01-19-2008 12:05 PM - edited 03-11-2019 04:50 AM
Hi,
My outside network is: 10.x.y.0/24
My inside network is: 192.168.a.0/24.
The packet comes from: 172.30.b.192/29
I need port forwarding or redirecting to my inside ssh machine, and I don't like seeing a host route to 172.30.b.ccc over the inside interface of the PIX.
I tried one-to-one NAT from outside to inside, but my ssh machine doesn't know anything about the MAC of the NATed interface of the PIX (arp who <192.168.a.d> tell ...)
What is the solution? The PIX hates the "static (outside,inside) <internal_IP> <my_subnet> netmask 255.255.255.240" command, which would be acceptable. It isn't a one-to-one relation, of course.
So what is the solution?
TIA,
Ruzsi
01-19-2008 07:22 PM
The solution is policy NAT.
CCIE Security
01-22-2008 10:23 AM
Can you give me a little bit more information.
I checked policy NAT example on Cisco webpage but I don't see how will it solve my problem. :-(
TIA.
Ruzsi
01-23-2008 06:19 AM
Hi,
To permit access to an internal server on the inside network from outside machines, you need to define:
1- access list
2- static nat
For the access list, permit traffic from the external host to the outside interface, and specify the port number; for this case the ssh port = 22.
For the static nat, permit traffic from the outside interface to the inside server, on the specified port number.
For your case, the access list will be
access-list out_in permit tcp 172.30.b.192 255.255.255.248 interface outside eq 22
and the static nat will be
static (inside,outside) tcp interface 22 192.168.1.1 22
where 192.168.1.1 is the inside ssh server.
regards
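The reply's two steps put together as a complete port-forward, as an added example that is not configuration from anyone in the thread: it assumes a PIX release that accepts the `interface outside` keyword in an access-list as the reply uses it, keeps the thread's 172.30.b.192/29 source (b is a placeholder octet) and 192.168.1.1 as the inside SSH server, and shows the over-broad rule next to the restricted one.

```text
! --- Weak: exposes the forwarded SSH port to every source on the outside ---
! access-list out_in permit tcp any interface outside eq 22
!
! --- Restricted: only the /29 the sessions actually come from, only TCP/22,
!     and only to the PIX's own outside address (the implicit deny drops the rest)
access-list out_in permit tcp 172.30.b.192 255.255.255.248 interface outside eq 22 log
!
! Port-restricted static: outside-interface:22 maps to 192.168.1.1:22 and nothing
! else on that host is reachable through this translation
static (inside,outside) tcp interface 22 192.168.1.1 22 netmask 255.255.255.255
!
! Apply the list inbound on the outside interface
access-group out_in in interface outside
!
! Verification after a test connection from the /29:
! show xlate            -> one port-level entry for 192.168.1.1/22
! show access-list out_in -> hit count on the permit line increments;
!                            a hit count of 0 means the ACL or the static is wrong
```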
01-23-2008 08:35 AM
Hi,
I solved my problem (it seems good with one IP translated now and I'll extend it for the whole IP subnet that we use):
access-list acl_out remark Default rule - From Internet to Linux_ssh_server SSH port
access-list acl_out permit tcp OUTSIDE_VPN_Inet 255.255.255.240 interface outside eq ssh log
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ssh
static (outside,inside)
access-group acl_out in interface outside
access-group acl_in in interface inside
and proxy ARP is switched on!
What's your opinion?
TIA,
Ruzsi