01-19-2008 12:05 PM - edited 03-11-2019 04:50 AM
Hi,
My outside network is: 10.x.y.0/24
My inside network is: 192.168.a.0/24.
The packet comes from: 172.30.b.192/29
I need port forwarding or redirecting to my inside SSH machine, and I don't like seeing a host route to 172.30.b.ccc over the inside interface of the PIX.
I tried one-to-one NAT from outside to inside, but my SSH machine doesn't know anything about the MAC of the NATed interface of the PIX (arp who <192.168.a.d> tell ...).
What is the solution? The PIX hates the "static (outside,inside) <internal_IP> <my_subnet> netmask 255.255.255.240" command, which is acceptable. It isn't a one-to-one relation, of course.
So what is the solution?
TIA,
Ruzsi
01-19-2008 07:22 PM
The solution is policy NAT.
CCIE Security
01-22-2008 10:23 AM
Can you give me a little bit more information?
I checked the policy NAT example on the Cisco web page, but I don't see how it will solve my problem. :-(
TIA.
Ruzsi
01-23-2008 06:19 AM
Hi,
To permit access to an internal server on the inside network from outside machines, you need to define:
1- an access list
2- a static NAT
For the access list, permit traffic from the external host to the outside interface, and specify the port number; in this case the SSH port, 22.
For the static NAT, permit traffic from the outside interface to the inside server on the specified port number.
For your case, the access list will be
access-list out_in permit tcp 172.30.b.192 255.255.255.248 interface outside eq 22
and the static NAT will be
static (inside,outside) tcp interface 22 192.168.1.1 22
where 192.168.1.1 is the inside SSH server.
regards
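The two steps above (access list plus static PAT) only work once the list is also bound to the outside interface, and the thread's "policy NAT" hint is never spelled out. The following is an added example, not configuration posted by anyone in this thread, written in PIX 7.x syntax with constructed addresses (192.0.2.0/24 outside, 192.168.1.0/24 inside, SSH clients in 198.51.100.192/29, inside SSH server 192.168.1.1). The outside-NAT part at the end is an assumption about how to avoid the return route on the server; the ACL name OUT_IN and NAT id 2 are arbitrary.

```cisco
! Added example, not the thread's own configuration. PIX 7.x syntax.
! Constructed addresses: outside 192.0.2.0/24, inside 192.168.1.0/24,
! SSH clients 198.51.100.192/29, inside SSH server 192.168.1.1.
!
! 1) Access list: only the /29 may reach the outside interface address
!    on TCP/22. "log" records each permitted connection for auditing.
access-list OUT_IN extended permit tcp 198.51.100.192 255.255.255.248 interface outside eq ssh log
!
! 2) Static PAT: <outside interface IP>:22 is forwarded to 192.168.1.1:22.
!    Nothing else on the server is exposed, only the one port.
static (inside,outside) tcp interface ssh 192.168.1.1 ssh
!
! 3) Bind the list inbound on the outside interface; without this line
!    the static alone does not admit any outside traffic.
access-group OUT_IN in interface outside
!
! Optional, assumed: outside (policy) NAT. The client source addresses
! are translated to a single address on the inside subnet, so the server
! answers to its own LAN and needs no route back to 198.51.100.192/29.
! Requires the "outside" keyword on the nat statement (PIX 6.2+).
nat (outside) 2 198.51.100.192 255.255.255.248 outside
global (inside) 2 192.168.1.250
```

After applying it, `show xlate` should list the static PAT entry and, once a client connects, `show conn` should show the TCP connection to 192.168.1.1:22; if the optional outside NAT is used, the server's own logs will show 192.168.1.250 as the peer rather than the real client address, which is the trade-off to weigh against losing the client's identity on the server side.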
01-23-2008 08:35 AM
Hi,
I solved my problem (it seems to work with one translated IP now, and I'll extend it to the whole IP subnet that we use):
access-list acl_out remark Default rule - From Internet to Linux_ssh_server SSH port
access-list acl_out permit tcp OUTSIDE_VPN_Inet 255.255.255.240 interface outside eq ssh log
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ssh
static (outside,inside)
access-group acl_out in interface outside
access-group acl_in in interface inside
and proxy ARP is switched on!
What's your opinion?
TIA,
Ruzsi