U-Turning Bi-Directional NAT

Unanswered Question

I've been trying to make this work and have had no luck. I've got a 515E running 7.0(2) and attempted to use this command to allow hosts on my subnet to browse the website on ;

static (outside,inside)

It simply will not seem to work. Can anyone lend some assistance?

pstebner1 Wed, 06/13/2007 - 09:43

Which is your inside network? Is it the 172.x.x.x and the 69.x.x.x website is on the internet?

I'm not exactly sure what you are trying to do, but it looks like your static is backwards, and you cannot statically translate a /24 subnet to one ip address.

Perhaps a little more explanation?



acomiskey Wed, 06/13/2007 - 09:45

I think he has something like this

static (inside,outside)

and he is trying to hit from a client 172.17.150.x on the inside.

Is this correct?

pstebner1 Wed, 06/13/2007 - 09:56

Yep, Mr. Comiskey is correct. That dns doctoring link should take care of you.



acomiskey Wed, 06/13/2007 - 10:20

Are you sure you wrote it correctly? That should not have happened. I think you would want...

static (inside,inside)

You also need the same-security-traffic permit intra-interface etc.

Anyway, pay close attention to where it says...

"For versions earlier than 7.2(1), it is required that at least one arm of the hairpinned traffic (inbound or outbound) be encrypted. From 7.2(1) and later, this requirement is no longer in place. Both the traffic inbound and the traffic outbound might be unencrypted when you use 7.2(1)."

You will run into a problem here as you are running 7.0.

pstebner1 Wed, 06/13/2007 - 10:20

Don't forget to enable hairpinning by issuing the

same-security-traffic permit intra-interface

command first.



Thanks everyone for your responses.

The solution was provided by Sanjeev Pabbi:

same-security-traffic permit intra-interface

static (inside,outside) netmask

static (inside,inside) netmask

static (inside,inside) netmask


Because the request is initiated from inside the firewall, it hits the INSIDE interface; then, after the NAT translation, the packets have to come out of the same INSIDE interface towards your LAN, so the first command allows packets to enter and leave from the same interface. It is a global command.

The second command will allow your web server with a private IP to appear as the public IP to the outside world (not to inside users).

Assuming the client on the inside network with IP, when it tries to access the web site by the public IP, the third command translates the web server's public IP to the private IP.

The fourth command does the source translation, converting the original client IP to a fake, non-existent IP. (This step is very important, because without it the web server will receive the incoming packet, but for the return traffic it will try to go to the client IP directly, because it is in the same subnet, and the traffic never gets there as it bypasses the firewall.) So in the web server logs it will appear as if the request has come from NOT

acomiskey Thu, 06/14/2007 - 07:09

Instead of the fourth one you could just do...

global (inside) 1 interface

nat (inside) 1 0 0

then you don't have to have a static statement for each client.
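Putting Sanjeev Pabbi's four-line solution and acomiskey's global/nat alternative together as one complete PIX/ASA 7.x configuration, as an added example that is not from the original thread. The addresses are hypothetical: 172.17.150.0/24 is the inside LAN (the only prefix the replies mention), 172.17.150.10 is the web server, 192.0.2.10 (RFC 5737 documentation space) is its public address, and 172.17.150.50 / 172.17.150.200 are a sample client and the fake mapped address chosen for it. The interface names and the outside access-list are likewise assumed.

```cisco
! Hypothetical addressing, not taken from the thread.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.17.150.1 255.255.255.0
!
! 1. Let a packet enter and leave the same interface (hairpin / U-turn).
same-security-traffic permit intra-interface
!
! 2. Publish the server for outside users: mapped 192.0.2.10 -> real 172.17.150.10.
static (inside,outside) 192.0.2.10 172.17.150.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 192.0.2.10 eq www
access-group outside_in in interface outside
!
! 3. Inside users who connect to the public address get it translated back
!    to the real server on the same interface.
static (inside,inside) 192.0.2.10 172.17.150.10 netmask 255.255.255.255
!
! 4a. Source translation, one static per client (the thread's fourth command):
!     client 172.17.150.50 appears to the server as 172.17.150.200, an unused
!     address, so the server's replies route back through the firewall instead
!     of going straight to the client on the shared LAN.
static (inside,inside) 172.17.150.200 172.17.150.50 netmask 255.255.255.255
!
! 4b. Alternative (acomiskey): PAT every inside client to the inside interface
!     address instead of writing a static per client. Use 4a OR 4b, not both.
global (inside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
```

If `nat (inside) 1 0.0.0.0 0.0.0.0` already exists for ordinary outbound PAT, only the `global (inside) 1 interface` line is new. Note the caveat quoted earlier in the thread: on 7.0(2), the version in the question, unencrypted traffic cannot be hairpinned on both legs, so this configuration only works as written on 7.2(1) or later; on 7.0 the practical alternatives are to terminate one leg in a VPN or to avoid the hairpin entirely with DNS doctoring (`dns` keyword on the `static (inside,outside)` line), which the first replies pointed to.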

