need a public IP to appear as private

tato386
Level 6

I need to telnet from the public Internet into a box that is sitting behind a PIX and is using a private IP address. I have already used NAT to translate an available public IP to the internal/private IP of this box. However, the problem is that this box does not have the routing set up to properly reply to clients connecting to it from a source IP on the public Internet. Is there a way that I can somehow make clients with public Internet addresses look like they are being sourced from a private address? In this way the box would be responding to a private IP instead of the true source, which is not reachable.

Thanks,

Diego

6 Replies

scottmac
Level 10

A VPN would work as you describe.

A static NAT should also work.

Post your config, I bet someone here can debug it for ya.

Good Luck

Scott

Nitin_Dewan07
Level 1

Hi,

If you want the clients connecting with public Internet addresses to look as if they are sourced from a private address, consider reverse NATting or Outside NAT.

The box will be able to reply as if the request is coming from private addresses.

check this out:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html

and see how outside NAT works.

Hope this helps you out.

Fernando_Meza
Level 7

Hi .. in order to do that, apart from your static instruction you need to add an Outside NAT instruction:

nat (outside) 5 access-list TEST outside

global (inside) 5 interface

access-list TEST permit tcp any host x.x.x.x eq telnet

The above instructions will cause the external hosts to appear as if sourced by the inside interface of the PIX when connecting to public IP x.x.x.x.

I hope it helps .. please rate it if it does !!!
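To make the source rewrite concrete, here is an added Python model (not from this thread or from Cisco) of what the static plus the outside NAT lines above do to a telnet connection and its reply: the Internet client's address is PAT'd to the PIX inside interface, so the box only ever answers a host on its own subnet. The addresses, the PIX inside interface 192.168.1.1 and the box's route table are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
# Constructed addresses for this example; PUBLIC_IP stands in for x.x.x.x.
PUBLIC_IP = "203.0.113.10"        # public IP mapped by the static to the box
BOX_PRIVATE_IP = "192.168.1.100"  # the telnet box behind the PIX
PIX_INSIDE_IF = "192.168.1.1"     # PIX inside interface ("global (inside) 5 interface")
BOX_ROUTES = [ipaddress.ip_network("192.168.1.0/24")]  # box has no default route

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Pix:
    def __init__(self, outside_nat):
        self.outside_nat = outside_nat
        self.xlate = {}  # PAT port on inside interface -> (client ip, client port)
        self.next_port = 1024

    def inbound(self, pkt):
        # static (inside,outside): rewrite the public destination to the box
        assert pkt.dst == PUBLIC_IP, "no static for this destination"
        # access-list TEST permit tcp any host x.x.x.x eq telnet
        if self.outside_nat and pkt.dport == 23:
            # nat (outside) 5 ... outside + global (inside) 5 interface: PAT the source
            port, self.next_port = self.next_port, self.next_port + 1
            self.xlate[port] = (pkt.src, pkt.sport)
            return Packet(PIX_INSIDE_IF, port, BOX_PRIVATE_IP, pkt.dport)
        return Packet(pkt.src, pkt.sport, BOX_PRIVATE_IP, pkt.dport)

    def outbound(self, pkt):
        # reply from the box: undo the static on src and the PAT on dst
        client, cport = self.xlate.get(pkt.dport, (pkt.dst, pkt.dport))
        return Packet(PUBLIC_IP, pkt.sport, client, cport)

def box_can_route(dst):
    """The box can only reach its own private subnet."""
    return any(ipaddress.ip_address(dst) in net for net in BOX_ROUTES)

def telnet_from_internet(outside_nat):
    """Return (packet as the box sees it, box can reply?, reply as client sees it)."""
    pix = Pix(outside_nat)
    client = Packet("198.51.100.7", 40000, PUBLIC_IP, 23)  # constructed client
    seen = pix.inbound(client)
    reply = Packet(seen.dst, seen.dport, seen.src, seen.sport)
    if not box_can_route(reply.dst):
        return seen, False, None
    return seen, True, pix.outbound(reply)
```

Run `telnet_from_internet(False)` and `telnet_from_internet(True)` to compare: without the outside NAT the box sees the real Internet source and cannot route its reply; with it the reply goes to 192.168.1.1 and the PIX untranslates it back to the client.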

This certainly seems to be what I want to do and it jibes with the documentation suggested in the previous post. However, as soon as I apply the nat (outside) command it totally breaks all my outbound traffic that is being "natted inside". I thought that it might have to do with the ACL that I was using, but even when I used a totally bogus ACL like:

access-list BOGUS permit tcp host 1.1.1.1 host 2.2.2.2 eq 999

it still broke my inside NAT. What's worse, since I couldn't get outside anymore I couldn't even check if the outside NAT stuff was working. When I did a "show xlate" the xlate table looked OK, but no traffic passed to inside hosts.

Any ideas?

Thanks,

Diego

I'm running into this same problem of 'Outside NAT' breaking the 'Inside NAT'.

305011: Built dynamic UDP translation from inside:192.168.1.2/3738 to outside:10.61.147.123/1084

305005: No translation group found for udp src inside:192.168.1.2/3738 dst outside:10.61.147.109/53

305011: Built dynamic UDP translation from inside:192.168.1.2/3739 to outside:10.61.147.123/1085

305005: No translation group found for udp src inside:192.168.1.2/3739 dst outside:10.61.147.108/53

305011: Built dynamic UDP translation from inside:192.168.1.2/3740 to outside:10.61.147.123/1086

305005: No translation group found for udp src inside:192.168.1.2/3740 dst outside:10.61.147.108/53

I tried adding explicit hosts to my inside NAT table, but it still didn't help. All outbound traffic was blocked out.

Anyone care to comment? The config I used is as follows:

static (inside,outside) tcp interface 2222 192.168.1.100 22

access-list nat5 permit tcp any interface outside eq 2222

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (outside) 5 access-list nat5 outside

global (inside) 5 interface

global (outside) 1 interface

-Joshua

mheusinger
Level 10

Hello,

The first information I would try to get is:

which networks are routed towards the PIX from the "telnet box" perspective. I wonder what prevents the box from accessing the internet? Is there no default gateway?

If no networks are routed towards the PIX, the box is inaccessible from the internet through this PIX. End of story.

If only a private network - e.g. 10.1.1.0/24 - is routed towards the PIX, you have the option of setting up a VPN to the PIX and assigning an IP out of 10.1.1.0/24 to your VPN client. Or you set up source NAT, i.e. your Internet IP should be translated to an IP out of 10.1.1.0/24, in addition to destination NAT, which you have already established as far as I understand.

Hope this helps! Please rate all posts.

Regards, Martin