Public static political static NAT in conflict with NAT VPN
I have a situation where I need to create a VPN site-to site between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises where the LAN behind the Cisco ASA has the same subnet an existing VPN currently created on the Sonicwall. Since the Sonicwall cannot have two VPN both run on the same subnet, the solution is to use policy NAT on the SAA as well as for the Sonicwall, the new VPN seems to have a different subnet.
The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a private network virtual created for another customer with the same subnet). I try to translate it to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The ASA relevant configuration is:
interface Vlan1
IP 192.168.10.1 255.255.255.0
access extensive list ip 192.168.24.0 outside_1_cryptomap allow 255.255.255.0 10.159.0.0 255.255.255.0
list of access VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0
public static 192.168.24.0 (inside, outside) - list of VPN access
card crypto outside_map 1 match address outside_1_cryptomap
In addition, there are other static NAT instructions and their associated ACLs that allow certain traffic through the firewall on the server, for example:
public static tcp (indoor, outdoor) interface smtp SERVER smtp netmask 255.255.255.255
The problem is this: when I enter the static strategy statement NAT, I get the message ' WARNING: real-address conflict with existing static "and then it refers to each of the static NAT statements reflecting the external address to the server. I've thought about it, and it seemed to me that the problem was that policy NAT statement must be the first statement of NAT (it is the last one) so that it is run first and all traffic destined to the VPN to the Sonicwall (destination 10.159.0.0/24) tunnel would be properly treated. If I left him as the last statement, then the other static NAT statements would prevent a part of the 10.159.0.0/24 network-bound traffic to be correctly routed through the VPN.
So, I tried first to my stated policy NAT upward in the ASDM GUI interface. However, moving the declaration was not allowed. Then I tried to delete the five static NAT statements that point to the server (an example is above) and then recreate them, hoping that would then move up the policy statement NAT. This also failed.
What Miss me?
Hello
I assumed that we could have changed the order of the 'static' , the original orders, but as it did not work for some reason any then it seems to me that you suggested or change, that I proposed should work.
I guess that your purpose was to set up static political PAT for the VPN for some these services, then static PAT of public network access, then static NAT to policy for the rest of the network in-house.
I guess you could choose any way seems best for you.
Let me know if get you it working. I always find it strange that the original configuration did not work.
Remember to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary
-Jouni
Tags: Cisco Security
Similar Questions
-
public static nat/global vs
Excluding an access list, what is the difference between:
NAT (inside) 1 172.16.5.10 net 255.255.255.255
192.168.5.10 (outside) 1 global net 255.255.255.255
and
static (inside, outside) 1 192.168.5.10 172.16.5.10 net 255.255.255.255
Thank you.
in static reality must be combined with the access list for a two-way communication... You are right in a sense that
public static nat/global access-list =
Basically, the rule is that the traffic is allowed more high to low infterface of default security
BUT
from the lowest to the highest security of communication you need an access as well as the STATIC list
Thank you
Nadeem
-
Public static NAT vs. Access-List
Hello
I have a question what is the best practice static NAT and access list. Example:
Server (192.168.1.1) Web inside to outside (10.10.10.10) with the port 80 and 443.
IP nat inside source static tcp 192.168.1.1 80 10.10.10.10 80
IP nat inside source static tcp 192.168.1.1 10.10.10.10 443 443
Or
IP nat inside source static 192.168.1.1 10.10.10.10
Access-list 101 permit tcp any host 10.10.10.10 eq 80
Access-list 101 permit tcp any host 10.10.10.10 eq 443
interface ethernet0
IP access-group 101 inThank you
The operational reasons - it will break things.
-
Political L2L NAT and static NAT VPN
Here's the scenario: I'm to establish a VPN L2L. When you try to determine who hosts inside my network access hosts on the remote network through the VPN, I can't get a straight answer from officials.
My thought was to use a private network of 10.17.24.0/24 and NAT all hosts on my inside the network to 10.17.24.x. As a side note, the hosts of my inner network can be on any subnet in the beach of 172.12.x.0. I would then put 10.17.24.0/24 in my interesting traffic for my ACL crypto. From the hosts inside my network need to browse Internet AND communicate with hosts on the remote network through the VPN, I was going to try to do this with policy NAT. is it possible to use NAT policy in this case? Or what I need to use static? I start with static but could not navigate the Internet eventually. I know I'm missing something with the static, but can not understand. I'm still pretty new to all this stuff so please forgive my ignorance.
For example:
access-list allowed NAT1 host ip 172.21.1.1 REMOTEL2L_SUBNET
access-list allowed NAT2 host ip 172.21.2.5 REMOTEL2L_SUBNET
access-list allowed host ip 172.21.15.7 REMOTEL2L_SUBNET VIH3static (in, out) 10.17.24.1 access-list NAT1
static (in, out) 10.17.24.2 access-list NAT2
static (in, out) 10.17.24.3 access-list VIH3The above configuration will be NAT 172.21.1.1 to 10.17.24.1 when you go to the remote subnet (across the L2L).
The same behavior for other hosts.
The important thing is that the ACL for crypto will come from the address using a NAT:
list of allowed VPN ip 10.17.24.1 REMOTEL2L_SUBNET host access
list of allowed VPN ip 172.17.24.2 REMOTEL2L_SUBNET host access
list of allowed VPN ip 172.17.24.3 REMOTEL2L_SUBNET host accessOr just the whole subnet:
VPN ip 172.17.24.0 access list allow 255.255.255.0 REMOTEL2L_SUBNET
The important thing is that interesting traffic matches at both ends!
In addition, you can still provide Internet and local as normally...
Internet access:
NAT (inside) 1 172.21.0.0 255.255.0.0
Global 1 interface (outside)
It will be useful.
Federico.
-
Static NAT with the road map for excluding the VPN
We have problems of access to certain IPs NATted static via a VPN. After some research, we have learned that you have to exclude traffic destined for the VPN to the static NAT using a road map. So we did this:
10.1.1.x is the VPN IP pool.
access-list 130 refuse ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 allow ip 192.168.1.0 0.0.0.255 anysheep allowed 10 route map
corresponds to the IP 130IP nat inside source static 192.168.1.5 1.1.1.1 sheep map route
Above worked to fix the VPN but the IP 192.168.1.5 is no longer publicly available via 1.1.1.1. What seems to happen, is that the static NAT is not really work and this IP address is NATted with the IP of PAT.
Any ideas on how to get this to work?
Thank you
DiegoHello
The following example details exactly your case:
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094634.shtml
Try to replace the 192.168.1.0 subnet by the host address.
It should work
HTH
Laurent.
-
Static NAT problem with PIX501
Hi all
We have problems with our PIX firewall. We have configured PIX 501 with static NAT for our Web server. Here's the running configuration.
6.3 (4) version PIX
interface ethernet0 car
interface ethernet1 100full
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
pixfirewall hostname
domain ciscopix.com
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
access-list 101 permit tcp any host x.x.x.26 eq www
access-list 101 permit tcp any host x.x.x.26 EQ field
access-list 101 permit udp any host x.x.x.26 EQ field
pager lines 24
Outside 1500 MTU
Within 1500 MTU
IP address outside x.x.x.28 255.255.255.248
IP address inside 192.168.90.1 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
location of PDM 192.168.90.0 255.255.255.0 inside
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside, outside) x.x.x.26 192.168.90.3 netmask 255.255.255.255 0 0
Access-group 101 in external interface
Route outside 0.0.0.0 0.0.0.0 x.x.x.25 1
Route inside 192.168.1.0 255.255.255.0 192.168.90.2 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + 3 max-failed-attempts
AAA-server GANYMEDE + deadtime 10
RADIUS Protocol RADIUS AAA server
AAA-server RADIUS 3 max-failed-attempts
AAA-RADIUS deadtime 10 Server
AAA-server local LOCAL Protocol
Enable http server
http 192.168.90.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Telnet timeout 5
SSH timeout 5
Console timeout 0
Terminal width 80
: end
the problem is the configuration, we are unable to access the web server both inside and outside the network.
All input will be greatly appreciated.
Kind regards
udimpas
activate icmp backtrace and then ping the x.x.x.26 of the internet. the output should be as below:
3363574:-out ICMP echo request: ID = 21834 seq = 1202 length = 80
3363575: ICMP echo request: external untranslating: inside: 192.168.90.3
3363576: ICMP echo-reply from the inside: 192.168.90.3 ID = 21834 seq = 1202 length = 80
3363577: response to ICMP echo -: translate inside: 192.168.90.3 out:
by doing this, you can 1. Check the nat 2. If the server responds to the internet.
do not forget to allow incoming icmp:
access-l 101 permit icmp any one
-
Dual active/passive failover of ISP with static Nat on Cisco 1941
Hello world
I'm working on a configuration of a client and I have everything in place right now except the NAT' static ing. The config fails during an ISP to another and track als and routes by default static weighted, the PAT rocking with course to each interface maps. It is, is it possible to switch on the large amount of static NAT entries to the ISP of backup? So far, everything I've read said no because you can have only one entry per ip/port combo, other than another configuration static NAT double server with a different IP address. I just want to be sure before making my recommendations, all thoughts are greatly appreciated.
Thank you
Brandon
In fact, you can also long as you use standard NAT ("ip nat inside source static") or not NVI ('ip nat static source') for your attackers. You apply the roadmap by the end of the static NAT statement to indicate which interface it should apply to. So, if you have something like this:
ip access-list extended ACL_NAT permit ip 192.168.0.0 255.255.255.0 any ! route-map RM_NAT_ISP1 match ip address ACL_NAT match interface GigabitEthernet0/1 ! route-map RM_NAT_ISP2 match ip address ACL_NAT match interface GigabitEthernet0/2
Using port 80/tcp for example, you can do this:
ip nat inside source static tcp x.x.x.x 80 y.y.y.y 80 route-map RM_NAT_ISP1 ip nat inside source static tcp x.x.x.x 80 z.z.z.z 80 route-map RM_NAT_ISP2
Just replace x.x.x.x with the LAN address of the machine that you are shipping y.y.y.y with the WAN address you are shipping on isps1 and z.z.z.z with the address of the ISP WAN you are shipping on ISP2. The static NAT will be conditional on the roadmap, at this point.
This works with TCP, UDP, and IP forwarding, but does not require that you use an IPv4 address to your WAN address. For some reason, it does not work if you use an interface... so if you're using dynamic addresses, it will be more complicated.
-
VPN with static nat for a whole subnet
Hey there,
For some reason, I can't do this on the router. Errrr...
I'm trying to config a static nat (many to one), which will be in effect only when traffic needs to go on our vpn tunnel to the remote location.
example:
internal LAN 192.168.0.0
remote network: 10.10.10.0 and 10.10.15.0
When traffic passes over the tunnel vpn - at the remote site, I need to translate my internal network (192.168.0.0) to an ip address 172.16.32.65 static
any ideas?
also on my crypto map ACL, which must be specified for interesting traffic? my local network or static ip address search?
Let me know your thoughts on the matter.
Kind regards
R.
NAT you describe is named PAT or overload, at least in terms of Ciscos...
What you need:
(1) a NAT - ACL when you describe your traffic which should be natted.
(2) a nat pool with your 172.16.32.65 address
(3) a statement-NAT for dynamic NAT inside based on the ACL for the pool
Here are some examples:
Your crypto ACL then referred to the NATted IP as NAT happens before encryption.
-
Help with public static functions.
Hey everyone, I worked on a problem for a while and have finally understood just wrong. Google is not helped me to find the right way, so I'm posting it here. I sort of understand what's wrong with my code, but I have no idea how to do right. I'm a total noob to AS3, this is my first project.
I have a main FLA file called game.fla with nothing on the stage, starting with. The document class is Main.as (shown below). The main class is supposed to manage the switching between the preLoader, mainMenu and game itself. The preloader loads and the player must press play to go to the main menu. The main menu is controlled by MainMenu.as, which adds event listeners for buttons game, instructions and credits. At the present time, instructions and credits just draw responses. When you click on play, I want to remove the mainmenu (not a problem with parent.removeChild (this)); and add the game. This is my problem comes in. I can't say parent.addChild (game), because honestly, I don't know how (I need to set a variable in hand or MainMenu and must it be public, static, etc?). Simplicity seems to be a function called initializeGame() that I could simply call of mainMenu. Problem: I have to do a static function, which doesn't let me use addChild, removeChild or any other variable that I create. Could someone please explain how I could do this job (even if it means change my structure. "I would be happy to learn a better way to deal with this kind of thing). Also, on a side note: if I can't use the static function with add or remove a child, can I optimize the effect later? I want later in my game, that I would need to call functions between classes, on a button click, for example, that affect the scene (or objects in the scene). Can I do it another way? For example, by clicking on an icon of the video game card clip, I would map the movieclip to load. A function that could be described seems the best way to do it, but I'm sure he can otherwise. Thank you much in advance. My code is below.
Main.As
package { import flash.display.MovieClip; import flash.events.Event; import flash.events.MouseEvent; public class Main extends MovieClip { private var preLoader:PreLoader; private var mainMenu:MainMenu; private var game:Game; public function Main() { preLoader = new PreLoader; addChild(preLoader); preLoader.gotoAndStop(1); addEventListener(Event.ENTER_FRAME, barLoading); } private function barLoading(event:Event):void { var total:Number = stage.loaderInfo.bytesTotal; var loaded:Number = stage.loaderInfo.bytesLoaded; preLoader.loadingBar.scaleX = loaded/total; if (loaded==total) { removeEventListener(Event.ENTER_FRAME, barLoading); preLoader.gotoAndStop(2); preLoader.doneLoading.addEventListener(MouseEvent.CLICK, doneLoading); loaded = null; total = null; } } private function doneLoading(event:MouseEvent):void { preLoader.doneLoading.removeEventListener(MouseEvent.CLICK, doneLoading); mainMenu = new MainMenu; addChild(mainMenu); removeChild(preLoader); } static public function initializeGame():void { game = new Game; removeChild(mainMenu); addChild(game); } } }
MainMenu.as
package { import flash.display.MovieClip; import flash.events.Event; import flash.events.MouseEvent; public class MainMenu extends MovieClip { public function MainMenu() { playGameButton.addEventListener(MouseEvent.CLICK, playGameButtonFunction); instructionsButton.addEventListener(MouseEvent.CLICK, instructionsButtonFunction); creditsButton.addEventListener(MouseEvent.CLICK, creditsButtonFunction); } private function playGameButtonFunction(event:MouseEvent):void { playGameButton.removeEventListener(MouseEvent.CLICK, playGameButtonFunction); instructionsButton.removeEventListener(MouseEvent.CLICK, instructionsButtonFunction); creditsButton.removeEventListener(MouseEvent.CLICK, creditsButtonFunction); } private function instructionsButtonFunction(event:MouseEvent):void { instructionsButton.removeEventListener(MouseEvent.CLICK, instructionsButtonFunction); trace("instructions"); } private function creditsButtonFunction(event:MouseEvent):void { creditsButton.removeEventListener(MouseEvent.CLICK, creditsButtonFunction); trace("credits"); } } }
In addition, anny comments on my coding habits and how to improve are welcome.
in the hand
var preloader: Preloader = new Preloader (();)
preloader.addEventListener ("preloadCompleted", preloadCompletedF);
in the Preloader, loading complete:
this.dispatchEvent (new Event ("preloadCompleted"));
-
Hi all
I have the following situation
The following rules of the static nat
static (inside, outside) tcp 200.200.200.200 80 10.0.0.200 80 netmask 255.255.255.255
static (inside, outside) 200.200.200.200 tcp 8080 10.0.0.200 80 netmask 255.255.255.255
I would redirect all packets destined for port 8080 and 80 IP address 200.200.200.200,
to the private IP address on port 80 10.0.0.200.
I tried to do that the ASA said there is already a rule, there is a way it be done?
Kind regards.
I don't think you can use port forwarding using the same local destination IP on port 80 in this way, fw will give you duplicate static entries.
You can however get around and give 10.0.0.200 NIC a secondary IP address i.e. 10.0.0.201 and make electricity as follows.
static (inside, outside) tcp 200.200.200.200 www 8080 10.0.0.201 netmask 255.255.255.255
static (inside, outside) tcp 200.200.200.200 80 10.0.0.200 80 netmask 255.255.255.255
See examples of port forwarding
http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml
concerning
-
Static nat problem on ASA (v8.2)?
Tring to add a new rules static nat, but it seems that I have a not able to do
Public IP 10.10.10.10
20.20.20.20 inside the LAN IP address
try adding:
FW (config) # static (inside, outside) tcp 10.10.10.10 https 20.20.20.20 https netmask 255.255.255.255
ERROR: mapped address conflict with existing static
inside: 20.20.20.20 outside: 10.10.10.10 netmask 255.255.255.255
The rule with the same public IP already existing, but pointing to the different internal LAN IP address:
static (inside, outside) 10.10.10.10 20.20.20.21 netmask 255.255.255.255
Please advice how to solve this problem.
Thank you!
Hi Vuèko,
Please change your existing static nat to a particular port instead of letting it as ip to ip nat.
"static (inside, outside) 10.10.10.10 20.20.20.21 netmask 255.255.255.255".
And then you can add second static nat to a different IP address (i.e. within the intellectual property) and it will take it and it should work.
Thank you
Rizwan Muhammed.
-
Apart from the demilitarized zone or static NAT?
Hello!
I'm trying to implement the static translation from outside my network in DMZ. I tried with nat, global and static use but failed with both. The problem is that packets are go to the servers in the DMZ but nothing is returned to the sender. Also, when I try to access a Web server in DMZ I get SYN timeout.
The traffic of my LAN (inside) local DMZ works as it should however.
-Important conf--->
access-list ON scope allowed any ip a
Global interface (dmz) 12
NAT (outside) - 12 OUT out access list
Access-group OUT in the interface outside
no nat control
-more than information--->
Interior - the security of IP 10.0.13.1 level 100
DMZ - security level 50, IP 172.16.13.1
outer - level 0, the security of IP 192.168.13.2
Bastionhost = Web server
-See the nat--->
Policy NAT outside interface:
match any ip outside any demilitarized zone
dynamic translation to the pool of 12 (172.16.13.1 [Interface PAT])
translate_hits = 2, untranslate_hits = 0
When I used static instead of nat, overall I had so many untranslate_hits I sent to servers in DMZ.
-Debug--->
Built dynamic TCP translation of outside:192.168.13.5/1316 to dmz (OUT): 172.16.13.1 / 1028
Built of 469 for incoming TCP connections to dmz:bastionhost (172.16.13.1/1028) outside:192.168.13.5/1316 / (bastionhost/80) 80
Disassembly of the TCP dynamic translation of outside:192.168.13.5/1317 to dmz (OUT): 172.16.13.1 / 1029 0 duration: 00:39
Disassembly TCP 473 for outside:192.168.13.5/1318 to dmz:bastionhost connection / 80 0 duration: 00:30 bytes 0 SYN Timeout
Thank you.
Your following config is fine, your bastionhost here with a public IP address of mapping that will allow the access server to the internet as well.
allowed any icmp extended WEB access list a--> add this option to test accessibility outside bastionhost / internet and remove it later.
IP any host 192.168.14.5-> or add 'eq www' to specify the port allow Access - list extended WEB.
static (dmz, outside) tcp 192.168.14.5 www bastionhost www netmask 255.255.255.255
group-access WEB interface outside
You can omit the next part that meant allowing internet access only, bastionhost not allowing users to access.
Global 1 192.168.14.5 (outside)
NAT (dmz) 1 bastionhost 255.255.255.255
BTW, what is the State of the road looks like?
-
Cisco IOS - how config static nat to NAT on the VPN
Hello world
I need help.
I configured a VPN site-to site between two routers IOS. One of the routers already had a static NAT (172.16.100.1 inside to the public IP address), but this static NAT prevents remote VPN hosts access to the 172.16.100.1 home as it tries to the response to public IP NAT router configured.
Does anyone know how to use static NAT for the inside to the outside, but don't not NAT inside to outside VPN traffic?
I know how to make using a roadmap for "overload" dynamic NAT, but I can't? t see how you can use a roadmap on the static NAT statement.
You can provide any help would be appreciated.
Chris
Hi Chris
Take a look at the document atatched with gives a few examples of the very thing you are trying to do.
http://www.Cisco.com/en/us/products/SW/iosswrel/ps1839/products_feature_guide09186a0080087bac.html
HTH
Jon
-
Cannot ping via the VPN client host when static NAT translations are used
Hello, I have a SRI 3825 configured for Cisco VPN client access.
There are also several hosts on the internal network of the static NAT translations have a services facing outwards.
Everything works as expected with the exception that I cannot ping hosts on the internal network once connected via VPN client that is internal IP addresses have the static NAT translations in external public addresses, I ping any host that does not have static NAT translation.
For example, in the example below, I cannot ping 192.168.1.1 and 192.168.1.2, but I can ping to the internal interface of the router, and any other host on the LAN, I can ping all hosts in the router itself.
Any help would be appreciated.
Concerning
!
session of crypto consignment
!
crypto ISAKMP policy 10
BA 3des
preshared authentication
Group 2
!
ISAKMP crypto client configuration group vpnclient
key S3Cu4Ke!
DNS 192.168.1.1 192.168.1.2
domain domain.com
pool dhcppool
ACL 198
Save-password
PFS
netmask 255.255.255.0
!
!
Crypto ipsec transform-set-SECURE 3DES esp-3des esp-sha-hmac
!
Crypto-map dynamic dynmap 10
86400 seconds, life of security association set
game of transformation-3DES-SECURE
market arriere-route
!
card crypto client cryptomap of authentication list drauthen
card crypto isakmp authorization list drauthor cryptomap
client configuration address card crypto cryptomap answer
map cryptomap 65535-isakmp ipsec crypto dynamic dynmap
!
interface GigabitEthernet0/0
NAT outside IP
IP 1.2.3.4 255.255.255.240
cryptomap card crypto
!
interface GigabitEthernet0/1
IP 192.168.1.254 255.255.255.0
IP nat inside
!
IP local pool dhcppool 192.168.2.50 192.168.2.100
!
Note access-list 198 * Split Tunnel encrypted traffic *.
access-list 198 allow ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255!
Note access-list 199 * NAT0 ACL *.
access-list 199 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 any!
Sheep allowed 10 route map
corresponds to the IP 199!
IP nat inside source map route sheep interface GigabitEthernet0/0 overload!
IP nat inside source static 192.168.1.1 1.2.3.5
IP nat inside source static 192.168.1.2 1.2.3.6The problem seems to be that static NAT take your nat exemption.
The solution would be:
IP nat inside source static 192.168.1.1 1.2.3.5 sheep map route
IP nat inside source static 192.168.1.2 1.2.3.6 sheep map routeHTH
Herbert
-
Two static NAT/PAT instructions
Hello
I have a PIX 515 running PIX OS 7.0, and I have a server behind the PIX with a static translation entry.
I was invited as a remote site must connect to the SQL service running on this computer, but the site connects to a non Standard-SQL TCP port, so I thought that I can use a static PAT (port forwarding), but I wonder... can I keep the existing static NAT and add the static PAT? !!! Furthermore, the rest of the remote sites will connect to the same SQL service on the standard port and there are more services running on the server that will be accessible from the outside.
The server is online, so I won't add the static PAT before you make sure that it will run smoothly...
Thnx, Salem.
Hi Salem,
First, I entered this static NAT command:
static (inside, outside) 1.2.3.4 10.0.0.1 netmask 255.255.255.255
This static PAT order tracking:
static (inside, outside) tcp 1.2.3.4 http 10.0.0.1 netmask 255.255.255.255 http
and got this error message:
ERROR: mapped address conflict with existing static
This suggests that it is not possible.
Kind regards
Tom
Maybe you are looking for
-
Shot on Photos in iCloud on Mac by mistake and lost all the photos on Mac - Help!
Do not think, I clicked Photos in iCloud as it was checked, and then when I plugged in my phone, all my photos on my Mac has disappeared and a were replaced by the Photo library that I have on my iPhone. How can I get my pictures back? What I can? Th
-
Which versions of Android application mobile Firefox is compatible?
I have a LG Optimus L (LS670 and apparently Android 2.3 version) and Google game shows the plug is not compatible with my phone.
-
Is this an authentic message or scam?
I received this email and I was wondering if it was genuine or a scam? HP discovered that some P66xx and S56xx and desktop HPE - 4xxModels built in June / July 2010 deadline have maps systemwith a slightly higher than expected failure rates. Based on
-
How to slow down the audio Windows Player speed, for language learning purposes?
How to slow down the audio Windows Player speed, for language learning purposes?
-
HP Photosmart A510: Hp Photosmart A510 Error Message SD HD card
I have a Nikon Cool Pix using a 32 GB SDHC card. I get the card access error. See owners manual error. I followed the instructions and formatted the card once again lose all my photos stored. Then I checked the tab on the SD card was not in the locke