Outside NAT

d-g-c
Level 1

Not sure if I'm missing the obvious here (like this isn't possible), but I need to provide Internet access to users on a PIX (6.3(3)) outside interface. The PIX is on a remote network; Internet access is via our private WAN, then out through a central firewall to the Internet, so the inside interface is on our private network and the DMZ is on the outside interface. I need to use outside NAT to allow hosts on the DMZ to access the net but restrict them with ACLs from being able to see our internal network.

There are many CISCO references to the new outside nat feature but I can't see any documented examples of what I'm trying to do.

Here's what I think I need to do

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_access_in permit ip any any
access-list outside_access_in permit ip any any
access-list NAT-Outside-Policy permit tcp any any
access-list NAT-Outside-Policy permit udp any any
ip address outside 192.168.1.1 255.255.255.0
ip address inside 192.168.0.1 255.255.252.0
global (outside) 1 interface
global (inside) 1 interface
nat (outside) 1 access-list NAT-Outside-Policy outside 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside

My outside host address is 192.168.1.100 and has 192.168.1.1 as its default gateway. When I try and make a connection through the PIX from this host I can see an xlate created

305011: Built dynamic UDP translation from outside:192.168.1.100/137 to inside(NAT-Outside-Policy):192.168.0.1/57

But then I see

305005: No translation group found for udp src outside:192.168.1.100/137 dst inside:xxx.xxx.xxx.xxx/137

Where xxx is an inside host.

If I take the nat (outside) command out I can communicate from inside to outside ok. If I use static nat I can create static connections from outside to an inside host, but I need to be able to connect to any inside host from the outside. A simple solution would be to connect the inside interface to my "outside" network, but this would mean connecting the inside interface to an untrusted network.

Any comments would be appreciated.
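Added here as an example, not code from the thread or from Cisco: a small Python correlator that reads PIX 6.3 syslog lines and flags flows where a 305011 xlate was built for the source but a 305005 then followed for the same source endpoint, which is exactly the pair of messages shown above. The inside host address in the sample log is a constructed placeholder for the xxx.xxx.xxx.xxx in the post.

```python
import re

# The two PIX 6.3 syslog messages quoted in the post (an optional "%PIX-6-"
# severity prefix, as seen on a syslog server, is accepted as well).
BUILT_RE = re.compile(
    r"^(?:%PIX-\d-)?305011: Built dynamic (?P<proto>TCP|UDP) translation from "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+)(?:\((?P<policy>[^)]*)\))?:(?P<xlate_ip>[\d.]+)/(?P<xlate_port>\d+)$"
)
NOXLATE_RE = re.compile(
    r"^(?:%PIX-\d-)?305005: No translation group found for (?P<proto>\w+) src "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) dst "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)$"
)

def find_half_translated_flows(lines):
    """Return flows whose source got a dynamic xlate (305011) but whose
    destination then had no translation group (305005): NAT covers one side only."""
    built = {}  # (proto, src_if, src_ip, src_port) -> policy ACL name or None
    findings = []
    for raw in lines:
        m = BUILT_RE.match(raw.strip())
        if m:
            built[(m["proto"].lower(), m["src_if"], m["src_ip"], m["src_port"])] = m["policy"]
            continue
        m = NOXLATE_RE.match(raw.strip())
        if m:
            key = (m["proto"].lower(), m["src_if"], m["src_ip"], m["src_port"])
            if key in built:  # the same source endpoint was translated just before
                findings.append({
                    "proto": key[0],
                    "src": f"{m['src_if']}:{m['src_ip']}/{m['src_port']}",
                    "dst": f"{m['dst_if']}:{m['dst_ip']}/{m['dst_port']}",
                    "policy": built[key],
                })
    return findings

# Constructed sample: the post's two lines with the inside host (xxx.xxx.xxx.xxx
# there) replaced by a made-up 192.168.0.50, plus a 305005 with no preceding
# 305011 for its source, which must not be flagged.
SAMPLE_LOG = [
    "305011: Built dynamic UDP translation from outside:192.168.1.100/137 "
    "to inside(NAT-Outside-Policy):192.168.0.1/57",
    "305005: No translation group found for udp src outside:192.168.1.100/137 "
    "dst inside:192.168.0.50/137",
    "305005: No translation group found for tcp src outside:192.168.1.77/4000 "
    "dst inside:192.168.0.50/80",
]
```

Calling `find_half_translated_flows(SAMPLE_LOG)` returns one finding, for the 192.168.1.100 flow translated via NAT-Outside-Policy; the tcp line is ignored because no xlate was ever built for that source.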

2 Replies

nkhawaja
Cisco Employee

Hi,

I didn't go completely through your notes, but, first of all, what you are trying to do is possible.

Secondly you might need to try out the nat (outside) with the "outside" keyword

nat (outside) 1 access-list NAT-Outside-Policy outside 0 0 outside

Thanks

Nadeem

I am using the "outside" keyword:

nat (outside) 1 access-list NAT-Outside-Policy outside 0 0

I don't think the command line with the two "outside" keywords in it that you quoted is valid:

nat (outside) 1 access-list NAT-Outside-Policy outside 0 0 outside

Thanks

Peter.
