Question about NAT (maybe need to use policy NAT)?
Posted by Andrew Hodgson on June 30th, 2008


Hi,

This is what I was thinking of doing:

Router:
interface Ethernet0
ip address xx.xx.xx.209 255.255.255.240

interface Dialer0
ip address negotiated (receives WAN static)

Firewall:

interface vlan2
nameif outside
security-level 0
ip address xx.xx.xx.210 255.255.255.240

interface vlan1
nameif inside
ip address 192.168.1.1 255.255.255.0
security-level 100

global (outside) 1 interface
global (outside) 2 xx.xx.xx.11-xx.xx.xx.222 netmask 255.255.255.240
nat (inside) 1 0 0

route outside 0.0.0.0 0.0.0.0 xx.xx.xx.209 1
(can this go in the outside interface definition?)
access-group outside_access_in in interface outside

access-list outside_access_in extended permit tcp any host 192.168.1.10 eq 25

static (inside,outside) xx.xx.xx.211 192.168.1.10 netmask 255.255.255.240

What I want to achieve with this is the following:

- All outgoing connections from anything on 192.168.1.0/24 are
presented to the outside on xx.xx.xx.209.
- I have a server on 192.168.1.10 which I want presented to the
outside world on xx.xx.xx.211.
- I want people to connect to the IP address xx.xx.xx.211 on port 25
and be connected to this server.

Will this do it?

The other way I was looking at it was this:

global (outside) 1 interface
global (outside) 2 xx.xx.xx.211 255.255.255.240
nat (inside) 1 0 0
nat (inside) 2 access-list mail_server

access-list mail_server extended permit tcp any host 192.168.1.10 eq 25

I also have some IP addresses with no inbound connections, but I need
to ensure that they present on the outside using a specific IP
address.

Any help would be gratefully received.

Thanks.
Andrew.

Posted by PacketU on July 1st, 2008

I'm not sure what you mean by "All outgoing connections from anything on
192.168.1.0/24 is presented to the outside on xx.xx.xx.209."

Your config will route all traffic to xx.xx.xx.209, but it will be presented as
xx.xx.xx.11-xx.xx.xx.222, then PAT'd to xx.xx.xx.210. So based on the static, the
first 212 hosts will get a 1-to-1 NAT, then port-level PAT after that.

On the access list, you will want to specify the public IP as the
destination. It is applied before the NAT changes it to the private address.
The second example may have unintended consequences.

I would use my recommendations and modify the first config. Also, the
second config shows 211 as the start of the NAT range where the first one
shows 11.

"Andrew Hodgson" <me3@privacy.net> wrote in message
news:mrli641kji06apc66a9uiqgg8krj1eb7j5@news.giganews.com...
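The two behaviours PacketU relies on (the outside-interface access list being evaluated against the public address before the static untranslates it, and a dynamic pool being consumed before interface PAT within one NAT ID) are easier to see in a small simulation. The block below is an added illustration written for this thread; it is not Cisco code and not part of either post. It models the pre-8.3 ASA/PIX precedence of static, then policy NAT, then regular NAT, and uses constructed TEST-NET-3 addresses (203.0.113.x) in place of Andrew's "xx.xx.xx": .210 for the firewall outside interface and .211 for the mail server's static.

```python
"""Toy model of pre-8.3 ASA/PIX NAT precedence and outside-ACL evaluation.

Added illustration for the thread above, not Cisco code. Public addresses are
constructed placeholders from TEST-NET-3 (203.0.113.0/24) standing in for the
poster's "xx.xx.xx". The rules below are a simplification of the real ones.
"""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")

def host(ip):
    """'host X' in ASA ACL syntax is a /32 network."""
    return Net(f"{ip}/32")

@dataclass
class AclEntry:
    """One 'permit <proto> <src> <dst> eq <port>' line (the subset this thread uses)."""
    proto: str
    src: Net
    dst: Net
    dport: int

    def matches(self, proto, src, dst, dport):
        return (self.proto == proto and IPv4(src) in self.src
                and IPv4(dst) in self.dst and self.dport == dport)

@dataclass
class Config:
    statics: dict = field(default_factory=dict)      # real -> mapped; a static is bidirectional
    policy_nat: list = field(default_factory=list)   # (nat_id, [AclEntry])  'nat (inside) N access-list X'
    regular_nat: list = field(default_factory=list)  # (nat_id, Net)         'nat (inside) N 0 0'
    globals_: dict = field(default_factory=dict)     # nat_id -> [("pool", first, last) | ("interface",)]
    outside_acl: list = field(default_factory=list)  # 'access-group outside_access_in in interface outside'
    outside_ip: IPv4 = IPv4("203.0.113.210")
    xlates: dict = field(default_factory=dict)       # real host -> (mapped, how); reused per host
    next_free: dict = field(default_factory=dict)    # nat_id -> next unused pool address

def translate(cfg, src, nat_id):
    """Reuse this host's xlate, else allocate from the ID's global: pool first, then interface PAT."""
    if src in cfg.xlates:
        return cfg.xlates[src]
    for entry in cfg.globals_.get(nat_id, []):
        if entry[0] == "pool":
            nxt = cfg.next_free.get(nat_id, entry[1])
            if nxt <= entry[2]:                      # pool not yet exhausted
                cfg.next_free[nat_id] = nxt + 1
                cfg.xlates[src] = (nxt, "dynamic NAT")
                return cfg.xlates[src]
        else:
            cfg.xlates[src] = (cfg.outside_ip, "PAT on outside interface")
            return cfg.xlates[src]
    return None, "no translation"

def outbound_source(cfg, src, dst, proto="tcp", dport=80):
    """Mapped source for an inside->outside flow, in precedence order."""
    src = IPv4(src)
    if src in cfg.statics:                           # 1. static (inside,outside)
        return cfg.statics[src], "static"
    for nat_id, acl in cfg.policy_nat:               # 2. policy NAT keyed on the whole flow
        if any(e.matches(proto, src, dst, dport) for e in acl):
            return translate(cfg, src, nat_id)
    for nat_id, net in cfg.regular_nat:              # 3. regular NAT keyed on the source
        if src in net:
            return translate(cfg, src, nat_id)
    return None, "no translation"

def inbound(cfg, dst_public, dport, proto="tcp", src="198.51.100.7"):
    """The outside ACL sees the public (not yet untranslated) destination; then the static applies."""
    dst_public = IPv4(dst_public)
    if not any(e.matches(proto, src, dst_public, dport) for e in cfg.outside_acl):
        return "denied by outside_access_in"
    real = next((r for r, m in cfg.statics.items() if m == dst_public), None)
    if real is None:
        return f"permitted by ACL but nothing translates {dst_public}"
    return f"delivered to {real}:{dport}"

def thread_config(acl_host):
    """The first config from the question; the caller picks the host in the outside ACL entry."""
    cfg = Config()
    cfg.statics[IPv4("192.168.1.10")] = IPv4("203.0.113.211")  # static (inside,outside) .211 192.168.1.10
    cfg.regular_nat.append((1, ANY))                            # nat (inside) 1 0 0
    cfg.globals_[1] = [("interface",)]                          # global (outside) 1 interface
    cfg.globals_[2] = [("pool", IPv4("203.0.113.11"), IPv4("203.0.113.222"))]  # global (outside) 2
    cfg.outside_acl.append(AclEntry("tcp", ANY, host(acl_host), 25))
    return cfg

if __name__ == "__main__":
    as_posted = thread_config("192.168.1.10")   # ACL names the private address, as in the question
    corrected = thread_config("203.0.113.211")  # ACL names the public address, as PacketU advises
    print(outbound_source(corrected, "192.168.1.10", "198.51.100.7", dport=25))
    print(outbound_source(corrected, "192.168.1.50", "198.51.100.7"))
    print(inbound(as_posted, "203.0.113.211", 25))
    print(inbound(corrected, "203.0.113.211", 25))
```

Run as-is, the access list written against 192.168.1.10 leaves inbound connections to .211:25 denied, while the same entry written against .211 lets them through and the static delivers them to 192.168.1.10. Outbound, the mail server is always presented as .211 because the static wins before any `nat`/`global` pair is consulted, and everything else under ID 1 falls through to interface PAT on .210. The per-host xlate reuse and the pool-then-PAT ordering are simplifications and are labelled as such in the comments.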


Posted by Andrew Hodgson on July 1st, 2008


On Mon, 30 Jun 2008 20:13:00 -0400, "PacketU" <usenet@packetu.com>
wrote:

Oops, that should have been xx.xx.xx.210, i.e., the firewall outside
interface.
Ok. I want to get rid of the NAT, so that we just have the PAT for
xx.xx.xx.210 for anything going outside other than a few IP addresses,
which will be natted to specific public IP addresses.

Ok, that makes a bit more sense. If I change:

to:

Then have this:

Will this work?

If so, will the following NAT commands be sufficient:

211 is the correct number - my bad again.

Thanks.
Andrew.
