Not sure if I'm missing the obvious here (like this isn't possible), but I need to provide Internet access to users on a PIX (6.3(3)) outside interface. The PIX is on a remote network; Internet access is via our private WAN and then out through a central firewall to the Internet, so the inside interface is on our private network and the DMZ is on the outside interface. I need to use outside NAT to allow hosts on the DMZ to access the net but restrict them with ACLs from being able to see our internal network.
There are many Cisco references to the new outside NAT feature, but I can't see any documented examples of what I'm trying to do.
Here's what I think I need to do:
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_access_in permit ip any any
access-list outside_access_in permit ip any any
access-list NAT-Outside-Policy permit tcp any any
access-list NAT-Outside-Policy permit udp any any
ip address outside 192.168.1.1 255.255.255.0
ip address inside 192.168.0.1 255.255.252.0
global (outside) 1 interface
global (inside) 1 interface
nat (outside) 1 access-list NAT-Outside-Policy outside 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
My outside host address is 192.168.1.100 and has 192.168.1.1 as its default gateway. When I try to make a connection through the PIX from this host, I can see an xlate created:
305011: Built dynamic UDP translation from outside:192.168.1.100/137 to inside(NAT-Outside-Policy):192.168.0.1/57
But then I see:
305005: No translation group found for udp src outside:192.168.1.100/137 dst inside:xxx.xxx.xxx.xxx/137
where xxx.xxx.xxx.xxx is an inside host.
If I take the nat (outside) command out, I can communicate from inside to outside OK. If I use static NAT, I can create static connections from outside to an inside host, but I need to be able to connect to any inside host from the outside. A simple solution would be to connect the inside interface to my "outside" network, but this would mean connecting the inside interface to an untrusted network.
Any comments would be appreciated.
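As an added illustration (not part of the original post and not taken from any Cisco document), here is the configuration I would try on PIX 6.3 for this topology. The 305005 message above says the PIX built a translation for the DMZ source but found none for the inside destination; with outside NAT, the destination side of the connection also has to be covered by a translation (a static, or a NAT-exemption rule). The fragment keeps the poster's outside PAT to the inside interface, adds a nat 0 exemption covering the inside side (assumption: NAT exemption with an access-list is bidirectional in 6.3 and satisfies the destination lookup), and replaces the "permit ip any any" on the outside interface with a deny for the internal network followed by a permit, which is what actually enforces the stated restriction. The access-list name NONAT and the addressing (192.168.0.0/22 inside, 192.168.1.0/24 DMZ, default route out of the inside interface) are assumptions taken from the post; lines beginning with ":" are commentary for the reader, not commands.

```text
: Added example, not the original poster's config. Assumes inside 192.168.0.0/22,
: DMZ 192.168.1.0/24 on the outside interface, default route via inside.

: 1. Source side: DMZ hosts are PAT'd to the inside interface address,
:    as in the original post, but the policy ACL is narrowed to the DMZ subnet.
access-list NAT-Outside-Policy permit ip 192.168.1.0 255.255.255.0 any
nat (outside) 1 access-list NAT-Outside-Policy outside 0 0
global (inside) 1 interface

: 2. Destination side: hosts behind the inside interface must also match a
:    translation rule, otherwise the PIX logs 305005 "No translation group found"
:    for the inside destination. Assumption: a nat 0 exemption (connections may be
:    initiated from either side) matching any inside-side address talking to the
:    DMZ subnet satisfies that lookup without rewriting inside addresses.
access-list NONAT permit ip any 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

: 3. Policy: DMZ hosts may reach anything except the internal address space.
:    The original "permit ip any any" on the outside interface would let DMZ
:    hosts reach the internal network; deny that first. Add one deny per internal
:    range reachable over the private WAN (only 192.168.0.0/22 is known from the post).
access-list outside_access_in deny ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.252.0
access-list outside_access_in permit ip 192.168.1.0 255.255.255.0 any
access-group outside_access_in in interface outside

: 4. Verify: the outside-to-inside PAT entry should appear in the xlate table and
:    the deny line's hit count should climb when a DMZ host probes the internal net.
show xlate
show access-list outside_access_in
```

If the 305005 message persists after this, the destination lookup is not being satisfied by the exemption and the next thing to try is an identity static for the inside range (static (inside,outside) 192.168.0.0 192.168.0.0 netmask 255.255.252.0), which covers only that one subnet rather than "any inside host".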