Reverse NAT on PIX

Unanswered Question
Jan 19th, 2008

Hi,


My outside network is: 10.x.y.0/24

My inside network is: 192.168.a.0/24.

The packet comes from: 172.30.b.192/29


I need port forwarding or redirecting to my inside SSH machine, and I don't like seeing a host route to 172.30.b.ccc over the inside interface of the PIX.

I tried one-to-one NAT from outside to inside, but my SSH machine doesn't know anything about the MAC of the NATed interface of the PIX (arp who <192.168.a.d> tell ...).


What is the solution? PIX hates the "static (outside,inside) <internal_IP> <my_subnet> netmask 255.255.255.240" command, which is acceptable. It isn't a one-to-one relation, of course.

So what is the solution?


TIA,

Ruzsi

cisco24x7 Sat, 01/19/2008 - 19:22

Solution is policy NAT.


CCIE Security

aruzsinszky Tue, 01/22/2008 - 10:23

Can you give me a little bit more information?

I checked the policy NAT example on the Cisco web page, but I don't see how it will solve my problem. :-(


TIA.

Ruzsi

alanajjar Wed, 01/23/2008 - 06:19

Hi,

To permit access to an internal server on the inside network from outside machines, you need to define:

1- access list

2- static nat


For the access list, permit traffic from the external host to the outside interface, and specify the port number; for this case the SSH port = 22.

For the static NAT, permit traffic from the outside interface to the inside server on the specified port number.

For your case, the access list will be

access-list out_in permit tcp 172.30.b.192 255.255.255.248 interface outside eq 22


and the static NAT will be

static (inside,outside) tcp interface 22 192.168.1.1 22

where 192.168.1.1 is the inside SSH server.

Regards

aruzsinszky Wed, 01/23/2008 - 08:35

Hi,


I solved my problem (it seems good with one IP translated now, and I'll extend it to the whole IP subnet that we use):


access-list acl_out remark Default rule - From Internet to Linux_ssh_server SSH port

access-list acl_out permit tcp OUTSIDE_VPN_Inet 255.255.255.240 interface outside eq ssh log


global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface ssh ssh netmask 255.255.255.255 0 0

static (outside,inside) netmask 255.255.255.255 0 0

access-group acl_out in interface outside

access-group acl_in in interface inside


and proxy ARP is switched on!


What's your opinion?


TIA,

Ruzsi
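The following is an added, annotated PIX 6.3-style configuration that puts the two pieces from the thread together (the inbound access list plus the port-forwarding static, and a reverse translation on the outside interface so the inside server sees a local source address and needs no route back to the 172.30.b.0 block). It is example configuration written for this page, not the posters' own configuration. The addresses are placeholders in the same letter style the thread uses: 192.168.a.10 is assumed to be the inside SSH server, 192.168.a.200 an unused inside address reserved for the translated source, and 172.30.b.192/29 the only remote block allowed to connect.

```cisco
! Added example, not the original posters' configuration (PIX 6.3 syntax).
! Assumed placeholder addresses:
!   inside SSH server            192.168.a.10
!   spare inside address for the translated remote source  192.168.a.200
!   permitted remote source block  172.30.b.192/29
names
name 192.168.a.10 ssh_server
name 172.30.b.192 remote_vpn_net

! 1. Inbound ACL on the outside interface: only the remote /29 may reach the
!    outside interface address on tcp/22. 'log' records every hit so the SSH
!    exposure stays auditable on the syslog server.
access-list acl_out remark Remote VPN block to the outside interface, SSH only
access-list acl_out permit tcp remote_vpn_net 255.255.255.248 interface outside eq ssh log
access-group acl_out in interface outside

! 2. Port forward: tcp/22 on the outside interface address -> inside SSH server.
static (inside,outside) tcp interface ssh ssh_server ssh netmask 255.255.255.255 0 0

! 3. Reverse (outside) NAT: hide the whole /29 behind one inside address, so the
!    server sees 192.168.a.200 as the client and needs no host route to 172.30.b.x.
!    A many-to-one mapping is not a static; it is dynamic PAT applied on the
!    outside interface (the trailing 'outside' keyword enables outside NAT).
nat (outside) 2 remote_vpn_net 255.255.255.248 outside
global (inside) 2 192.168.a.200

! Ordinary outbound PAT for inside hosts, as in the thread.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
```

The trade-off of step 3 is visibility: the SSH server's own logs will show every remote client as 192.168.a.200, so the PIX syslog (driven by the 'log' keyword on the ACL) becomes the only place where the real source address of each SSH connection is recorded. Keep that log retained and forwarded if the server's auth log is part of your incident-response evidence.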
