NAT Trouble

Unanswered Question
Nov 28th, 2007

Hi, I want to ask more experienced network administrators about a problem that I am experiencing and don't know how to solve:

I have a PIX 515E running 6.3(4) IOS and there are 2 networks configured on it:

Outside 192.168.0.0 /24 (security level 0) and Inside 172.21.0.0 /24 (security level 100).

I used the Static command without problems for mappings from Outside to Inside, using a "virtual IP" in the Outside interface for accessing a host located on the Inside LAN.

Now I need to do the same but in the other direction. I need to use a "virtual IP" in the Inside interface for accessing a host located on the Outside network.

IE:

192.168.0.5 --> NAT --> 172.21.0.5 Works O.K.

172.21.0.10 --> NAT --> 192.168.0.10 I need this mapping

Is it possible to do this running this version of IOS? How can I make this NAT mapping work? I tried a lot of things but none worked, and I don't know where to find more information about this.

Thank you all for your time, and please excuse my very poor English.

Alejandro.

acomiskey Wed, 11/28/2007 - 09:25

If I understand you correctly you probably have something like this...

static (inside,outside) 192.168.0.5 172.21.0.5 netmask 255.255.255.255

To do a destination nat in the other direction it should be something like this...

static (outside,inside) 172.21.0.10 192.168.0.10 netmask 255.255.255.255

m47r1x_mdma Mon, 12/03/2007 - 07:26

I tried this but it didn't work. The command is accepted, but the connection to the host can't be established.

The commands I entered were:

static (outside,inside) 172.21.0.10 192.168.0.10 netmask 255.255.255.255

access-list INSIDE permit tcp any host 172.21.0.10 eq www

access-group INSIDE in interface inside

Am I doing something wrong, or is it not supported by my IOS version or firewall?

Thank you for your help!!!

Ale.

srue Mon, 12/03/2007 - 11:54

Are there other entries in the ACL INSIDE?

What is the output of "show access-list INSIDE"?

Are you trying to connect to 172.21.0.10 from an inside host?

Have you verified www services are running on 192.168.0.10?

Can you ping 192.168.0.10 from the PIX?
