NAT Trouble

m47r1x_mdma
Level 1

Hi, I want to ask more experienced network administrators about a problem that I am experiencing and I don't know how to solve:

I have a PIX 515E running 6.3(4) IOS and there are 2 networks configured on it:

Outside 192.168.0.0 /24 (security level 0) and Inside 172.21.0.0 /24 (security level 100).

I used without problems the Static command for mappings from Outside to Inside, using a "virtual IP" in the Outside interface for accessing a host located on the Inside LAN.

Now I need to do the same but in the other direction. I need to use a "virtual IP" in the Inside interface for accessing a host located on the Outside network.

IE:

192.168.0.5 --> NAT --> 172.21.0.5 Works O.K.

172.21.0.10 --> NAT --> 192.168.0.10 I need this mapping

Is it possible to do this running this version of IOS? How can I make this NAT mapping work? I tried a lot of things but none worked, and I don't know where to find more information about this.

Thank you all for your time, and please excuse my very poor English.

Alejandro.

3 Replies

acomiskey
Level 10

If I understand you correctly you probably have something like this...

static (inside,outside) 192.168.0.5 172.21.0.5 netmask 255.255.255.255

To do a destination nat in the other direction it should be something like this...

static (outside,inside) 172.21.0.10 192.168.0.10 netmask 255.255.255.255

I tried this but it didn't work. The command is accepted, but the connection to the host can't be established.

The commands I charged were:

static (outside,inside) 172.21.0.10 192.168.0.10 netmask 255.255.255.255

access-list INSIDE permit tcp any host 172.21.0.10 eq www

access-group INSIDE in interface inside

Am I doing something wrong, or is it not supported by my IOS version or firewall?

Thank you for your help!!!

Ale.

Are there other entries in the ACL INSIDE?

What is the output of "show access-list INSIDE"?

Are you trying to connect to 172.21.0.10 from an inside host?

Have you verified www services are running on 192.168.0.10?

Can you ping 192.168.0.10 from the PIX?
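
The first two questions above matter because an ACL bound to the inside interface drops everything it does not explicitly permit. The following Python model is an added example, not part of the thread and not Cisco code; it parses the three commands quoted above and assumes that the ACL is matched against the mapped address before translation and that an implicit deny ends the ACL.

```python
import ipaddress

# Configuration lines quoted in the thread (PIX 6.3 syntax).
CONFIG = """\
static (outside,inside) 172.21.0.10 192.168.0.10 netmask 255.255.255.255
access-list INSIDE permit tcp any host 172.21.0.10 eq www
access-group INSIDE in interface inside
"""

PORTS = {"www": 80}  # named port used by the ACL line


def parse(config):
    """Return (statics, acl): mapped->real host map and ordered ACL entries."""
    statics, acl = {}, []
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "static":
            # static (real_if,mapped_if) mapped_ip real_ip netmask mask
            statics[ipaddress.ip_address(tok[2])] = ipaddress.ip_address(tok[3])
        elif tok[0] == "access-list":
            # access-list NAME permit|deny PROTO any host DST eq PORT
            port = PORTS.get(tok[8]) or int(tok[8])
            acl.append((tok[2], tok[3], ipaddress.ip_address(tok[6]), port))
    return statics, acl


def from_inside(statics, acl, proto, dst, port):
    """Model a packet arriving on the inside interface.

    Assumptions: the ACL is checked first, against the destination as seen
    on the wire (the mapped IP); entries are tried in order; a packet that
    matches no entry is dropped by the implicit deny.
    """
    dst = ipaddress.ip_address(dst)
    for action, a_proto, a_dst, a_port in acl:
        if (a_proto, a_dst, a_port) == (proto, dst, port):
            if action != "permit":
                return ("deny", None)
            return ("permit", str(statics.get(dst, dst)))  # destination NAT
    return ("deny", None)  # implicit deny at the end of the ACL


if __name__ == "__main__":
    statics, acl = parse(CONFIG)
    for pkt in [("tcp", "172.21.0.10", 80), ("tcp", "192.168.0.20", 80),
                ("icmp", "172.21.0.10", 0)]:
        print(pkt, "->", from_inside(statics, acl, *pkt))
```

With only the one permit line in INSIDE, the model passes HTTP to the mapped address and drops every other flow entering the inside interface, including pings to the same mapped address.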
