Help with NAT

Oct 27th, 2006

I do not have an external IP to advertise and would like to use the outside int IP as the advertised IP towards the Internet. Is the following sufficient for that?


nat (inside) 1 0.0.0.0 0.0.0.0 0 0

hareskhan Fri, 10/27/2006 - 13:01

No, you will also need a "global (outside) 1 interface" command.


Hares

prerak_patel Fri, 10/27/2006 - 13:53

OK, I have this basic config. When I ping the yahoo.com IP from an internal LAN PC, I see the request and response in the PIX debug, but the pings are not getting back to the PC. Also, from outside I can't access my web server. However, from inside I can get to all web sites.


global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sundar.palaniappan Fri, 10/27/2006 - 15:29

Traffic from a lower security (outside) interface to a higher security (inside) interface has to be explicitly allowed using an ACL. To be able to ping hosts on the Internet from the inside network, you need to permit icmp echo-replies on the ACL applied on the outside interface. If there's no ACL applied on the outside int, then you need to create an ACL and allow icmp echo-replies to come in. Moreover, the outside ACL needs to permit http traffic to your web server.


To access your web server from the outside you need a static NAT as well - to map the global to the local IP of the server.


The link below has a configuration example that you may find helpful.


http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094ea2.shtml#configs



HTH


Sundar

prerak_patel Mon, 10/30/2006 - 12:32

Hi Sundar,

What I need to do is verify IP connectivity thro' the PIX. So I want to pass thro' all the traffic IN and OUT of the PIX. I believe the following should take care of it, please confirm.


global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-list from_inside permit any any

access-list from_outside permit any any


I am using the external INT IP for PATTING towards the Internet. I am not sure why I need a static map for the web server.

sundar.palaniappan Wed, 11/01/2006 - 11:54

Yes, it should work but you need to add a couple of things. I am sure you know the access-list needs to be applied to the respective interfaces using the access-group command. For the web server on the inside, you would need to configure a static statement.


HTH


Sundar
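
The pieces named across the replies above (outbound PAT, an outside ACL bound with access-group, and a static for the web server), put together as an added example that is not from any poster in the thread. It assumes PIX 6.x syntax and a constructed inside server address of 192.168.1.10, and it replaces the permit-everything outside ACL with one that admits only the two flows the thread asks for.

```cisco
: Added example, not from the thread. Assumes PIX 6.x syntax.
: 192.168.1.10 is a constructed inside address for the web server.

: Outbound PAT: inside hosts share the outside interface address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

: Port redirection for the web server. Dynamic PAT only creates
: translations for connections started from inside, so a connection
: started from outside has nothing to match without a static entry.
: With no spare external IP, the static maps TCP port 80 on the
: outside interface address to the server.
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0

: Outside ACL limited to what the thread needs:
:   - echo-replies coming back for pings sent from inside
:   - HTTP to the outside interface address (the static above)
: Everything else arriving on outside stays denied by the implicit deny.
access-list from_outside permit icmp any any echo-reply
access-list from_outside permit tcp any interface outside eq www

: An ACL has no effect until it is bound to an interface.
access-group from_outside in interface outside

: No from_inside ACL is bound here: traffic from the higher security
: (inside) interface to the lower security (outside) interface is
: allowed by default once the nat/global pair exists.
```

After applying it, `show access-list` shows whether the two permit lines are taking hits and `show xlate` shows whether the static translation is present.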
