Static PAT problem

sachin
Level 1

I have done static PAT i.e.

static (inside,outside) tcp 203.x.y.z www 172.16.3.11 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 203.x.y.z 7777 172.16.3.12 7777 netmask 255.255.255.255 0 0

Now from machine 172.16.3.12 I am not able to access the internet, although from outside users are able to reach that particular port on public IP 203.x.y.z.

I have not enabled nat and global statements for the 172.16.3.x series.

My question is: to access the Internet, are static statements not sufficient? Do I need to do NATing?

Secondly, if I start doing NATing then it will be taking some other public IP from the global pool while going out of the network; it will not be going out with the public IP 203.x.y.z.

4 Replies 4

paddyxdoyle
Level 6

Your statics are NATing your 172.16.3.11 & 12 servers to public addresses for users coming into your network from a lower security level i.e. outside.

You could use dynamic PAT and translate your internal networks to the external address of your PIX firewall when users are going from the inside to the outside.

# nat (inside) 1 172.16.3.0 255.255.255.0

# global (outside) 1 interface

rgds

Paddy

So you mean to say that the firewall will be keeping two entries in the translation table, one for outside to inside and one for inside to outside.

But my question is: why does it not go with the same translation entry as defined by the static statement?

If you take static NATing (i.e. one public IP mapped to one private IP only) it goes with that entry only.

Your static is using the service www.

When you try and open a web page from your server, the source port will be >1023 and the destination will be www.

Your static works from the outside because the destination port of any traffic destined to your web server will be port 80 (www).

You don't need to include the tcp and www bits in your static unless you are doing port translation.

e.g. your clients talk to your web server using http://203.x.y.z:8080 and your PIX translates it to 172.16.3.11:80

Have a look at the static command for a fuller description on the following link:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801cd841.html

Rgds

Paddy
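A simplified model of the translation lookup described in this thread, added here as an illustration (it is not code from the thread or from Cisco). It assumes constructed documentation addresses in place of 203.x.y.z, a hypothetical outside interface address, and that inside hosts need a matching translation to get out, as the original poster observed.

```python
import ipaddress

# Constructed addresses standing in for the thread's 203.x.y.z values (assumptions).
PUBLIC_IP = "203.0.113.10"     # global address used in the static statements
OUTSIDE_IF_IP = "203.0.113.1"  # hypothetical outside interface ("global (outside) 1 interface")

# (protocol, local ip, local port) -> (global ip, global port), one per static line
PORT_STATICS = {
    ("tcp", "172.16.3.11", 80): (PUBLIC_IP, 80),
    ("tcp", "172.16.3.12", 7777): (PUBLIC_IP, 7777),
}

def translate_inbound(proto, dst_ip, dst_port):
    """Outside -> inside: return the real (ip, port), or None if no static matches."""
    for (p, lip, lport), glob in PORT_STATICS.items():
        if p == proto and glob == (dst_ip, dst_port):
            return (lip, lport)
    return None

def translate_outbound(proto, src_ip, src_port, nat_nets=(), next_port=1024):
    """Inside -> outside: return (rule, translated ip, translated port)."""
    hit = PORT_STATICS.get((proto, src_ip, src_port))
    if hit:  # only traffic sourced from the published port, i.e. server replies
        return ("static", *hit)
    addr = ipaddress.ip_address(src_ip)
    if any(addr in ipaddress.ip_network(n) for n in nat_nets):
        # dynamic PAT: source rewritten to the interface address and a fresh port
        return ("dynamic-pat", OUTSIDE_IF_IP, next_port)
    return ("no-translation", None, None)  # modelled as dropped (assumption)
```

A browser session from 172.16.3.12 uses a source port above 1023, so it misses the port 7777 static and only gets out once `nat_nets` covers 172.16.3.0/24, leaving with the interface address instead of the static's address.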

Thanks for the link. I understood the concept.