Outside NAT

Unanswered Question
Dec 3rd, 2003

Not sure if I'm missing the obvious here (like this isn't possible), but I need to provide Internet access to users on a PIX (6.3(3)) outside interface. The PIX is on a remote network; Internet access is via our private WAN and then out through a central firewall to the Internet, so the inside interface is on our private network and the DMZ is on the outside interface. I need to use outside NAT to allow hosts on the DMZ to access the net but restrict them with ACLs from being able to see our internal network.


There are many CISCO references to the new outside nat feature but I can't see any documented examples of what I'm trying to do.


Here's what I think I need to do:


interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_access_in permit ip any any
access-list outside_access_in permit ip any any
access-list NAT-Outside-Policy permit tcp any any
access-list NAT-Outside-Policy permit udp any any
ip address outside 192.168.1.1 255.255.255.0
ip address inside 192.168.0.1 255.255.252.0
global (outside) 1 interface
global (inside) 1 interface
nat (outside) 1 access-list NAT-Outside-Policy outside 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside

My outside host address is 192.168.1.100 and has 192.168.1.1 as its default gateway. When I try to make a connection through the PIX from this host I can see an xlate created:


305011: Built dynamic UDP translation from outside:192.168.1.100/137 to inside(NAT-Outside-Policy):192.168.0.1/57


But then I see:


305005: No translation group found for udp src outside:192.168.1.100/137 dst inside:xxx.xxx.xxx.xxx/137


Where xxx is an inside host.


If I take the nat (outside) command out I can communicate from inside to outside OK. If I use static NAT I can create static connections from outside to an inside host, but I need to be able to connect to any inside host from the outside. A simple solution would be to connect the inside interface to my "outside" network, but this would mean connecting the inside interface to an untrusted network.


Any comments would be appreciated.

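The two syslog messages quoted above tell the story of this flow: 305011 says the PIX built a dynamic translation for the outside host's source address (mapped to the inside interface address via NAT-Outside-Policy), and 305005 says it then found no translation group covering the inside destination, so the packet was dropped. When troubleshooting outside NAT it helps to pull these out of the syslog stream and list which inside destinations are being hit without a translation. The following parser is an added example written for this page, not code from the thread or from Cisco: it parses the 305011 and 305005 message formats as they appear above, correlates each failure with the source xlate built just before it, and counts the destination hosts involved. The sample log is constructed (the inside host 192.168.2.50 stands in for the xxx.xxx.xxx.xxx in the post, and the remaining lines are invented for illustration); the function names are my own.

```python
"""Parse PIX 6.x NAT syslog messages 305011 (translation built) and 305005
(no translation group found) and report flows whose destination lacks a
translation. Added example; the message formats follow the lines quoted
in the post, and the sample log below is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log: the first two lines are the messages from the post
# (inside host xxx.xxx.xxx.xxx replaced by a constructed 192.168.2.50); the
# remaining lines are constructed for illustration, not from a real device.
SAMPLE_LOG = """\
305011: Built dynamic UDP translation from outside:192.168.1.100/137 to inside(NAT-Outside-Policy):192.168.0.1/57
305005: No translation group found for udp src outside:192.168.1.100/137 dst inside:192.168.2.50/137
305011: Built dynamic TCP translation from outside:192.168.1.101/40000 to inside(NAT-Outside-Policy):192.168.0.1/1025
305005: No translation group found for tcp src outside:192.168.1.102/40001 dst inside:192.168.2.51/445
999999: Some other message this parser does not understand
"""

BUILT_RE = re.compile(
    r"^(?P<id>305011): Built dynamic (?P<proto>TCP|UDP) translation from "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+)(?:\((?P<policy>[^)]*)\))?:(?P<map_ip>[\d.]+)/(?P<map_port>\d+)$"
)
NOXLATE_RE = re.compile(
    r"^(?P<id>305005): No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)$"
)


@dataclass
class Event:
    msg_id: str
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: Optional[str] = None      # only on 305005
    dst_port: Optional[int] = None    # only on 305005
    map_ip: Optional[str] = None      # only on 305011: mapped source address
    map_port: Optional[int] = None    # only on 305011: mapped source port
    policy: Optional[str] = None      # only on 305011: policy NAT ACL name, if any


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a 305011 or 305005 message, None for anything else."""
    text = line.strip()
    m = BUILT_RE.match(text)
    if m:
        return Event(m["id"], m["proto"].lower(), m["src_if"], m["src_ip"],
                     int(m["src_port"]), m["dst_if"], map_ip=m["map_ip"],
                     map_port=int(m["map_port"]), policy=m["policy"])
    m = NOXLATE_RE.match(text)
    if m:
        return Event(m["id"], m["proto"].lower(), m["src_if"], m["src_ip"],
                     int(m["src_port"]), m["dst_if"], dst_ip=m["dst_ip"],
                     dst_port=int(m["dst_port"]))
    return None


def parse_log(text: str) -> List[Event]:
    """Parse every recognised line of a syslog capture, skipping the rest."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_untranslated_destinations(events: List[Event]) -> List[dict]:
    """For each 305005, report the dropped flow and whether the same source
    flow had a 305011 xlate built earlier (source translated, destination not)."""
    built: Dict[tuple, Event] = {}
    report = []
    for e in events:
        key = (e.proto, e.src_if, e.src_ip, e.src_port)
        if e.msg_id == "305011":
            built[key] = e
        elif e.msg_id == "305005":
            prior = built.get(key)
            report.append({
                "proto": e.proto,
                "src": f"{e.src_if}:{e.src_ip}/{e.src_port}",
                "dst": f"{e.dst_if}:{e.dst_ip}/{e.dst_port}",
                "dst_ip": e.dst_ip,
                "source_xlate_seen": prior is not None,
                "mapped_source": f"{prior.map_ip}/{prior.map_port}" if prior else None,
            })
    return report


def hosts_missing_translation(report: List[dict]) -> Dict[str, int]:
    """Distinct destination hosts hit without a translation, with drop counts."""
    counts: Dict[str, int] = {}
    for r in report:
        counts[r["dst_ip"]] = counts.get(r["dst_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    findings = find_untranslated_destinations(parse_log(SAMPLE_LOG))
    for f in findings:
        print(f)
    print(hosts_missing_translation(findings))
```

Run it against a `show logging` capture or a syslog file and the `dst_ip` counts give you the list of inside hosts that the outside-to-inside flows are aiming at without a matching translation, which is the set to check against your nat/static entries before loosening anything on the outside ACL.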
nkhawaja (Cisco Employee) Sun, 12/07/2003 - 18:14

Hi,


I didn't go completely through your notes, but first of all, what you are trying to do is possible.

Secondly, you might need to try out the nat (outside) with the "outside" keyword:


nat (outside) 1 access-list NAT-Outside-Policy outside 0 0 outside


Thanks

Nadeem


d-g-c Mon, 12/08/2003 - 09:00

I am using the "outside" keyword:


nat (outside) 1 access-list NAT-Outside-Policy outside 0 0


I don't think the command line with the two "outside" keywords in it that you quoted is valid:



nat (outside) 1 access-list NAT-Outside-Policy outside 0 0 outside


Thanks



Peter.

