Destination NAT

Nov 7th, 2005

I have a setup as below;


10.0.0.0/24 ---inside (PIX) outside---172.16.1.0/24------(router)----remote network server 222.222.222.1:tcp80


Scenario 1) Can I perform destination NAT for remote server 222.222.222.1 to a 172.16.1.0/24 segment IP, e.g. 172.16.1.3:tcp80? Internal network users from the 10.0.0.0/8 network will be PAT to 172.16.1.4, and users browse to the remote server with IP 172.16.1.3:tcp80 instead of 222.222.222.1:tcp80.


Can this be achieved using PIX 5.2 or later?



Scenario 2) Can I perform destination NAT for remote server 222.222.222.1 to a 172.16.2.0/24 segment IP, e.g. 172.16.2.1:tcp80? Internal network users from the 10.0.0.0/8 network will be PAT to 172.16.2.2, and users browse to the remote server with IP 172.16.2.1:tcp80 instead of 222.222.222.1:tcp80. There is no interface defined for this 172.16.2.0 segment.


Can this be achieved using PIX 5.2 or later?


Thanks

thomas.chen Fri, 11/11/2005 - 07:02

I think it is not possible because the ip nat inside source static command can be used to hide the actual address of the inside server by using a static translation.

ssrjazz Wed, 11/16/2005 - 10:55

No.


What you -can- do is NAT 222.222.222.1 to a 10.0.0.0 address like 10.0.0.24.


Since you are already doing outgoing NAT on your 10.x.x.x network, the traffic arriving at 222.222.222.1 would appear to be coming from your 172.16.1.4 PATed address. We do this sort of thing to make an external agency's website (on one of our DMZs) appear to be on our internal LAN. Nice thing about this bi-directional NAT is that neither side's network needs to know about the other or how to route to it. The Pix does all the work.


We're doing this on v6.2 and 6.3
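
The bi-directional NAT described in the reply above, sketched as a PIX 6.2/6.3 configuration fragment. This is an added example, not part of the original posts and not the poster's own configuration; the inside mask (taken from the diagram), the free address 10.0.0.24 and the router address 172.16.1.254 are assumptions.

```cisco
: Constructed PIX 6.2/6.3 fragment using the addresses from this thread.
: Assumed: inside is 10.0.0.0/24 (per the diagram), 10.0.0.24 is unused on
: the inside LAN, and the router's outside-segment address is 172.16.1.254.

: Source side: PAT all inside users to 172.16.1.4 on the way out.
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 172.16.1.4

: Destination side (outside NAT): the real outside host 222.222.222.1
: appears on the inside as 10.0.0.24. Syntax is
:   static (real_if,mapped_if) mapped_ip real_ip
static (outside,inside) 10.0.0.24 222.222.222.1 netmask 255.255.255.255

: The PIX still needs a route to the real server address.
route outside 222.222.222.1 255.255.255.255 172.16.1.254

: After a test connection to http://10.0.0.24/ check both translations with:
:   show xlate
```

Because 10.0.0.24 sits inside the users' own subnet, the PIX answers ARP for it on the inside interface, so it must not be assigned to a real host. The remote server sees every connection as coming from 172.16.1.4.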

