Reverse NAT on PIX

Unanswered Question
Jan 19th, 2008
My outside network is: 10.x.y.0/24

My inside network is: 192.168.a.0/24.

The packet comes from: 172.30.b.192/29

I need port forwarding or redirecting to my inside SSH machine, and I don't like seeing a host route to 172.30.b.ccc over the inside interface of the PIX.

I tried one-to-one NAT from outside to inside, but my SSH machine doesn't know anything about the MAC of the NATed interface of the PIX (arp who-has <192.168.a.d> tell ...).

What is the solution? The PIX hates the "static (outside,inside) <internal_IP> <my_subnet> netmask" command, which is acceptable. It isn't a one-to-one relation, of course.

So what is the solution?



cisco24x7 Sat, 01/19/2008 - 19:22

The solution is policy NAT.

CCIE Security

aruzsinszky Tue, 01/22/2008 - 10:23

Can you give me a little bit more information?

I checked the policy NAT example on the Cisco web page, but I don't see how it will solve my problem. :-(



alanajjar Wed, 01/23/2008 - 06:19


To permit access to an internal server on the inside network from outside machines, you need to define:

1- access list

2- static nat

For the access list, permit traffic from the external host to the outside interface, and specify the port number; in this case the SSH port = 22.

For the static NAT, permit traffic from the outside interface to the inside server, on the specified port number.

For your case, the access list will be

access-list out_in permit tcp 172.30.b.192 interface outside eq 22

and the static NAT will be

static (inside,outside) tcp interface 22 22

where is the inside ssh server.


aruzsinszky Wed, 01/23/2008 - 08:35


I solved my problem (it seems to work with one IP translated now, and I'll extend it to the whole IP subnet that we use):

access-list acl_out remark Default rule - From Internet to Linux_ssh_server SSH port

access-list acl_out permit tcp OUTSIDE_VPN_Inet interface outside eq ssh log

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0 0

static (inside,outside) tcp interface ssh ssh netmask 0 0

static (outside,inside) netmask 0 0

access-group acl_out in interface outside

access-group acl_in in interface inside

and proxy ARP is switched on!

What's your opinion?

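The two pieces that the thread arrives at (alanajjar's port static plus ACL, and the poster's extra outside-to-inside static that relies on proxy ARP) are shown together below as a complete PIX 6.3 fragment. This is an added example, not configuration from the thread or from Cisco; the addresses are constructed stand-ins for the thread's placeholders (outside 10.1.2.0/24 with the PIX at 10.1.2.1, inside 192.168.1.0/24 with the PIX at 192.168.1.1, SSH server 192.168.1.10, remote admin subnet 172.30.5.192/29, and 192.168.1.192/29 as an unused block on the inside subnet).

```text
! Added example (not from the thread). Constructed addresses stand in for the
! thread's placeholders; adjust to your own. PIX 6.3 syntax.

! 1. Port forward: TCP/22 on the outside interface address -> inside SSH server.
!    'interface' reuses the outside address, so no second public IP is spent.
static (inside,outside) tcp interface ssh 192.168.1.10 ssh netmask 255.255.255.255 0 0

! 2. Only the remote /29 may reach the forwarded port. The destination is the
!    outside interface because that is where the xlate lives; the source is the
!    remote hosts' real (untranslated) addresses, which is what an inbound ACL sees.
access-list acl_out remark Remote admin subnet -> SSH server, TCP/22 only
access-list acl_out permit tcp 172.30.5.192 255.255.255.248 interface outside eq ssh log
access-group acl_out in interface outside

! 3. "Reverse" static: present the remote /29 to the inside network as
!    192.168.1.192/29. The server then sees the SSH client as an address on its
!    own subnet and answers via ARP, so it needs no host route for 172.30.5.x.
!    192.168.1.192-199 must be free on the inside, and the PIX must answer ARP
!    for them: leave proxy ARP on (do NOT configure 'sysopt noproxyarp inside').
static (outside,inside) 192.168.1.192 172.30.5.192 netmask 255.255.255.248 0 0

! 4. Normal outbound PAT for the inside hosts, as in the thread.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! Check: after a connection from 172.30.5.193, 'show xlate' should list both the
! port static (192.168.1.10/22 <-> outside/22) and 172.30.5.193 <-> 192.168.1.193.
```

The restriction to the /29 is the security-relevant part: with `any` as the source, the port static exposes the SSH server to every host that can reach the outside address. Keep `log` on the permit line so accepted sessions are visible, and make sure the 192.168.1.192/29 block stays reserved, since any inside host that later takes one of those addresses will fight the PIX's proxy ARP for it.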


