Nat translation/exemption decision based on source address

Hi, I would like to do the following: I have 2 inside hosts, 10.1.1.1 and 10.1.1.2. On the outside interface, for external hosts, these 2 addresses are servers that are translated as, say, 203.23.23.23 and 203.23.23.24 respectively. But I have also a private host 10.3.3.3 on the outside interface which needs to reach 10.1.1.1 and 10.1.1.2 untranslated.

Is this the way I go about doing it:

    access-list bypass permit icmp host 10.1.1.1 host 10.3.3.3
    access-list bypass permit icmp host 10.1.1.2 host 10.3.3.3
    nat (inside) 0 access-list bypass
    static (inside,outside) 203.23.23.23 10.1.1.1 netmask 255.255.255.255
    static (inside,outside) 203.23.23.24 10.1.1.2 netmask 255.255.255.255

thanks.

Reply to
Cen

In article , Cen wrote:
:I would like to do the following:
:I have 2 inside hosts, 10.1.1.1 and 10.1.1.2.
:On the outside interface, for external hosts, these 2 addresses are servers
:that are translated as, say, 203.23.23.23 and 203.23.23.24 respectively.
:But I have also a private host 10.3.3.3 on the outside interface which needs
:to reach 10.1.1.1 and 10.1.1.2 untranslated.

:Is this the way I go about doing it:

:access-list bypass permit icmp host 10.1.1.1 host 10.3.3.3
:access-list bypass permit icmp host 10.1.1.2 host 10.3.3.3
:nat (inside) 0 access-list bypass
:static (inside,outside) 203.23.23.23 10.1.1.1 netmask 255.255.255.255
:static (inside,outside) 203.23.23.24 10.1.1.2 netmask 255.255.255.255

Not if you are using an IOS router ;-)

If you are using a PIX with 6.x software as is implied by the above commands, then what you have is generally speaking a good approach.

It can, though, fall down in that the PIX never proxy-ARPs for an IP which is nat 0 access-list'd. If the outside device can have its routing table adjusted, then you can configure the outside device to route to 10.1.1.x via the PIX's outside IP. But then you run into the possibility that there is no outside router with a presence in both 10.3.3.x and 203.23.23.x ...

An alternate approach, starting in PIX 6.3, is to use "policy static". That's a static with an access-list attached. You'll have to read the examples in the reference manual several times to figure out how to get it to work right, as there is important information missing in the documentation [which will especially beguile you if you are trying to work with a subnet instead of individual hosts.]

Reply to
Walter Roberson
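To check what the posted configuration actually does to a given packet, here is a small Python model of the PIX 6.x translation decision, added to this thread as an illustration (it is not PIX code and not from Cisco or either poster). It reproduces the evaluation order "nat 0 access-list (exemption) before static", and it assumes the exemption access-list is matched on its protocol field as well as on the addresses, so the posted `permit icmp` entries exempt ICMP only; the sample packets and the 198.51.100.9 address are constructed.

```python
import ipaddress

# Constructed model of the PIX 6.x translation decision for the thread's
# configuration. Not PIX code: it only reproduces the evaluation order
# "nat 0 access-list (exemption) first, then static", so that the effect of
# the posted access-list can be checked against sample packets.

# access-list bypass permit icmp host 10.1.1.1 host 10.3.3.3
# access-list bypass permit icmp host 10.1.1.2 host 10.3.3.3
EXEMPT_ACL = [
    ("icmp", "10.1.1.1/32", "10.3.3.3/32"),
    ("icmp", "10.1.1.2/32", "10.3.3.3/32"),
]

# static (inside,outside) 203.23.23.23 10.1.1.1 / 203.23.23.24 10.1.1.2
STATICS = {"10.1.1.1": "203.23.23.23", "10.1.1.2": "203.23.23.24"}


def acl_matches(acl, proto, src, dst):
    """True if any entry permits this protocol/source/destination (assumption:
    'ip' matches every protocol, a named protocol matches only itself)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace_proto, ace_src, ace_dst in acl:
        if ace_proto not in ("ip", proto):
            continue
        if s in ipaddress.ip_network(ace_src) and d in ipaddress.ip_network(ace_dst):
            return True
    return False


def translate(proto, src, dst, exempt_acl=EXEMPT_ACL, statics=STATICS):
    """Source address seen on the outside interface for an inside->outside
    packet. Exemption (nat 0 access-list) is consulted before any static."""
    if acl_matches(exempt_acl, proto, src, dst):
        return src                      # untranslated (identity)
    if src in statics:
        return statics[src]             # one-to-one static
    return None                         # no translation rule: PIX 6.x drops it


if __name__ == "__main__":
    for pkt in [("icmp", "10.1.1.1", "10.3.3.3"),   # exempt: stays 10.1.1.1
                ("tcp", "10.1.1.1", "10.3.3.3"),    # not exempt: 203.23.23.23
                ("tcp", "10.1.1.2", "198.51.100.9")]:  # external: 203.23.23.24
        print(pkt, "->", translate(*pkt))
```

Changing the two entries to `permit ip` (pass `[("ip", "10.1.1.1/32", "10.3.3.3/32"), ...]` as `exempt_acl`) exempts every protocol between the hosts, which is usually what is wanted.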

Thanks. Yeah, I'm planning this on PIX 6.3. I'm not using proxy ARP, so it shouldn't be a problem here. Will check out the suggested alternative approach.

Reply to
Cen
