config Question

[dkamp]

Please answer a question for me........
When the global command is used, and the NAT command, do the numbers have to match?
Example I have these cmds:

global (outside) 1 X.X.X.10
global (outside) 2 X.X.X.11
global (outside) 3 X.X.X.19
global (outside) 4 X.X.X.17
global (outside) 5 X.X.X.20
global (outside) 6 X.X.X.21
global (outside) 7 X.X.X.22
global (outside) 9 X.X.X.23
nat (inside) 1 10.100.1.1 255.255.255.255
nat (inside) 2 10.100.1.3 255.255.255.255
nat (inside) 3 10.100.1.4 255.255.255.255
nat (inside) 4 10.100.1.5 255.255.255.255
nat (inside) 5 10.100.1.6 255.255.255.255
nat (inside) 6 10.100.1.7 255.255.255.255
nat (inside) 7 10.100.1.8 255.255.255.255
nat (inside) 8 10.100.1.9 255.255.255.255
nat (inside) 9 10.100.1.0 255.255.255.0
static (inside,outside) X.X.X.19 10.100.1.3 netmask 255.255.255.255
static (inside,outside) X.X.X.17 10.100.1.4 netmask 255.255.255.255
static (inside,outside) X.X.X.20 10.100.1.5 netmask 255.255.255.255
static (inside,outside) X.X.X.21 10.100.1.6 netmask 255.255.255.255
static (inside,outside) X.X.X.22 10.100.1.7 netmask 255.255.255.255
static (inside,outside) X.X.X.11 10.100.1.8 netmask 255.255.255.255
static (inside,outside) X.X.X.10 10.100.1.9 netmask 255.255.255.255

 

[Supergrrover]

Yes. What the first integer number tells the pix is what global range matches to what nat range to make it a global/nat pair. Statics override gloabl/nat. For what you have up you what statics everywhere you have a 255.255.255.255 for NAT.

Global/nat is for networks to access other networks/interfaces.
So this would make better sense -
global (outside) 1 x.x.x.10
nat (inside) 1 10.100.1.0 255.255.255.0
static (inside,outside) x.x.x.11 10.100.1.5 netmask 255.255.255.255

All of your 10.100.1.0/24 network will be nat overloaded to outside address x.x.x.10. You can access any port on 10.100.1.5 from the internet by going to x.x.x.11ort#



Brent
Systems Engineer / Consultant
CCNP, CCSP