08-22-2007 04:21 AM - edited 02-21-2020 01:39 AM
Hi guys, I am a bit confused, please help me...
RTR2----(Outside)ASA(Inside)----Rtr1
The outside network range is 192.168.1.0/24, with Rtr2 having .2 and the ASA having .1.
The inside network range is 192.168.2.0, with the ASA having .1 and Rtr1 having .2.
Now I want to perform dynamic outside NAT for Rtr2.
nat (outside) 1 192.168.1.0 255.255.255.0
global (inside) 1 interface
or
nat (outside) 1 192.168.1.0 255.255.255.0 outside
global (inside) 1 interface
-------
I know that the outside keyword is used for outside NAT, and when I try to configure the
nat command on the outside interface it gives me a warning too, but it takes the command.
My doubt is why outside NAT doesn't work with the outside keyword. I hope you guys got my doubt...
08-22-2007 04:56 AM
You are correct, this is the correct way to do it.
nat (outside) 1 192.168.1.0 255.255.255.0 outside
global (inside) 1 interface
If it is not working, check the access-list applied to the outside interface, and use show xlate to confirm whether you have any other existing xlates.
Please post the complete sanitized config if this does not help.
08-22-2007 06:07 AM
Hi, thanks for your reply matti. Actually what I wanted to know is why it only works when we apply the "outside" keyword, because without that also, when I say
nat (outside) 1 192.168.1.0 255.255.255.0
it means NAT for the source IP address 192.168.1.0/24 to a different IP address.
08-22-2007 06:25 AM
The outside keyword will allow the connections to initiate from an interface with a lower security level.
08-22-2007 06:29 AM
Ohh... thanks... I got it... this means when I want to configure the same thing from my DMZ to inside,
then I have to apply
nat (dmz) 1 0 0 outside..
08-22-2007 06:41 AM
Correct.
The outside keyword represents any outer (less secure) interface, not the actual outside.
08-22-2007 06:43 AM
Thanks for clearing up my concept...
08-22-2007 07:52 AM
Hi matti, I have the following setup:
host---(inside)Pix(Outside)---Rtr
host ip address 10.0.0.10
Pix Inside 10.0.0.1
Pix Outside 172.31.0.1
Rtr IP address: 172.31.0.2 (Rtr has a default route to the PIX)
I tried to configure outside NAT, but it's not working.
hostname Firewall
enable password xxx encrypted
names
interface Ethernet0
speed 100
nameif outside
security-level 0
ip address 172.31.0.1 255.255.255.0
!
interface Ethernet1
speed 100
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
passwd xxx
ftp mode passive
access-list outside extended permit ip any any
pager lines 24
logging enable
icmp unreachable rate-limit 1 burst-size 1
nat-control
global (inside) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0 outside
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside in interface outside
telnet timeout 5
ssh timeout 5
console timeout 0
----
I see the following messages:
%PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2253 to inside:10.0.0.1/30
%PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst inside:Insrv (type 8, code 0)
%PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2254 to inside:10.0.0.1/31
%PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst inside:Insrv (type 8, code 0)
%PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2255 to inside:10.0.0.1/32
%PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst inside:Insrv (type 8, code 0)
%PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2256 to inside:10.0.0.1/33
%PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst inside:Insrv (type 8, code 0)
%PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2257 to inside:10.0.0.1/34
%PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst inside:Insrv (type 8, code 0)
--------------
show xlate output:
PAT Global 10.0.0.1(36) Local 172.31.0.2 ICMP id 5850
PAT Global 10.0.0.1(35) Local 172.31.0.2 ICMP id 5849
08-22-2007 08:00 AM
Now you are only translating the source address of the outside host; NAT for the destination address also has to be configured. You want to reach the inside host by its real address? Then you need to do this:
static (inside,outside) 10.0.0.10 10.0.0.10 netmask 255.255.255.255
08-22-2007 08:07 AM
Yeah, got it... but can I use dynamic NAT in these cases instead of using static NAT?
08-22-2007 08:50 AM
You can use nat 0 to disable NAT:
access-list 103 permit ip 10.0.0.0 255.255.255.0 any
nat (inside) 0 access-list 103
You can tune that ACL to only allow some traffic if you want to.
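The two replies above (the static identity translation and the ACL-based nat 0) fix the same gap: with outside NAT the firewall needs a translation for the inside destination as well as for the outside source. The following Python script is an added example, not code from the thread or from Cisco. It reads the nat/global/static/access-list lines in the PIX 7.x / ASA pre-8.3 syntax used in the thread and reports which half is missing for a connection initiated from the lower-security side. The embedded sample is the posted config trimmed to the lines the checker reads, plus the two fix lines the replies offer; the checker models only the rules stated in the thread (source rule needs the outside keyword plus a matching global on the higher-security interface; destination needs a static or a nat 0 ACL on its own interface) and assumes nat-control is enabled as in the posted config.

```python
"""Checker for the two halves of PIX 7.x / ASA pre-8.3 'outside NAT'.
Added example, not from the thread. Only the nat/global/static/access-list
forms used in the thread are parsed; nat-control is assumed enabled as posted.
"""
import ipaddress
import re

def _net(addr, mask):  # 'addr mask' to a network; '0 0' / '0.0.0.0 0.0.0.0' mean any
    if addr in ("0", "0.0.0.0") and mask in ("0", "0.0.0.0"):
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_config(text):
    cfg = {"seclevel": {}, "nat": [], "global": [], "static": [], "acl": {}}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {}
            continue
        m = re.match(r"(nameif|security-level) (\S+)$", line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2)
            if len(cur) == 2:
                cfg["seclevel"][cur["nameif"]] = int(cur["security-level"])
            continue
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line)
        if m:  # ACL-driven identity NAT (nat 0 access-list)
            cfg["nat"].append({"if": m.group(1), "id": 0, "acl": m.group(2)})
            continue
        m = re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)(?: (outside))?$", line)
        if m:  # dynamic NAT/PAT; group 5 is the optional 'outside' keyword
            cfg["nat"].append({"if": m.group(1), "id": int(m.group(2)),
                               "net": _net(m.group(3), m.group(4)),
                               "outside": m.group(5) is not None})
            continue
        m = re.match(r"global \((\S+)\) (\d+) ", line)
        if m:
            cfg["global"].append({"if": m.group(1), "id": int(m.group(2))})
            continue
        m = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)", line)
        if m:  # static (real_if,mapped_if) mapped real netmask mask
            cfg["static"].append({"real_if": m.group(1), "mapped_if": m.group(2),
                                  "mapped": _net(m.group(3), m.group(5))})
            continue
        m = re.match(r"access-list (\S+) (?:extended )?permit ip (\d\S*) (\S+) any$", line)
        if m:  # only the 'permit ip NET MASK any' form used with nat 0 is kept
            cfg["acl"].setdefault(m.group(1), []).append(_net(m.group(2), m.group(3)))
    return cfg

def check_flow(cfg, src_if, src_ip, dst_if, dst_ip):
    """Return (ok, findings) for a connection initiated at src_if toward dst_if."""
    if cfg["seclevel"][src_if] >= cfg["seclevel"][dst_if]:
        raise ValueError("models lower-to-higher security (outside NAT) flows only")
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    findings, src_ok = [], False
    for r in cfg["nat"]:  # 1) source translation on the ingress interface
        if r["if"] != src_if:
            continue
        if "acl" in r:
            src_ok = src_ok or any(src in n for n in cfg["acl"].get(r["acl"], []))
        elif src in r["net"]:
            if not r["outside"]:  # the point the thread settles on
                findings.append(f"nat ({src_if}) {r['id']} matches {src} but lacks the 'outside' "
                                "keyword, so it is ignored for connections from the lower side")
            elif any(g["if"] == dst_if and g["id"] == r["id"] for g in cfg["global"]):
                src_ok = True
            else:
                findings.append(f"nat ({src_if}) {r['id']} has no global ({dst_if}) {r['id']}")
    if not src_ok:
        findings.append(f"no usable source translation for {src} entering {src_if}")
    # 2) destination translation: static on (dst_if,src_if) or ACL-based nat 0 on dst_if
    dst_ok = any(s["real_if"] == dst_if and s["mapped_if"] == src_if and dst in s["mapped"]
                 for s in cfg["static"])
    dst_ok = dst_ok or any(r["if"] == dst_if and "acl" in r
                           and any(dst in n for n in cfg["acl"].get(r["acl"], []))
                           for r in cfg["nat"])
    if not dst_ok:
        findings.append(f"no static ({dst_if},{src_if}) or nat ({dst_if}) 0 access-list covers "
                        f"{dst}; expect %PIX-3-305005 'No translation group found'")
    return src_ok and dst_ok, findings

# Constructed sample: the posted configuration trimmed to the lines read above.
POSTED_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
interface Ethernet1
 nameif inside
 security-level 100
global (inside) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0 outside
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# The two fixes offered in the thread: static identity NAT, or ACL-based nat 0.
STATIC_FIX = "static (inside,outside) 10.0.0.10 10.0.0.10 netmask 255.255.255.255\n"
NAT0_FIX = "access-list 103 permit ip 10.0.0.0 255.255.255.0 any\nnat (inside) 0 access-list 103\n"

if __name__ == "__main__":
    for label, text in (("as posted", POSTED_CONFIG), ("with static", POSTED_CONFIG + STATIC_FIX),
                        ("with nat 0", POSTED_CONFIG + NAT0_FIX)):
        ok, f = check_flow(parse_config(text), "outside", "172.31.0.2", "inside", "10.0.0.10")
        print(label, "OK" if ok else "BLOCKED", *f, sep="\n  ")
```

Run as posted, the checker accepts the source side (the nat rule carries the outside keyword and global (inside) 1 exists) and flags the missing destination translation, which is the condition behind the 305005 messages above; either fix line clears it. Dropping the outside keyword from the nat (outside) line makes the source side fail instead, matching the explanation earlier in the thread.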