public static nat/global vs

Excluding an access list, what is the difference between:

NAT (inside) 1 172.16.5.10 net 255.255.255.255

192.168.5.10 (outside) 1 global net 255.255.255.255

and

static (inside, outside) 1 192.168.5.10 172.16.5.10 net 255.255.255.255

Thank you.

in static reality must be combined with the access list for a two-way communication... You are right in a sense that

public static nat/global access-list =

Basically, the rule is that the traffic is allowed more high to low infterface of default security

BUT

from the lowest to the highest security of communication you need an access as well as the STATIC list

Thank you

Nadeem

Tags: Cisco Security

Similar Questions

Public static NAT vs. Access-List

Hello

I have a question what is the best practice static NAT and access list. Example:

Server (192.168.1.1) Web inside to outside (10.10.10.10) with the port 80 and 443.

IP nat inside source static tcp 192.168.1.1 80 10.10.10.10 80

IP nat inside source static tcp 192.168.1.1 10.10.10.10 443 443

Or

IP nat inside source static 192.168.1.1 10.10.10.10

Access-list 101 permit tcp any host 10.10.10.10 eq 80

Access-list 101 permit tcp any host 10.10.10.10 eq 443

interface ethernet0
IP access-group 101 in

Thank you

The operational reasons - it will break things.

Public static PAT in Nat/Global conflicts

I seem to have a problem because of a conflict between the static PAT and nat/global pool.

I have a config with the following static and ACL. (192.169.10.2 and 192.168.10.3 are two address on the same adapter on the same server)

static (dmz, outside) tcp 212.xx.xx.4 www 192.168.10.2 5080 netmask 255.255.255.255 0 0

static (dmz, external) 212.xx.xx.5 192.168.10.3 netmask 255.255.255.255 0 0

line 100 access list 7 permit tcp any host 212.xx.xx.4 eq www

100-list access line 8 permit tcp any host

212.XX.XX.5 eq ftp

line 9 of the access list 100 permit tcp any host 212.xx.xx.5 eq ftp - data

With this new configuration when I issued the "cl" xlate I outwardly use the site and the FTP site.

However, as soon as the (192.6.12.2/3) server to connect to the internet the static PAT stops working:

static (dmz, outside) tcp 212.xx.xx.4 www 192.168.10.2 5080 netmask 255.255.255.255 0 0

It is interesting the individual static (ftp) continues to work:

If I do a "show xlate" he mentions a 'Global 212.xx.xx.22 192.168.10.2 Local. " That's probably why it does not work as it comes to take an address from the global pool and is no longer uses 212.xx.xx.4. I don't know why this conflict happens? Any help much appreciated.

Dan

Hello Dan,

Please mark this case as resolved, so that it might help others. response rate (s) If you found it useful.

Thank you

Public static political static NAT in conflict with NAT VPN

I have a situation where I need to create a VPN site-to site between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises where the LAN behind the Cisco ASA has the same subnet an existing VPN currently created on the Sonicwall. Since the Sonicwall cannot have two VPN both run on the same subnet, the solution is to use policy NAT on the SAA as well as for the Sonicwall, the new VPN seems to have a different subnet.

The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a private network virtual created for another customer with the same subnet). I try to translate it to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The ASA relevant configuration is:

interface Vlan1

IP 192.168.10.1 255.255.255.0

access extensive list ip 192.168.24.0 outside_1_cryptomap allow 255.255.255.0 10.159.0.0 255.255.255.0

list of access VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0

public static 192.168.24.0 (inside, outside) - list of VPN access

card crypto outside_map 1 match address outside_1_cryptomap

In addition, there are other static NAT instructions and their associated ACLs that allow certain traffic through the firewall on the server, for example:

public static tcp (indoor, outdoor) interface smtp SERVER smtp netmask 255.255.255.255

The problem is this: when I enter the static strategy statement NAT, I get the message ' WARNING: real-address conflict with existing static "and then it refers to each of the static NAT statements reflecting the external address to the server. I've thought about it, and it seemed to me that the problem was that policy NAT statement must be the first statement of NAT (it is the last one) so that it is run first and all traffic destined to the VPN to the Sonicwall (destination 10.159.0.0/24) tunnel would be properly treated. If I left him as the last statement, then the other static NAT statements would prevent a part of the 10.159.0.0/24 network-bound traffic to be correctly routed through the VPN.

So, I tried first to my stated policy NAT upward in the ASDM GUI interface. However, moving the declaration was not allowed. Then I tried to delete the five static NAT statements that point to the server (an example is above) and then recreate them, hoping that would then move up the policy statement NAT. This also failed.

What Miss me?

Hello

I assumed that we could have changed the order of the 'static' , the original orders, but as it did not work for some reason any then it seems to me that you suggested or change, that I proposed should work.

I guess that your purpose was to set up static political PAT for the VPN for some these services, then static PAT of public network access, then static NAT to policy for the rest of the network in-house.

I guess you could choose any way seems best for you.

Let me know if get you it working. I always find it strange that the original configuration did not work.

Remember to mark a reply as the answer if it answered your question.

Feel free to ask more if necessary

-Jouni

Apart from the demilitarized zone or static NAT?

Hello!

I'm trying to implement the static translation from outside my network in DMZ. I tried with nat, global and static use but failed with both. The problem is that packets are go to the servers in the DMZ but nothing is returned to the sender. Also, when I try to access a Web server in DMZ I get SYN timeout.

The traffic of my LAN (inside) local DMZ works as it should however.

-Important conf--->

access-list ON scope allowed any ip a

Global interface (dmz) 12

NAT (outside) - 12 OUT out access list

Access-group OUT in the interface outside

no nat control

-more than information--->

Interior - the security of IP 10.0.13.1 level 100

DMZ - security level 50, IP 172.16.13.1

outer - level 0, the security of IP 192.168.13.2

Bastionhost = Web server

-See the nat--->

Policy NAT outside interface:

match any ip outside any demilitarized zone

dynamic translation to the pool of 12 (172.16.13.1 [Interface PAT])

translate_hits = 2, untranslate_hits = 0

When I used static instead of nat, overall I had so many untranslate_hits I sent to servers in DMZ.

-Debug--->

Built dynamic TCP translation of outside:192.168.13.5/1316 to dmz (OUT): 172.16.13.1 / 1028

Built of 469 for incoming TCP connections to dmz:bastionhost (172.16.13.1/1028) outside:192.168.13.5/1316 / (bastionhost/80) 80

Disassembly of the TCP dynamic translation of outside:192.168.13.5/1317 to dmz (OUT): 172.16.13.1 / 1029 0 duration: 00:39

Disassembly TCP 473 for outside:192.168.13.5/1318 to dmz:bastionhost connection / 80 0 duration: 00:30 bytes 0 SYN Timeout

Thank you.

Your following config is fine, your bastionhost here with a public IP address of mapping that will allow the access server to the internet as well.

allowed any icmp extended WEB access list a--> add this option to test accessibility outside bastionhost / internet and remove it later.

IP any host 192.168.14.5-> or add 'eq www' to specify the port allow Access - list extended WEB.

static (dmz, outside) tcp 192.168.14.5 www bastionhost www netmask 255.255.255.255

group-access WEB interface outside

You can omit the next part that meant allowing internet access only, bastionhost not allowing users to access.

Global 1 192.168.14.5 (outside)

NAT (dmz) 1 bastionhost 255.255.255.255

BTW, what is the State of the road looks like?

Static NAT problem with PIX501

Hi all

We have problems with our PIX firewall. We have configured PIX 501 with static NAT for our Web server. Here's the running configuration.

6.3 (4) version PIX

interface ethernet0 car

interface ethernet1 100full

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

pixfirewall hostname

domain ciscopix.com

fixup protocol dns-length maximum 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol 2000 skinny

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names of

access-list 101 permit tcp any host x.x.x.26 eq www

access-list 101 permit tcp any host x.x.x.26 EQ field

access-list 101 permit udp any host x.x.x.26 EQ field

pager lines 24

Outside 1500 MTU

Within 1500 MTU

IP address outside x.x.x.28 255.255.255.248

IP address inside 192.168.90.1 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

location of PDM 192.168.90.0 255.255.255.0 inside

history of PDM activate

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside, outside) x.x.x.26 192.168.90.3 netmask 255.255.255.255 0 0

Access-group 101 in external interface

Route outside 0.0.0.0 0.0.0.0 x.x.x.25 1

Route inside 192.168.1.0 255.255.255.0 192.168.90.2 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

AAA-server GANYMEDE + 3 max-failed-attempts

AAA-server GANYMEDE + deadtime 10

RADIUS Protocol RADIUS AAA server

AAA-server RADIUS 3 max-failed-attempts

AAA-RADIUS deadtime 10 Server

AAA-server local LOCAL Protocol

Enable http server

http 192.168.90.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

SNMP-Server Community public

No trap to activate snmp Server

enable floodguard

Telnet timeout 5

SSH timeout 5

Console timeout 0

Terminal width 80

: end

the problem is the configuration, we are unable to access the web server both inside and outside the network.

All input will be greatly appreciated.

Kind regards

udimpas

activate icmp backtrace and then ping the x.x.x.26 of the internet. the output should be as below:

3363574:-out ICMP echo request: ID = 21834 seq = 1202 length = 80

3363575: ICMP echo request: external untranslating: inside: 192.168.90.3

3363576: ICMP echo-reply from the inside: 192.168.90.3 ID = 21834 seq = 1202 length = 80

3363577: response to ICMP echo -: translate inside: 192.168.90.3 out:

by doing this, you can 1. Check the nat 2. If the server responds to the internet.

do not forget to allow incoming icmp:

access-l 101 permit icmp any one

Static NAT to 10.140.2.0 to 10.240.2.0 via VPN

I need help to set up a static nat device between oursite and seller

oursite has a subnet 10.140.2.0/24 the provider uses for something else. They asked that we nat 10.140.2.0/24 to 10.240.2.0/24 via the VPN, so they will see the 10.140 10.240? any help is appreciated. I think that map crypo acl must be standing as well, we run version 8.2

LOCAL SITE - ASA - TUNEL VPN - ASA - SITE PROVIDER

Thanks in advance

Hello Bbftijari,

In this case, according to the ASA version, but you will need to configure, this way:

Pre - 8.3

1. create groups of objects for use in the ACL,

the LOCAL_SITE object-group network
object-network 10.140.2.0 255.255.255.0

the Vendor_SITE object-group network
network-object XXXXXX XXXXXX

2. create ACLs, as a condition,

access-list VPN_NAT permitted object-group LOCAL_SITE object group ip Vendor_SITE

3 create the static NAT, call the ACL, so he says "when I come inside outside of LOCAL_SITE to Vendor_SITE, I will result in 10.240.2.0/24.

public static 10.240.2.0 (inside, outside) access-list VPN_NAT netmask 255.255.255.0

--------------------------------------------------------------------------------------------------------------------------------

Post 8.3

1 create the network objects and create a static entry:

the LOCAL_SITE object-group network
object-network 10.140.2.0 255.255.255.0

the NAT_SITE object-group network
object-network 10.240.2.0 255.255.255.0

the Vendor_SITE object-group network
network-object XXXXXX XXXXXX

2. static NAT creation,

NAT (inside, outside) 1 static source LOCAL_SITE NAT_SITE Vendor_SITE Vendor_SITE non-proxy-arp-search of route static destination

Test and keep me posted.

Please note and mark it as the correct answer if it helped you.

David Castro,

Static Nat issue unable to resolve everything tried.

Hello

I have a cisco asa 5515 with asa worm 9.4.1 and asdm 7.4

I have problem with configuring static nat, I have a server inside which ip is 172.16.1.85 and

my external interface is configured with a static ip address.

Internet works fine but cannot configure static nat...

Here's my config running if please check and let me know what Miss me...

Thank you

ASA release 9.4 (1)
!
ciscoasa hostname

names of
!
interface GigabitEthernet0/0
nameif outside
security-level 0
IP 151.253.97.182 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
IP 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
management only
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
!
boot system Disk0: / asa941-smp - k8.bin
passive FTP mode
object remote desktop service
source eq 3389 destination eq 3389 tcp service
Description remote desktop
network of the RDP_SERVER object
Home 172.16.1.85
outside_access_in list extended access allow desktop remotely any4 object RDP_SERVER
pager lines 24
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
management of MTU 1500
no failover
no monitor-service-interface module of
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 743.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
!
network of the RDP_SERVER object
NAT (inside, outside) interface static service tcp 3389 3389
!
NAT source auto after (indoor, outdoor) dynamic one interface
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 151.253.97.177 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
identity of the user by default-domain LOCAL
Enable http server
http server idle-timeout 50
http 192.168.1.0 255.255.255.0 management

Telnet 192.168.1.0 255.255.255.0 management
Telnet timeout 5
SSH stricthostkeycheck
SSH 192.168.1.0 255.255.255.0 management
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
VPDN username bricks12 password * local store
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
dynamic-access-policy-registration DfltAccessPolicy
username, password imran guVrfhrJftPA/rQZ encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
anonymous reporting remote call

ciscoasa #.

Hello

Change this ACL: -.

outside_access_in list extended access allow desktop remotely any4 object RDP_SERVER

TO

outside_access_in list extended access allowed object RDP_SERVER eq any4 tcp 3389

Thank you and best regards,

Maryse Amrodia

Static objects / global or Code

Greetings

I have looked at a few and noticed that another instance of the application can be run - for example, at startup or through a context menu.

In a normal desktop application, the application is displayed in its own space program and identical static variables would be not accessible from each of the other programs.

For example, if I had

public static boolean myStaticVar;

Each separate instance of my application would then have its own variable, and the variable within a single instance of the application would not affect the value of the other instance of the application.

Is it the same for Blackberry apps or are global static variables for multiple instances of the application.

Thank you

No, static global variables are accessible to the current instance of the application. My application uses a different entry point, and I can't even variable access to the instance of the autorun of the instance selection without using persistent or runtime store.

Hope that helps,

~ Dom

Static NAT enable VPN site-to-site.

Hello

We plan to build VPN site to site, but, we have a single public routerable internet IP address to assign VPN on Site A, but Site B is ok.

in this case, I think that we must use static NAT on the router, the simple diagram is as below.

internal a subnet - router VPN - router for Internet of the Site - to - VPN - B B Site internal subnet.

the final goal is to make the communication between internal a subnet and subnet B on IPSEC tunnel.

OK, as I said, Site A having a public IP address, then it must use the static NAT and need to apply on the Site router.

Router

interface x/x

Head of ESCR to the internet

NAT outside IP

!

interface x/x

Head of DESC to internal (VPN)

IP nat inside

!

IP nat inside source static (like IP address x.x.x.x) public (as private VPN interface IP x.x.x.x)

so, wouldn't be work without any problem? I think it will work, but I would find other one just in case.

Hey,.

Is that what you try to achieve:

subnet A - A = vpn router = router B - Sub-B network

and you need communicate between Subnet A and subnet via ipsec vpn b?

Concerning

Static nat and NAT ACL 0

All,

I have nat 0 ACL indicating that an ip address should not be natted, while a static nat statement saying we need natted. I just want to know that we will have precedence.

Thank you

It is of the order of operations PIX nat / ASA.

the NAT 0 acl_name (nameif) has priority.

1 nat 0-list of access (free from nat)

2. match the existing xlates

3. match the static controls

a. static NAT with no access list

b. static PAT with no access list

4. match orders nat

a. nat [id] access-list (first match)

b. nat [id] [address] [mask] (best match)

i. If the ID is 0, create an xlate identity

II. use global pool for dynamic NAT

III. use global dynamic pool for PAT

Static NAT with the road map for excluding the VPN

We have problems of access to certain IPs NATted static via a VPN. After some research, we have learned that you have to exclude traffic destined for the VPN to the static NAT using a road map. So we did this:

10.1.1.x is the VPN IP pool.

access-list 130 refuse ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 allow ip 192.168.1.0 0.0.0.255 any

sheep allowed 10 route map
corresponds to the IP 130

IP nat inside source static 192.168.1.5 1.1.1.1 sheep map route

Above worked to fix the VPN but the IP 192.168.1.5 is no longer publicly available via 1.1.1.1. What seems to happen, is that the static NAT is not really work and this IP address is NATted with the IP of PAT.

Any ideas on how to get this to work?

Thank you
Diego

Hello

The following example details exactly your case:

http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094634.shtml

Try to replace the 192.168.1.0 subnet by the host address.

It should work

HTH

Laurent.

Cisco IOS - how config static nat to NAT on the VPN

Hello world

I need help.

I configured a VPN site-to site between two routers IOS. One of the routers already had a static NAT (172.16.100.1 inside to the public IP address), but this static NAT prevents remote VPN hosts access to the 172.16.100.1 home as it tries to the response to public IP NAT router configured.

Does anyone know how to use static NAT for the inside to the outside, but don't not NAT inside to outside VPN traffic?

I know how to make using a roadmap for "overload" dynamic NAT, but I can't? t see how you can use a roadmap on the static NAT statement.

You can provide any help would be appreciated.

Chris

Hi Chris

Take a look at the document atatched with gives a few examples of the very thing you are trying to do.

http://www.Cisco.com/en/us/products/SW/iosswrel/ps1839/products_feature_guide09186a0080087bac.html

HTH

Jon

ASA 5500 and static NAT 1-to-1

We currently have a pair of s ASA 5500 failover providing firewall & nat with inside, outside and the dmz interfaces. We do PAT interface for most of the internal to the external and static connections 1-to-1 NAT for specific hosts that need to accept connections from the outside inside. The space of the static nat is a 27 which includes the address of the external interface. It's that everything is working properly.

However, we are out of space for the static NAT to this/27. I would like to be able to add a different network, probably another 27, for the more static NAT but I'm a hard time to find the best way to do it. Is this possible with a network that does not include the external interface on the ASA?

Here are some of our current NAT config:

Global interface 10 (external)

NAT (inside) 10 0.0.0.0 0.0.0.0

(dmz1, outside) static dmz1-net-net dmz1 netmask 255.255.255.224

static (inside, dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

static (inside, dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

static (inside, outside) xx.yy.164.15 192.168.98.46 netmask 255.255.255.255

static (inside, outside) xx.yy.164.8 192.168.98.47 netmask 255.255.255.255

static (inside, outside) xx.yy.164.14 192.168.98.48 netmask 255.255.255.255

static (inside, outside) xx.yy.164.13 192.168.101.50 netmask 255.255.255.255

Thank you very much...

Hello

The correct syntax for the proxyarp activation will be

No outside sysopt noproxyarp

http://www.Cisco.com/en/us/products/ps6120/products_command_reference_chapter09186a00805fb9e9.html#wp1111405

Cannot ping via the VPN client host when static NAT translations are used

Hello, I have a SRI 3825 configured for Cisco VPN client access.

There are also several hosts on the internal network of the static NAT translations have a services facing outwards.

Everything works as expected with the exception that I cannot ping hosts on the internal network once connected via VPN client that is internal IP addresses have the static NAT translations in external public addresses, I ping any host that does not have static NAT translation.

For example, in the example below, I cannot ping 192.168.1.1 and 192.168.1.2, but I can ping to the internal interface of the router, and any other host on the LAN, I can ping all hosts in the router itself.

Any help would be appreciated.

Concerning

!

session of crypto consignment

!

crypto ISAKMP policy 10

BA 3des

preshared authentication

Group 2

!

ISAKMP crypto client configuration group vpnclient

key S3Cu4Ke!

DNS 192.168.1.1 192.168.1.2

domain domain.com

pool dhcppool

ACL 198

Save-password

PFS

netmask 255.255.255.0

!

!

Crypto ipsec transform-set-SECURE 3DES esp-3des esp-sha-hmac

!

Crypto-map dynamic dynmap 10

86400 seconds, life of security association set

game of transformation-3DES-SECURE

market arriere-route

!

card crypto client cryptomap of authentication list drauthen

card crypto isakmp authorization list drauthor cryptomap

client configuration address card crypto cryptomap answer

map cryptomap 65535-isakmp ipsec crypto dynamic dynmap

!

interface GigabitEthernet0/0

NAT outside IP

IP 1.2.3.4 255.255.255.240

cryptomap card crypto

!

interface GigabitEthernet0/1

IP 192.168.1.254 255.255.255.0

IP nat inside

!

IP local pool dhcppool 192.168.2.50 192.168.2.100

!

Note access-list 198 * Split Tunnel encrypted traffic *.
access-list 198 allow ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

!
Note access-list 199 * NAT0 ACL *.
access-list 199 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 any

!

Sheep allowed 10 route map
corresponds to the IP 199

!
IP nat inside source map route sheep interface GigabitEthernet0/0 overload

!

IP nat inside source static 192.168.1.1 1.2.3.5
IP nat inside source static 192.168.1.2 1.2.3.6

The problem seems to be that static NAT take your nat exemption.

The solution would be:

IP nat inside source static 192.168.1.1 1.2.3.5 sheep map route
IP nat inside source static 192.168.1.2 1.2.3.6 sheep map route

HTH

Herbert

public static nat/global vs

Similar Questions

Maybe you are looking for