2 static NATs work. 3rd static NAT doesn't.

Discussion in 'Cisco' started by smartin, Sep 22, 2007.

  1. smartin

    smartin Guest

    Hello all,

    I have spent a lot of time on this and seem to be missing something.
    Any technical knowledge and help will be greatly appreciated.

    I have pasted our PIX config below. You see three static NATs
    configured. The first two work great. The 3rd static NAT is new, and
    the config below isn't working right, and actually causes the internal
    host to lose Internet connectivity. The new static NAT is the one for
    global IP 216.xxx.xxx.243. What is wrong?


    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password o6XhYX4TSmjifHY0 encrypted
    passwd o6XhYX4TSmjifHY0 encrypted
    hostname PIX
    domain-name xxx
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    no fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.2.2 server
    access-list inetACL permit tcp any host 66.xxx.xxx.150 eq smtp
    access-list inetACL permit tcp any host 66.xxx.xxx.150 eq 3389
    access-list inetACL permit tcp any host 66.xxx.xxx.150 eq pop3
    access-list inetACL permit tcp any host 66.xxx.xxx.150 eq www
    access-list inetACL permit udp any host 66.xxx.xxx.150 eq domain
    access-list inetACL permit tcp any host 66.xxx.xxx.150 eq domain
    access-list inetACL permit icmp any host 66.xxx.xxx.150
    access-list inetACL permit tcp any host 66.xxx.xxx.187 eq 3389
    access-list inetACL permit tcp any host 66.xxx.xxx.150 eq https
    access-list inetACL permit tcp any host 216.xxx.xxx.243 eq 3389
    access-list inetACL permit icmp any host 216.xxx.xxx.243
    pager lines 24
    logging on
    logging buffered informational
    logging trap debugging
    logging facility 16
    logging device-id hostname
    logging host inside server 17/1025 format emblem
    mtu outside 1500
    mtu inside 1500
    ip address outside 66.xxx.xxx.186 255.255.255.0
    ip address inside 192.168.2.253 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location server 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 66.xxx.xxx.150 server netmask 255.255.255.255 0 0
    static (inside,outside) 66.xxx.xxx.187 192.168.2.9 netmask 255.255.255.255 0 0
    static (inside,outside) 216.xxx.xxx.243 192.168.2.7 netmask 255.255.255.255 0 0
    access-group inetACL in interface outside
    route outside 0.0.0.0 0.0.0.0 66.xxx.xxx.193 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.2.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
     
    smartin, Sep 22, 2007
    #1

  2. smartin

    Brian V Guest

    Where are you getting the 216.X..243 address from? Did your ISP just give it
    to you? If they just gave it to you, are you routing it on your Internet
    router to the PIX? There is nothing wrong with the PIX config IF that is
    your address and is being routed properly to the PIX.
     
    Brian V, Sep 22, 2007
    #2
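
The routing question raised in the reply above can be partly checked from the configuration itself. The following is an added example, not code from the thread: it flags static NAT global addresses that lie outside the subnet of the interface they are mapped to, since such an address reaches the firewall only if the upstream router routes it there. The function name is hypothetical and the sample config is constructed, with RFC 5737 documentation addresses standing in for the masked ones (which of the thread's real addresses are on-link cannot be told from the masked post).

```python
import ipaddress
import re

# Constructed sample in PIX 6.x syntax. RFC 5737 documentation addresses
# stand in for the masked public addresses in the thread.
SAMPLE_CONFIG = """\
ip address outside 198.51.100.186 255.255.255.0
ip address inside 192.168.2.253 255.255.255.0
static (inside,outside) 198.51.100.150 server netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.187 192.168.2.9 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.243 192.168.2.7 netmask 255.255.255.255 0 0
"""

IFACE_RE = re.compile(r"^ip address (\S+) ([\d.]+) ([\d.]+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")


def check_static_globals(config):
    """Hypothetical helper: (global_ip, local_host, status) per static NAT."""
    subnets, statics = {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := IFACE_RE.match(line):
            name, addr, mask = m.groups()
            subnets[name] = ipaddress.ip_interface(f"{addr}/{mask}").network
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())

    results = []
    for _real_if, mapped_if, global_ip, local_host in statics:
        try:
            addr = ipaddress.ip_address(global_ip)
        except ValueError:  # e.g. port-redirect form "static (...) tcp interface ..."
            results.append((global_ip, local_host, "not-checked"))
            continue
        subnet = subnets.get(mapped_if)
        if subnet is None:
            status = "unknown-interface"
        elif addr in subnet:
            status = "on-link"  # inside the mapped interface's own subnet
        else:
            status = "needs-upstream-route"  # upstream router must route it here
        results.append((global_ip, local_host, status))
    return results


if __name__ == "__main__":
    for row in check_static_globals(SAMPLE_CONFIG):
        print(*row)
```
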
