
CISCO PIX PAT and NAT

Apr 27, 2007
New to Cisco PIX. PIX is currently configured to PAT all internal addresses to single public.

From config:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

I need to NAT a single specific internal address to a specific outside address. Basically an exception for one system. I have done a lot of searching and reading but cannot find a clear example of this. Any help would be appreciated.
 
The only way you can do this is to implement access lists on the NAT statements.

Unfortunately you cannot do an access-list with a deny statement for that particular IP and then do a permit any any for the remaining.

Once you set up the ACL, you apply it to the NAT statements. To match the particular IP to an outside IP, you need to create a new NAT process.


BuckWeet
 
Try a static -
static (inside,outside) ext.ern.al.ip int.ern.al.ip netmask 255.255.255.255
Statics override nat/global statements and it creates a permanent one-to-one mapping.

You can also do policy nat as buckweet suggested. The policy nat statements (nat with an ACL) also take precedence.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thanks BuckWeet and Brent,
Brent, I think the static is what I was looking for, but I am confused about the syntax and here is why. In my config (inherited) I have several working static statements already that do NATs for external to internal addresses.

static (inside,outside) xx.xxx.xxx.xxx 192.168.21.138 netmask 255.255.255.255 0 0

Am I to understand that the syntax is the same for outgoing connections? I guess I am surprised the statement or addresses are not flipped around.
 
When you have it so that you are using ports in the statement it behaves differently, but when it is only the IP I believe it just ties the two together, inbound and outbound. It is how a TAC fixed a reverse DNS lookup error on a client's mail server that had port mapping only; we changed it to a full static and all of a sudden it worked without changing the DNS MX record.
Let me know how it works out.
To test, put in the full static and do an IP lookup on a website from the internal box and see what it reports.


Brent
Systems Engineer / Consultant
CCNP, CCSP
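Added illustration, not from this thread and not Cisco code: a small Python model of the translation precedence Brent describes (a static wins, then policy nat with an ACL, then the regular nat/global PAT) and of the point in his second post that a full static, with no port, also answers inbound for the global address while the PAT mapping does not. All addresses are constructed from documentation ranges; the thread's xx.xxx.xxx.xxx static is stood in by 203.0.113.10, and a "global (outside) 1 interface" line with outside address 203.0.113.1 is assumed, since the thread never shows the global statement. The policy-nat host 192.168.21.77, its ACL, and nat id 2 are likewise invented for the demonstration.

```python
"""Toy model of PIX translation order: static > policy NAT (nat + ACL) > regular nat/global.
Written for this thread as an illustration; it is not Cisco code and it ignores
nat 0 exemption, port-level statics and the xlate table."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Static:            # static (inside,outside) GLOBAL LOCAL netmask MASK
    global_ip: str
    local_ip: str
    mask: str = "255.255.255.255"


@dataclass
class AclEntry:          # access-list NAME permit PROTO host SRC host DST [eq PORT]
    proto: str
    src: str
    dst: str
    port: Optional[int] = None

    def matches(self, src, dst, proto, dport):
        return (self.proto == proto and src == self.src and dst == self.dst
                and (self.port is None or self.port == dport))


@dataclass
class PolicyNat:         # nat (inside) ID access-list NAME
    nat_id: int
    acl: list


@dataclass
class RegularNat:        # nat (inside) ID LOCAL MASK
    nat_id: int
    local: str
    mask: str


@dataclass
class PixNat:
    statics: list
    policy: list
    regular: list
    globals: dict        # nat id -> global (outside) address, or "interface" for PAT on the outside IP
    outside_if_ip: str

    def _global(self, nat_id):
        pool = self.globals[nat_id]
        return self.outside_if_ip if pool == "interface" else pool

    def outbound(self, src, dst, proto="tcp", dport=None):
        """Return (rule type, translated source) for an inside -> outside packet."""
        for s in self.statics:                       # 1. statics override nat/global
            lnet = ip_network(f"{s.local_ip}/{s.mask}", strict=False)
            if ip_address(src) in lnet:
                offset = int(ip_address(src)) - int(lnet.network_address)
                gnet = ip_network(f"{s.global_ip}/{s.mask}", strict=False)
                return ("static", str(gnet.network_address + offset))
        for p in self.policy:                        # 2. nat with an ACL (policy nat)
            if any(e.matches(src, dst, proto, dport) for e in p.acl):
                return ("policy", self._global(p.nat_id))
        for r in self.regular:                       # 3. plain nat/global (PAT here)
            if ip_address(src) in ip_network(f"{r.local}/{r.mask}", strict=False):
                return ("pat", self._global(r.nat_id))
        return None                                  # no translation rule matched

    def inbound(self, dst_global):
        """A full static is one-to-one, so the global address maps back to the local host.
        A PAT global has no fixed inside host, so nothing is returned for it."""
        for s in self.statics:
            if s.global_ip == dst_global:
                return s.local_ip
        return None


def build_example_pix():
    """The thread's config plus constructed placeholders (see comments)."""
    return PixNat(
        # static (inside,outside) 203.0.113.10 192.168.21.138 netmask 255.255.255.255 (stand-in for xx.xxx.xxx.xxx)
        statics=[Static("203.0.113.10", "192.168.21.138")],
        # nat (inside) 2 access-list acl ; acl = permit tcp host 192.168.21.77 host 198.51.100.5 eq 25 (constructed)
        policy=[PolicyNat(2, [AclEntry("tcp", "192.168.21.77", "198.51.100.5", 25)])],
        # nat (inside) 1 0.0.0.0 0.0.0.0 0 0 (from the thread)
        regular=[RegularNat(1, "0.0.0.0", "0.0.0.0")],
        # global (outside) 1 interface ; global (outside) 2 203.0.113.20 (both assumed)
        globals={1: "interface", 2: "203.0.113.20"},
        outside_if_ip="203.0.113.1",
    )


if __name__ == "__main__":
    pix = build_example_pix()
    for src, dst, port in [("192.168.21.138", "198.51.100.9", 80),
                           ("192.168.21.50", "198.51.100.9", 80),
                           ("192.168.21.77", "198.51.100.5", 25),
                           ("192.168.21.77", "198.51.100.9", 25)]:
        print(src, "->", dst, "port", port, "=>", pix.outbound(src, dst, "tcp", port))
    print("inbound to 203.0.113.10 =>", pix.inbound("203.0.113.10"))
    print("inbound to 203.0.113.1  =>", pix.inbound("203.0.113.1"))
```

Running it shows the exception host leaving as 203.0.113.10 while every other inside host still leaves PAT'd to the outside interface address, the constructed policy-nat host only getting its own global address for the traffic its ACL names, and the static's global address resolving back to 192.168.21.138 inbound, which is the behaviour the reverse-DNS test in the post above is checking for.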
 
Shouldn't there be an actual access-list, something like:

access-list acl permit tcp host x.x.x.x host x.x.x.x eq xx
access-group acl in interface outside

then

nat (inside) 2 access-list acl

I'm not sure if there are any access lists in his config, nor is there an interface that it is applied to.

I could be wrong....
 