Static translations on the PIX

Just a quick question I'd like to put on the table. I have a PIX 515 with a total of four DMZs. I had to configure static mappings in the DMZ for some servers. Here's my question. There are three types of static translations:

High and low refer to security levels.

1. static (high, low) high low

2. static (high, low) high high

3. ????

What is the third static configuration and what would it be used for?

Thanks in advance

Like this?

http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/cmdref/s.htm#1026694

Happy we could help.

Scott

Tags: Cisco Security

Similar Questions

  • Configuring an "inverted" static translation

    I am trying to configure a PIX with an "inverted" static translation.

    If I understand correctly, with a conventional static translation, if I want my inside host (10.10.10.10) to be 'visible' on the outside interface as 192.168.5.5, my config would be:

    static (inside,outside) 192.168.5.5 10.10.10.10 netmask 255.255.255.255

    However, I have an outside host (203.203.203.203) that I want to be 'visible' on the inside interface as 10.10.11.11. I would have thought the config would be:

    static (outside,inside) 10.10.11.11 203.203.203.203...

    but it does not work. Is this possible and if so, how?

    Thanks in advance.

    Jon

    FYI, here is a good URL.

    http://www.Cisco.com/warp/public/707/28.html#topic12

  • Maximum static translations

    Hi all

    I have a PIX 520 with 16 MB of flash and 128 MB of RAM. Does anyone know the maximum number of static translations you can have in the configuration? I would like to statically translate around a class B, just for outgoing traffic.

    Thank you

    Steve

    Hello

    The number of static translations depends on the amount of RAM you have. Each translation takes 128 bytes of memory... maybe that is useful for your calculation...

    Regards

    Pauline

  • Overview of translation on the PIX

    Hi guys,

    I'm after an explanation of how to use static and dynamic translation on a PIX. I have read a few books and a few Cisco documents, but they all explain the syntax and its settings. So now I'm more confused than ever, as every book explains it a different way.

    What I'm after is an overview of this topic. For example, if we have the below:

    static (outside,inside) 172.16.20.1 192.168.1.1 netmask 255.255.255.255

    What does that mean exactly?

    Does it mean: translate the inside IP 192.168.1.1 to 172.6.20.1 when it needs access to the outside? Or does it mean something else?

    I understand that it is mandatory to use (dynamic or static) translation between a low security level and a high security level. I have also heard that you have either translation or NAT when you go between 2 security levels! Is this true, and what are the real rules here?

    I'm after a good document which explains the concepts, not just the syntax.

    If someone out there has come across such a document, I'd greatly appreciate it if they could share the link with me.

    See you soon,

    Daniel

    Hi Daniel,

    Please read inline:

    High security level to low security level requirements:

    1. Mandatory: static or dynamic (preferred) translation

    Yes (for 6.3 code you can use static, nat 0, NAT exemption, nat/global. For code 7.0 and later you can use "nat-control" or "no nat-control".)

    2. Optional: access list

    Yes (by default all traffic is allowed; if you want to filter access you would use an ACL, but don't forget that the ACL has an implicit deny at the end)

    Low security level to high security level requirements:

    1. Mand atory: static translation

    Yes and no. Instead of using a static translation you can use NAT exemption, for example; it depends on your needs, but I recommend getting used to static translations.

    2. Mandatory: access list

    Yes

    In the 2 cases above, we write:

    static (high-security interface, low-security interface) "IP to be translated to" "real IP address"

    That is: static (inside,outside) 172.1.1.1 10.120.1.1 netmask 255.255.255.255

    to allow outside access to our internal web server using 172.1.1.1, which has the local IP 10.120.1.1

    Yes, but don't forget the other 50% of the configuration, which is the ACL. Something like:

    access-list allow permit tcp any host 172.1.1.1 eq 80
    access-group allow in interface outside

    The first rule allows "everything" (any host on the public network) access to "172.1.1.1" on TCP port 80

    The second statement applies the rule to the outside interface

    The above static command can also be interpreted as: if host 10.120.1.1 is to have access to the outside, then translate its IP to 172.1.1.1, right?

    Yes

    Now, if you need to translate an outside address (209.165.202.1) on its way inside (to 192.168.10.1), we write:

    static (outside,inside) 192.168.10.1 209.165.202.1 netmask 255.255.255.255

    That's called outside NAT and can get a little complicated. Unfortunately there's no document that explains it properly, so let me put one together for you and send it later.

    The only confusion I had is with static (inside,outside). I always thought it was used in one direction only, from the inside to the outside (that is, for outside access to the inside), but as I read it, it is used the other way too.

    The static translation rule is bidirectional, so access is allowed from high to low and from low to high.

    Let me know if you need more information.

    Franco Zamora

  • Static translation with port forwarding

    Hello

    I have a scenario in which two public IP addresses (one for HTTP requests and the other for SMTP/SSL for OWA) must be translated to a single inside IP, that of the ISA Server in the DMZ. Please suggest the best practice. I know that we cannot do a NAT because two IP addresses cannot translate into one. Is using static translation with port forwarding the best practice for accessing the ISA server for OWA? What is the best security that can be applied here? I'm going to redirect only requests to ports 80, 8080, 25, 443 and 110. I'll also create an access list to allow only these ports.

    I need to recommend this to a client. Please advise.

    Thank you

    Kevin

    Port forwarding is the best way to go here. As you already know, you can't enter a static for two outside IPs pointing to one inside IP (or vice versa), but statically mapping ports will work just fine. Likewise, simply allow these ports in your inbound ACL and you'll be good to go.

    You want something like the following:

    static (inside,outside) tcp x.x.x.1 80 a.a.a.1 80
    static (inside,outside) tcp x.x.x.1 8080 a.a.a.1 8080
    static (inside,outside) tcp x.x.x.2 25 a.a.a.1 25
    static (inside,outside) tcp x.x.x.2 110 a.a.a.1 110
    static (inside,outside) tcp x.x.x.2 443 a.a.a.1 443

    access-list inbound permit tcp any host x.x.x.1 eq 80
    access-list inbound permit tcp any host x.x.x.1 eq 8080
    access-list inbound permit tcp any host x.x.x.2 eq 25
    access-list inbound permit tcp any host x.x.x.2 eq 110
    access-list inbound permit tcp any host x.x.x.2 eq 443

    access-group inbound in interface outside

    where x.x.x.[1|2] are your public IP addresses and a.a.a.1 is your inside server.

  • Static to the PIX outside address

    I am trying to get a configuration (PIX 501) which allows inside clients access to the outside and also allows outside access to an in-house SMTP mail server. From what I have tried, it seems that I can't use the outside IP address of the PIX in a static (inside,outside) command. If I do, other clients' access to the outside world is denied.

    So far I couldn't find any documentation about it. Can someone point me in the right direction please?

    Hi Morris,

    I don't know what the other guys are talking about, but it seems to me that they do not exactly understand your question and are giving you wrong information.

    In my opinion you want to translate all your inside source addresses to the address of the outside interface. That is already configured correctly, as I saw in your config file. Indeed, these two commands are correct:

    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    What bothers you is that you want your mail server to be reachable from the outside for SMTP. The command you tried is:

    static (inside,outside) interface MyServer netmask 255.255.255.255

    And it does not work.

    The command you need is the following:

    static (inside,outside) tcp interface 25 MyServer 25 netmask 255.255.255.255

    This static creates the translation for TCP port 25 (SMTP) on the outside interface address to port 25 of your inside server.

    I also advise you to change the line "access-list outside_access_in permit tcp any any eq smtp" to "access-list outside_access_in permit tcp any host 209.164.3.5 eq smtp".

    Putting it all together, the changes you must make are:

    no static (inside,outside) interface MyServer netmask 255.255.255.255
    static (inside,outside) tcp interface 25 MyServer 25 netmask 255.255.255.255
    no access-list outside_access_in permit tcp any any eq smtp
    access-list outside_access_in permit tcp any host 209.164.3.5 eq smtp

    Finally do a clear xlate and it will work.

    Best regards and good luck,

    Leo

  • DNS and static translations

    I have a web server in my DMZ. From the DMZ, the computers cannot be reached by name. The problem is that DNS returns the (real) outside IP. I need the DMZ to translate it into the local IP address. I use PDM, so I'm not using aliases. Any help would be appreciated.

    You can do this with the [static] command and the "dns" option:

    static (dmz,outside) 123.123.123.123 192.168.1.1 dns netmask 255.255.255.255 [the dns keyword tells the PIX to do DNS doctoring for this translation, because DNS resolves the name to the public IP address]

    static (dmz,inside) 123.123.123.123 192.168.1.1 netmask 255.255.255.255 [allows the inside hosts to connect to the public IP found in DNS, and it translates to the private IP on the way into the DMZ]

    Make sure you do a [clear xlate] after the changes.

    If you are running a version below 6.2, you will have to use [alias] on the PIX.

  • PIX statics & ACLs

    Which is applied first on an inbound filter (access-group ... in interface outside): the static or the ACL?

    For example...

    Let's say I want all outside hosts trying to reach 10.7.7.21 in DMZ7 to use 192.1.24.21...

    static (DMZ7,outside) 192.1.24.21 10.7.7.21 netmask 255.255.255.255

    Now, I want to allow only outside users on 205.15.25.0/24 to use HTTP on the redirected DMZ7 host 10.7.7.21.

    Since 10.7.7.21 has been translated to 192.1.24.21, do I use...

    access-list to permit tcp 205.15.25.0 255.255.255.0 host 10.7.7.21 eq www

    OR

    access-list to permit tcp 205.15.25.0 255.255.255.0 host 192.1.24.21 eq www

    TIA

    Because this access list is bound to the outside interface, you need the IP address as it appears on the outside interface. So your second access list line is the correct one:

    access-list to permit tcp 205.15.25.0 255.255.255.0 host 192.1.24.21 eq www

  • PIX 515 (7.0(2)) and static port translation

    Just trying to forward a port from the outside to a device sitting on the 'inside' interface, but getting the following in the logs:

    %PIX-2-106006: Deny inbound UDP from 66.21.215.238/50507 to client_routable_address/6881 on interface outside
    %PIX-2-106006: Deny inbound UDP from 62.141.54.206/6881 to client_routable_address/6881 on interface outside
    %PIX-2-106006: Deny inbound UDP from 84.217.31.157/6881 to client_routable_address/6881 on interface outside

    The config:

    access-list 101 extended permit icmp any any echo-reply
    access-list 101 extended permit icmp any any source-quench
    access-list 101 extended permit icmp any any unreachable
    access-list 101 extended permit icmp any any time-exceeded
    access-list 101 extended permit tcp any host client_routable_address eq 6881
    access-list 101 extended permit udp any host client_routable_address eq 6881
    global (outside) 3 client_routable_address
    nat (BCM) 3 0.0.0.0 0.0.0.0
    static (BCM,outside) tcp 192.168.20.10 6881 client_routable_address 6881 netmask 255.255.255.255
    static (BCM,outside) udp 192.168.20.10 6881 client_routable_address 6881 netmask 255.255.255.255
    access-group 101 in interface outside

    The static translations are there in "show xlate":

    # sh xlate
    50 in use, 957 most used
    PAT Global client_routable_address(6881) Local 192.168.20.10(6881)
    PAT Global client_routable_address(6881) Local 192.168.20.10(6881)

    The "6881" entries of ACL 101 are not getting any hits:

    # sh access-list 101
    access-list 101; 7 elements
    access-list 101 line 1 extended permit icmp any any echo-reply (hitcnt=0)
    access-list 101 line 2 extended permit icmp any any source-quench (hitcnt=10)
    access-list 101 line 3 extended permit icmp any any unreachable (hitcnt=10279)
    access-list 101 line 4 extended permit icmp any any time-exceeded (hitcnt=265)
    access-list 101 line 5 extended permit tcp any host client_routable_address eq 6881 (hitcnt=0)
    access-list 101 line 6 extended permit udp any host client_routable_address eq 6881 (hitcnt=0)

    Am I missing something obvious?

    Hello

    I think you've got your static lines reversed; they should be:

    static (BCM,outside) tcp client_routable_address 6881 192.168.20.10 6881 netmask 255.255.255.255

    Assuming that 'client_routable_address' is your public IP and BCM is your 'inside' or 'DMZ' interface.

    Salem.
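As an added example (not code from any of the posts above, nor from Cisco), here is a small Python model of the rule that the port-forwarding thread, the "PIX statics & ACLs" thread and the 7.0(2) thread all turn on: the ACL bound to the outside interface must name the global (outside-visible) address, a static must exist before anything can come in, and a static written with its arguments reversed leaves the public address with no translation at all. It parses static, access-list and access-group lines in the syntax used above. Assumptions: the static lookup is done before the ACL is consulted (which is what the hitcnt=0 counters in the 7.0(2) thread suggest), symbolic names such as client_routable_address resolve through a constructed NAMES table, and acl_out / DMZ7_CONFIG are constructed sample input.

```python
"""Model of PIX static translation plus inbound ACL evaluation.

Added example, not code from the forum or from Cisco. Assumption: the static
lookup runs before the ACL check (what hitcnt=0 in the PIX 7.0(2) thread
suggests); symbolic names resolve through the constructed NAMES table."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

NAMES = {"client_routable_address": "198.51.100.10"}  # constructed sample value
PORT_NAMES = {"www": 80, "http": 80, "smtp": 25, "https": 443, "pop3": 110}

def _ip(token):  # resolve a config token to an address (symbolic names via NAMES)
    return ipaddress.ip_address(NAMES.get(token, token))

@dataclass
class Static:
    high_if: str
    low_if: str
    proto: str                 # "ip" for a plain static, "tcp"/"udp" for a port static
    global_ip: ipaddress.IPv4Address
    global_port: Optional[int]
    real_ip: ipaddress.IPv4Address
    real_port: Optional[int]

@dataclass
class Ace:
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]
    hitcnt: int = 0

def parse_static(line):
    """static (high,low) [tcp|udp] GLOBAL [GPORT] REAL [RPORT] [netmask ...]"""
    m = re.match(r"static\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s*(.*)", line, re.I)
    high, low, t = m.group(1), m.group(2), m.group(3).split()
    if t[0].lower() in ("tcp", "udp"):
        return Static(high, low, t[0].lower(), _ip(t[1]), int(t[2]), _ip(t[3]), int(t[4]))
    return Static(high, low, "ip", _ip(t[0]), None, _ip(t[1]), None)

def _addr(t, i):
    """Parse 'any' | 'host X' | 'NET MASK' starting at token index i."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(f"{_ip(t[i + 1])}/32"), i + 2
    return ipaddress.ip_network(f"{_ip(t[i])}/{t[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]"""
    t = line.split()
    i = 3 if t[2] == "extended" else 2
    action, proto = t[i], t[i + 1]
    src, i = _addr(t, i + 2)
    dst, i = _addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(t[1], action, proto, src, dst, port)

class Pix:
    def __init__(self, config):  # statics, ACLs and access-group bindings from config text
        self.statics, self.acls, self.groups = [], {}, {}
        for line in config.strip().splitlines():
            line = line.strip()
            if line.lower().startswith("static"):
                self.statics.append(parse_static(line))
            elif line.startswith("access-list"):
                ace = parse_ace(line)
                self.acls.setdefault(ace.name, []).append(ace)
            elif line.startswith("access-group"):  # access-group NAME in interface IF
                t = line.split()
                self.groups[t[4].lower()] = t[1]

    def inbound(self, iface, proto, src, dst, dport):
        """Evaluate a packet arriving on the low-security interface `iface`."""
        src, dst = ipaddress.ip_address(src), _ip(dst)
        xlate = next((s for s in self.statics
                      if s.low_if.lower() == iface.lower() and s.global_ip == dst
                      and (s.proto == "ip" or (s.proto == proto and s.global_port == dport))), None)
        if xlate is None:  # nothing to untranslate to: the PIX logs a 106006 deny
            return {"action": "deny", "reason": "no translation for destination"}
        for ace in self.acls.get(self.groups.get(iface.lower(), ""), []):
            if (ace.proto in ("ip", proto) and src in ace.src and dst in ace.dst
                    and (ace.port is None or ace.port == dport)):
                ace.hitcnt += 1
                if ace.action != "permit":
                    return {"action": "deny", "reason": "explicit deny"}
                real_port = dport if xlate.real_port is None else xlate.real_port
                return {"action": "permit", "high_if": xlate.high_if,
                        "real_dst": str(xlate.real_ip), "real_port": real_port}
        return {"action": "deny", "reason": "implicit deny (ACL names the real address?)"}

# Constructed config in the shape of the "PIX statics & ACLs" thread.
DMZ7_CONFIG = """
static (DMZ7,outside) 192.1.24.21 10.7.7.21 netmask 255.255.255.255
access-list acl_out permit tcp 205.15.25.0 255.255.255.0 host 192.1.24.21 eq www
access-group acl_out in interface outside
"""
```

Running `Pix(DMZ7_CONFIG).inbound("outside", "tcp", "205.15.25.7", "192.1.24.21", 80)` permits and untranslates to 10.7.7.21; the same ACL written with `host 10.7.7.21` never matches on the outside interface, and feeding in the reversed udp static from the 7.0(2) thread gives a "no translation" deny with the ACL hit counter still at zero, while Salem's corrected static makes the same packet pass.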

  • PIX 6.3 "static" address overlap?

    Hello!

    Our DMZ subnets are part of our class B 'inside' network definition, like this:

    static (dmzMail,outsideBelwue) 1.2.240.60 1.2.240.60 netmask 255.255.255.255 0 0
    [...]
    static (dmzMail,outsideBelwue) 1.2.240.52 1.2.240.62 netmask 255.255.255.255 0 0
    static (inside,dmzMail) 1.2.0.0 1.2.0.0 netmask 255.255.0.0 0 0
    static (inside,outsideBelwue) 1.2.0.0 1.2.0.0 netmask 255.255.0.0 0 0
    nat (inside) 0 1.2.0.0 255.255.0.0 0 0
    nat (dmzMail) 0 1.2.240.32 255.255.255.224 0 0

    Is this an illegal address overlap?

    Well, it is an overlap in the NAT commands and it will not work.

    Let's go through your proposed config and explain why it is not correct (it might help to understand the PIX's behaviour), so I'll quote some things and explain.

    static (dmzMail,outsideBelwue) 1.2.240.60 1.2.240.60 netmask 255.255.255.255 0 0

    Correct. The PIX creates a static translation, knows that the address 1.2.240.60/32 is on the dmzMail interface and proxy-ARPs for this address 1.2.240.60/24 on the outsideBelwue interface.

    static (dmzMail,outsideBelwue) 1.2.240.52 1.2.240.62 netmask 255.255.255.255 0 0

    I think you made a small typo here (static 52 to 62?), but this one is (like the first) correct.

    static (inside,dmzMail) 1.2.0.0 1.2.0.0 netmask 255.255.0.0 0 0

    Here you get some problems if you go with it. Why?

    Well, with this config line you actually tell the PIX that all networks in 1.2.0.0/16 are on the inside interface (and remember, with the two previous commands you said that two addresses within this space are actually on dmzMail).

    Based on this, the PIX will proxy-ARP for all addresses in 1.2.0.0/16 on the dmzMail interface, including the 1.2.240.0/24 subnet (I think that's the subnet on your dmzMail segment).

    The situation you're in with this config is also known as overlapping NAT statements, which can be a bitch to troubleshoot in complex configurations and on PIXes with a lot of traffic.

    The best thing to do here is to use the smallest subnet mask and only put statics in place for the subnets within the range which are actually used on the inside interface. I know, you have to type a few more lines :s

    The same goes for the last static command.

    If you do it this way, you don't need the nat 0 command, because the PIX already has translations in the xlate table due to the static commands in place, so users will already be able to start sessions.

    I hope this helps. If further help is needed, feel free to ask.

    Kind regards

    Leo
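Added example, not part of Leo's answer or of any Cisco code: a Python check that flags the overlap he describes (the global side of a static is the address space the PIX will proxy-ARP for on the lower-security interface, so a /16 static towards dmzMail claims addresses that really live on dmzMail), plus the carve-out he recommends (smallest mask, only for address space that is really behind the inside interface). The statics are given as already-parsed records; the dmzMail segment 1.2.240.0/24 is an assumption taken from his remark.

```python
"""Overlap check for PIX static statements.

Added example, not from the thread or from Cisco. It models Leo's point: the
global side of a static is the address space the PIX will proxy-ARP for on the
low-security interface, so static (inside,dmzMail) 1.2.0.0 1.2.0.0 netmask
255.255.0.0 claims, on dmzMail, addresses that actually live on dmzMail.
Statics are given as already-parsed records; the dmzMail subnet is assumed."""
import ipaddress
from typing import Dict, List, NamedTuple, Tuple

Net = ipaddress.IPv4Network

class Static(NamedTuple):
    high_if: str
    low_if: str
    global_net: Net   # address space presented (proxy-ARPed) on low_if
    real_net: Net     # address space that actually lives on high_if

def find_overlaps(statics: List[Static], connected: Dict[str, Net]) -> List[Tuple[int, str]]:
    """Return (index of the offending static, explanation) for every overlap."""
    problems = []
    for i, s in enumerate(statics):
        net, iface = s.global_net, s.low_if
        if iface in connected and net.overlaps(connected[iface]):
            problems.append((i, f"proxy-ARP for {net} on {iface} covers {iface}'s own subnet {connected[iface]}"))
        for j, o in enumerate(statics):
            if j == i:
                continue
            if o.high_if == iface and net.overlaps(o.real_net):
                problems.append((i, f"{net} on {iface} covers {o.real_net}, which lives on {iface} (static {j})"))
            if j > i and o.low_if == iface and o.high_if != s.high_if and net.overlaps(o.global_net):
                problems.append((i, f"{net} and {o.global_net} are both presented on {iface} "
                                    f"from different interfaces (statics {i} and {j})"))
    return problems

def carve_out(space: Net, in_use_elsewhere: List[Net]) -> List[Net]:
    """Split `space` into the largest blocks that avoid every excluded subnet, so
    each block can be identity-static'ed with the smallest mask that fits."""
    blocks = [space]
    for excluded in in_use_elsewhere:
        kept = []
        for b in blocks:
            if excluded.subnet_of(b):
                kept.extend(b.address_exclude(excluded))
            elif not b.overlaps(excluded):
                kept.append(b)
        blocks = kept
    return sorted(blocks)

def n(s: str) -> Net:
    return ipaddress.ip_network(s)

# Constructed records matching the config quoted in the thread.
THREAD_STATICS = [
    Static("dmzMail", "outsideBelwue", n("1.2.240.60/32"), n("1.2.240.60/32")),
    Static("dmzMail", "outsideBelwue", n("1.2.240.52/32"), n("1.2.240.62/32")),
    Static("inside", "dmzMail", n("1.2.0.0/16"), n("1.2.0.0/16")),
    Static("inside", "outsideBelwue", n("1.2.0.0/16"), n("1.2.0.0/16")),
]
CONNECTED = {"dmzMail": n("1.2.240.0/24")}   # assumed dmzMail segment

if __name__ == "__main__":
    for idx, why in find_overlaps(THREAD_STATICS, CONNECTED):
        print(f"static {idx}: {why}")
    print([str(b) for b in carve_out(n("1.2.0.0/16"), [CONNECTED["dmzMail"]])])
```

On the quoted config the checker reports the /16 static towards dmzMail three times (it covers the dmzMail subnet and both hosts that are really on dmzMail) and the /16 static towards outsideBelwue twice (it duplicates the two host statics on that interface). `carve_out` turns 1.2.0.0/16 minus 1.2.240.0/24 into eight blocks (/17 down to /24), each of which can be written as its own identity static.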

  • PIX and ASA static, dynamic and RA VPN do not work together

    Hello

    I am facing a very interesting problem between a PIX 515 and an ASA 5510.

    The PIX is at HQ and has several dynamic VPN connections (around 130), and IPsec remote-access VPN works very well. I had to add a static PIX-to-ASA L2L VPN and it does not work as it is supposed to. The ASA 5510 at the remote end connects and stays up for a short period of time; however, all the other VPN connections stop working.

    The most interesting thing is that the ASA is associated with the dynamic map and not the static map that I created (checked with sh crypto ipsec sa peer x.x.x.x). However, if I make any changes to the ACL 'ACL-Remote', it affects the tunnel between the PIX and the ASA.

    Has anyone seen something like that?

    Here is more detailed information:

    HQ - IOS 8.0(3) - PIX 515
    ASA 5510 - IOS 7.2(3) - remote provider
    Several Huawei and Cisco routers connected dynamically via ADSL
    Several remote-access IPsec users
    A static site-to-site VPN between PIX and ASA - does not work.

    Here is the config on the PIX:

    crypto ipsec transform-set ESP-3DES-ESP-SHA-HMAC-IPSec esp-3des esp-sha-hmac
    crypto dynamic-map Dyn-VPN 100 set transform-set ESP-3DES-ESP-SHA-HMAC-IPSec
    crypto dynamic-map Dyn-VPN 100 set reverse-route
    crypto map VPN-map 30 match address ACL-Remote
    crypto map VPN-map 30 set peer 20x.xx.xx.xx
    crypto map VPN-map 30 set transform-set ESP-3DES-ESP-SHA-HMAC-IPSec
    crypto map VPN-map 100 ipsec-isakmp dynamic Dyn-VPN
    crypto map VPN-map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    access-list ACL-Remote extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0

    Thank you.

    Marcelo Pinheiro

    The problem is that the ASA has a crypto ACL defined from a host to a network, while the remote end has it from network to network.

    Make sure that the ACL is reversed (mirrored) on the other end.

  • Terminating a VPN on a PIX behind an IOS router with a private subnet

    OK, basically I wonder if it is possible to terminate a VPN connection on a PIX 506 firewall which is behind an IOS router. The public interface of the PIX 506 has a private IP address on a /29 on the IOS router's inside interface. The network is configured as follows:

    Internet (10BaseT)
      | (5 public IPs: X.X.X.34-.38)
      | (on WIC-1ENET, .34 assigned to the interface)
    Cisco 1760
      |--(Pomp)--------------------------------------> private net (192.168.1.0)
      |--(WIC-4PORTSWITCH, 10.0.0.1/29 on the 1760)--> PIX 506 (10.0.0.2/29 on the PIX)

    Now, both internal interfaces of the 1760 are configured to PAT to the IP of the 1760's interface, and all internet traffic works perfectly. No access lists are currently applied anywhere on the 1760, and a static translation on the 1760 is configured for .35 to 10.0.0.2 (the PIX's 'public' IP). RDP and other services permitted in the PIX access list work perfectly well from the outside world when you go to .35, but if I try to terminate a VPN from an offsite PIX 501 to the PIX 506 using the .35 IP, it does not work.

    Is it possible to make this type of setup work?

    I realize I could put an external switch on the 1760 and run the public subnet directly and separately into the 1760 and the PIX 506; however, I really would prefer not to do so if it is possible to avoid it.

    Remove the crypto map from the interface on the PIX and reapply it.

  • Static port forwarding on a PIX 501

    Hello!

    I have really made an effort to make this work, but without success.

    What I'm trying to do is port forwarding on TCP 4899. I have searched forums, read articles and the manual, but it doesn't really work.

    Topology: ISP DSL modem - PIX - LAN

    Here is the config of my PIX, in the state that works 'best':

    : Saved
    :
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxx
    passwd xxx
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    access-list 101 permit tcp any host xx.xx.xx.245 eq 4899
    pager lines 24
    logging console informational
    mtu outside 1500
    mtu inside 1500
    ip address outside xx.xx.xx.244 255.255.255.240
    ip address inside 192.168.29.91 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 xx.xx.xx.245
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp xx.xx.xx.245 4899 192.168.29.4 4899 netmask 255.255.255.255 0 0
    access-group 101 in interface outside
    route outside 0.0.0.0 0.0.0.0 xx.xx.xx.241 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.29.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.29.92-192.168.29.123 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:xxxx
    : end

    Here's a log of what happens when I try to establish a connection.

    609001: Built local-host inside:192.168.29.4
    305011: Built static TCP translation from inside:192.168.29.4/4899 to outside:xx.xx.xx.245/4899
    302013: Built inbound TCP connection 582 for outside:yy.yy.yy.51/3289 (yy.yy.yy.51/3289) to inside:192.168.29.4/4899 (xx.xx.xx.245/4899)
    302014: Teardown TCP connection 582 for outside:yy.yy.yy.51/3289 to inside:192.168.29.4/4899 duration 0:02:01 bytes 0 SYN Timeout
    305012: Teardown static TCP translation from inside:192.168.29.4/4899 to outside:xx.xx.xx.245/4899 duration 0:02:15

    And IMO it looks as it should. But there is no data flow.

    Thank you! Peter

    Are you sure that the service is running on 192.168.29.4? "bytes 0 SYN Timeout" shows that no response was sent from the inside.

    After you added the static statement, did you do a clear xlate or restart the PIX to reset the translation slot table? (clear xlate is preferred, but naturally a reboot will also wipe the table)

  • Site-to-site VPN with NAT (PIX 7.2)

    Hi all

    I'm hoping for some more help with a PIX config. TBH I would classify myself as a newb on PIX, only dabbling in it every 6 months or so...

    I have to configure a site-to-site VPN between our UK and US offices, to replace our frame relay link. I have configured multiple site-to-site VPNs on the PIX before, so I am reasonably okay with how the config looks. What is a new concept for me is the need to NAT across the IPsec tunnel.

    The US office requires us to NAT our source addresses (i.e. 192.168.1.0) to addresses usable on their side (i.e. 143.102.89.0). The tunnel must then be set to encrypt traffic between 143.102.89.0/24 and 172.24.0.0/14.

    I have added the following config and am hoping to test it when the US office comes online today.

    If I ping from a 192.168.1.0 source to 172.24.x.x and run a sh nat inside, the NAT translation looks good:

    match ip inside 192.168.1.0 255.255.255.0 outside 172.24.0.0 255.252.0.0
        static translation to 143.102.89.0
        translate_hits = 4, untranslate_hits = 0

    Could someone please go through the following config lines and comment on whether there are any errors?

    Thank you very much

    Kevin


    access-list ipsec-dallas extended permit ip 143.102.89.0 255.255.255.0 172.24.0.0 255.252.0.0
    access-list policy-nat-dallas extended permit ip 192.168.1.0 255.255.255.0 172.24.0.0 255.252.0.0
    static (inside,outside) 143.102.89.0 access-list policy-nat-dallas
    crypto ipsec transform-set 3desmd5set esp-3des esp-md5-hmac
    crypto map dyn-map 40 match address ipsec-dallas
    crypto map dyn-map 40 set peer 143.101.6.141
    crypto map dyn-map 40 set transform-set 3desmd5set
    crypto map dyn-map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    tunnel-group 143.101.6.141 type ipsec-l2l
    tunnel-group 143.101.6.141 ipsec-attributes
     pre-shared-key *

    You can configure a nat/global pair for the rest of the users.

    For example:

    You can use the initially configured ACL:

    access-list policy-nat-dallas extended permit ip 192.168.1.0 255.255.255.0 172.24.0.0 255.252.0.0
    nat (inside) 1 access-list policy-nat-dallas
    global (outside) 1 143.102.89.x

    The static statement that you configured previously will take precedence over the above. So the printer gets statically NATed to 143.102.89.10, and the rest can be PATed to another IP address 143.102.89.x.

    Please note that with PAT, traffic can only be initiated from the 192.168.1.0/24 LAN to 172.24.0.0/14, not the other way around.

    Hope that helps.

  • PIX with VPN to Checkpoint with overlapping subnets

    I have a client with a PIX running 6.3 code.

    They need to establish an IPsec tunnel to one of their customers, who has a Checkpoint firewall.

    Both organizations use 10.1.0.0/16, and I'd like to NAT the home office to 10.180.0.0/16 and the remote client to 10.181.0.0/16.

    The document on the Cisco website for PIX and VPN concentrators is less than useful. I don't think the text describing the picture is correct.

    Help with the ACL and static NAT would be greatly appreciated.

    Frederik

    Apologies, I should have asked: which office has the PIX and which the Checkpoint? I'll write this as if both ends were PIX firewalls; that's fine and we can see if it helps.

    Remote end
    ==========

    access-list NAT permit ip 10.1.0.0 255.255.255.0 host 10.180.1.103
    nat (inside) 3 access-list NAT
    global (outside) 3 10.181.0.1-10.181.255.254 netmask 255.255.0.0

    NOTE: You could really just NAT the 10.1.x.x source addresses to a single global IP address rather than the whole 10.181.0.0/16; up to you.

    Your crypto map access list must then refer to the NATted 10.181.x.x addressing rather than the 10.1.0.0 addresses.

    access-list vpntraffic permit ip 10.181.0.0 255.255.0.0 host 10.180.1.103

    Main office
    ===========

    The crypto access list should read:

    access-list vpntraffic permit ip host 10.180.1.103 10.181.0.0 255.255.0.0

    And you will need a static translation for client access:

    static (inside,outside) 10.180.1.103 10.1.1.103 netmask 255.255.255.255

    Does that help?

    Jon
