11-28-2007 09:21 AM - edited 03-11-2019 04:36 AM
Hi, I want to ask more experienced network administrators about a problem that I am experiencing and don't know how to solve:
I have a PIX 515E running 6.3(4) IOS and there are 2 networks configured on it:
Outside 192.168.0.0 /24 (security level 0) and Inside 172.21.0.0 /24 (security level 100).
I used the static command without problems for mappings from Outside to Inside, using a "virtual IP" on the Outside interface for accessing a host located on the Inside LAN.
Now I need to do the same but in the other direction. I need to use a "virtual IP" in the Inside interface for accessing a host located on the Outside network.
IE:
192.168.0.5 --> NAT --> 172.21.0.5 Works O.K.
172.21.0.10 --> NAT --> 192.168.0.10 I need this mapping
Is it possible to do this running this version of IOS? How can I make this NAT mapping work? I tried a lot of things but none worked, and I don't know where to find more information about this.
Thank you all for your time, and please excuse my very poor English.
Alejandro.
11-28-2007 09:25 AM
If I understand you correctly you probably have something like this...
static (inside,outside) 192.168.0.5 172.21.0.5 netmask 255.255.255.255
To do a destination nat in the other direction it should be something like this...
static (outside,inside) 172.21.0.10 192.168.0.10 netmask 255.255.255.255
12-03-2007 07:26 AM
I tried this but it didn't work. The command is accepted, but the connection to the host can't be established.
The commands I loaded were:
static (outside,inside) 172.21.0.10 192.168.0.10 netmask 255.255.255.255
access-list INSIDE permit tcp any host 172.21.0.10 eq www
access-group INSIDE in interface inside
Am I doing something wrong, or is it not supported by my IOS version or firewall?
Thank you for your help!!!
Ale.
12-03-2007 11:54 AM
Are there other entries in the ACL INSIDE?
What is the output of "show access-list INSIDE"?
Are you trying to connect to 172.21.0.10 from an inside host?
Have you verified www services are running on 192.168.0.10?
Can you ping 192.168.0.10 from the pix?