Inbound NAT breaking existing connections

rodrigo_magno
Level 1

Hi all,

I need to configure an inbound nat rule on a PIX firewall so that a network that comes in through a VPN on the outside interface translates to a dmz interface (PAT).

I have the configuration in place to setup all the translation rules without the bidirectional NAT rule in place and all is working, but when I add the bidirectional nat rules:

nat (outside) 10 10.10.10.0 255.255.255.0 outside
nat (outside) 0 0 0 outside
global (dmz) 10 interface

everything breaks, even another vpn that I have running on the inside interface.

I have searched for info on bidirectional nat but the documentation available is very slim and it doesn't clearly state exactly what changes when you use it.

Can anybody give some more insight into this?

Thanks

Rodrigo Magno

1 Reply

smahbub
Level 6

The nat outside option lets you enable or disable outside NAT, which translates the source address of a connection coming from a lower security interface to higher interface. This feature is also called bidirectional NAT. If you enable outside dynamic NAT on an interface, then you must configure explicit NAT policy for all hosts on the interface that need to initiate connections to inside networks. If you want to translate some hosts, but not others, then use identity NAT or NAT exemption (nat 0 or nat 0 access-list) to disable address translation for these additional hosts. The norandomseq and emb_limit options are not supported with outside NAT.

Use the following url to get more info about configuring outside(bidirectional) NAT on PIX:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f31a.shtml#s11
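As an added example (not part of the thread and not a Cisco tool), the small checker below parses the three `nat`/`global` lines from the question and applies two consistency checks that follow from the reply: every non-zero nat id on an interface needs a matching `global` on another interface, and an identity-NAT rule (`nat (if) 0 <addr> <mask>` without `access-list`) should not cover the same hosts that a translation rule on that interface already matches. The `lint` and `parse` functions and the finding strings are my own naming; the checker does not model which rule the PIX actually selects when two overlap, it only reports the overlap for review.

```python
import ipaddress
import re

# Constructed sample: the three lines from the original post, verbatim.
SAMPLE_CONFIG = """\
nat (outside) 10 10.10.10.0 255.255.255.0 outside
nat (outside) 0 0 0 outside
global (dmz) 10 interface
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)(.*)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (.+)$")


def parse(config):
    """Return ([nat rules], [global rules]) from PIX-style config text."""
    nats, globals_ = [], []
    for line in config.splitlines():
        line = line.strip()
        m = NAT_RE.match(line)
        if m:
            iface, nat_id, addr, mask, rest = m.groups()
            if addr == "access-list":
                continue  # nat 0 access-list / policy NAT: not modelled here
            if addr == "0" and mask == "0":
                net = ipaddress.ip_network("0.0.0.0/0")  # "0 0" means any host
            else:
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            nats.append({"iface": iface, "id": int(nat_id), "net": net,
                         "outside": "outside" in rest.split()})
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globals_.append({"iface": m.group(1), "id": int(m.group(2))})
    return nats, globals_


def lint(config):
    """Return a list of findings; an empty list means both checks passed."""
    nats, globals_ = parse(config)
    findings = []
    for n in nats:
        if n["id"] == 0:
            continue  # identity NAT (nat 0) needs no global pool
        if not any(g["id"] == n["id"] and g["iface"] != n["iface"] for g in globals_):
            findings.append(f"missing-global: nat id {n['id']} on {n['iface']} has no global")
    # Identity-NAT rule on an interface that also covers hosts another rule translates
    for ident in (n for n in nats if n["id"] == 0):
        for n in nats:
            if n["id"] != 0 and n["iface"] == ident["iface"] and n["net"].overlaps(ident["net"]):
                findings.append(f"overlap: nat 0 on {ident['iface']} ({ident['net']}) "
                                f"also covers nat id {n['id']} {n['net']}")
    return findings
```

Running `lint(SAMPLE_CONFIG)` on the poster's lines reports the overlap between `nat (outside) 0 0 0` and the 10.10.10.0/24 rule, which is the first thing to reconcile against the reply's advice to use identity NAT only for the hosts that must not be translated.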
