it should work for your scenario.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1113601

Thanks

Nadeem

0 Helpful
Customers Also Viewed These Support Documents