Solved

Static NAT PIX

Posted on 2006-06-08
5
562 Views
Last Modified: 2010-04-09
I need to do a static NAT for public ip to a private ip on my network.  The firewall wan is 56.1.1.1 and i have an additional 56.1.1.2.  Private ip = 192.168.1.1.

I need to do PAT for the outside interface so that certain port request on 56.1.1.1 are PATed back to different devices on the inside and also have 56.1.1.2 translate to 192.168.1.1 on a one to one basis.

Can someone provided a sample including access-list please?
0
Comment
Question by:andreacadia
  • 2
  • 2
5 Comments
 
LVL 9

Accepted Solution

by:
stressedout2004 earned 500 total points
ID: 16866974

1) For  PAT, you need the following:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

These two commands will allow any host on the internal network that doesn't have a static one is to one natting to use the firewall's WAN IP if they need to go to anywhere outside the network. By default, all outbound traffic is allowed so you don't need to add access-list to allow traffic originating from the inside network back in.

2) For the static one is to one, you need:

static (inside, outside) 56.1.1.2 192.168.1.1 netmask 255.255.255.255
access-list acl_out permit tcp any host 56.1.1.2 eq 25
access-list acl_out permit udp any host 56.1.1.2 eq domain
access-list acl_out permit tcp any host 56.1.1.2 eq www
access-group acl_out in interface outside

The 1st command above statically assigns 56.1.1.2 to 192.168.1.1. The next three are access-rules that allows users from the internet to connect to 56.1.1.2 on port 25, 53 and 80. You will need to modify the rule to suit your needs, the syntax would be the same. The last command applies the access-rule acl_out to the outside interface. You need to apply the access-rules on an interface for it to take effect on this case.
0
 

Author Comment

by:andreacadia
ID: 16867015
how about if i just did this:

access-list acl_out permit ip any host 65.113.90.25

??
0
 
LVL 9

Expert Comment

by:stressedout2004
ID: 16867107
That's fine, however it is not recommended. By doing that, you are opening all ports to the internet on that host.
0
 

Author Comment

by:andreacadia
ID: 16867171
now does this necessarily mean that all traffic will exit sourced as the natted public ip in this case?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16869686
If you have a static 1-1 nat then yes, that host will exit sourced as the natted public.
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration info…
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now