Nat in PIX

Unanswered Question
Feb 19th, 2009

global (outside) 10 172.20.20.15 netmask 255.255.255.255

nat (inside) 10 10.32.0.0 255.252.0.0

This is the configuration of the PIX. My question is: if any traffic is coming from outside, to which IP will it be translated?

JamesLuther Thu, 02/19/2009 - 02:08

Hi,

Traffic from the outside to inside won't be translated.

The above configuration will translate traffic coming from the inside network 10.32.0.0 behind the outside IP 172.20.20.15.

jholding09 Thu, 02/19/2009 - 05:26

Is there ever an instance where Outside traffic would get translated going into a firewall etc?

Jon Marshall Thu, 02/19/2009 - 05:50

Yes, if you set up a static translation rather than a dynamic translation, i.e.

static (inside,outside) 172.20.20.1 192.168.100.1 netmask 255.255.255.255

If the internal host 192.168.1.100 connects to a server on the outside, the source address is translated to 172.20.20.1.

If an external PC tries to connect to 172.20.20.1 it will be translated by the pix to 192.168.1.100.

Static translations allow traffic to be initiated from both directions.

Jon

Jon Marshall Thu, 02/19/2009 - 02:19

Rupesh

James is correct in what he says. More specifically any traffic that is initiated from the outside will not be translated with the above configuration.

Traffic that is part of a connection that was initiated from the inside will be translated back to the original 10.32.0.0 address.

So if you go to a web page on the internet from 10.32.1.1 then as the traffic goes through the pix the source IP address will be translated to 172.20.20.15. When the web server sends a packet back the destination address is 172.20.20.15. When it arrives at the pix the firewall then translates the destination IP address back to 10.32.1.1.

Jon
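The two behaviours described in the replies above, the nat/global 10 pair only ever translating connections that start on the inside (with the reply traffic mapped back to the original 10.32.0.0 address) and a static entry translating in both directions, can be checked with a small model of the PIX xlate table. This is an added example, not code from the thread or from Cisco: a simplified Python model using the thread's own addresses; the outside hosts 203.0.113.10 and 198.51.100.7 are constructed sample addresses, and the port allocation is a simplification of PAT.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A minimal IP/TCP header: only the fields NAT touches."""
    src: str
    dst: str
    src_port: int
    dst_port: int


class PixNatModel:
    """Simplified model of PIX address translation (constructed for illustration,
    not the PIX code): a nat/global pair builds a dynamic PAT xlate table on
    inside-initiated traffic only; static entries are fixed and bidirectional."""

    def __init__(self):
        self.dynamic = []        # [(inside network, global IP)] from nat/global with the same id
        self.static = {}         # real (inside) IP -> global (outside) IP
        self.xlate = {}          # (real IP, real port) -> (global IP, global port)
        self.used_ports = set()  # (global IP, global port) already handed out

    def add_dynamic(self, inside_net, netmask, global_ip):
        self.dynamic.append((ipaddress.ip_network(f"{inside_net}/{netmask}"), global_ip))

    def add_static(self, global_ip, real_ip):
        self.static[real_ip] = global_ip

    def _alloc_port(self, global_ip, wanted):
        # Simplification of PAT: keep the original source port when it is free, else pick another.
        if (global_ip, wanted) not in self.used_ports:
            port = wanted
        else:
            port = 1024
            while (global_ip, port) in self.used_ports:
                port += 1
        self.used_ports.add((global_ip, port))
        return port

    def inside_to_outside(self, pkt):
        """Translate the source of an inside->outside packet; None if no rule matches."""
        if pkt.src in self.static:
            return Packet(self.static[pkt.src], pkt.dst, pkt.src_port, pkt.dst_port)
        for net, global_ip in self.dynamic:
            if ipaddress.ip_address(pkt.src) in net:
                key = (pkt.src, pkt.src_port)
                if key not in self.xlate:  # the first packet of a flow creates the xlate
                    self.xlate[key] = (global_ip, self._alloc_port(global_ip, pkt.src_port))
                gip, gport = self.xlate[key]
                return Packet(gip, pkt.dst, gport, pkt.dst_port)
        return None

    def outside_to_inside(self, pkt):
        """Translate the destination of an outside->inside packet.
        A static entry matches regardless of state; a global (PAT) address only
        matches return traffic of an existing xlate. Otherwise None: the firewall
        has no inside address to translate the packet to, so it goes nowhere."""
        for real_ip, global_ip in self.static.items():
            if pkt.dst == global_ip:
                return Packet(pkt.src, real_ip, pkt.src_port, pkt.dst_port)
        for (real_ip, real_port), (gip, gport) in self.xlate.items():
            if pkt.dst == gip and pkt.dst_port == gport:
                return Packet(pkt.src, real_ip, pkt.src_port, real_port)
        return None


def build_pix():
    """The thread's configuration: the nat/global 10 pair plus Jon's static example."""
    pix = PixNatModel()
    pix.add_dynamic("10.32.0.0", "255.252.0.0", "172.20.20.15")  # nat (inside) 10 / global (outside) 10
    pix.add_static("172.20.20.1", "192.168.100.1")                # static (inside,outside) 172.20.20.1 192.168.100.1
    return pix


def walk_through():
    """Replay the scenarios from the replies; outside hosts are constructed sample addresses."""
    pix = build_pix()
    web = "203.0.113.10"       # constructed: a web server on the internet
    outsider = "198.51.100.7"  # constructed: an outside host opening an unsolicited connection
    out = pix.inside_to_outside(Packet("10.32.1.1", web, 40000, 80))      # 10.32.1.1 browses the web
    back = pix.outside_to_inside(Packet(web, "172.20.20.15", 80, 40000))  # the web server replies
    unsolicited = pix.outside_to_inside(Packet(outsider, "172.20.20.15", 5555, 443))
    to_static = pix.outside_to_inside(Packet(outsider, "172.20.20.1", 5555, 22))
    from_static = pix.inside_to_outside(Packet("192.168.100.1", web, 1234, 80))
    return {"out": out, "back": back, "unsolicited": unsolicited,
            "to_static": to_static, "from_static": from_static}


if __name__ == "__main__":
    for name, pkt in walk_through().items():
        print(f"{name:12} -> {pkt}")
```

Running it shows the outbound packet leaving as 172.20.20.15:40000, the reply landing back on 10.32.1.1:40000, the unsolicited packet to 172.20.20.15:443 finding no xlate at all (the answer to the original question), and the static address 172.20.20.1 translating in both directions.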

Rupesh Kashyap Thu, 02/19/2009 - 19:38

It means, taking the example of a router, that any traffic initiated from outside will not be NATed with the command below.

"ip nat inside source list 15 interface Serial0/1/0:0 overload"
