Any help is appreciated.
(1) Equipment: PIX515
(2) Connection scenario:
Far side WAN 10.1.2.61, PIX outside: 10.1.2.62. However, all incoming IPs from the other end are: 10.100.100.x/24
(3) Need to map incoming 10.100.100.x to internal 172.30.1.x,. For example: client on the other end will connect to 10.100.100.1. On the PIX, I need to translate 10.100.100.1 to 172.30.1.1.
Is this doable?
I've tried to do this on the PIX:
(a) outside interface IP: 10.1.2.62
(b) access-list: permit 10.100.100.0./24 to 172.30.1.0/24
(c) static (inside, outside) 10.100.100.1 to 172.30.1.1
To recap: what I want to accomplish is this:
I am handed th WAN IP address(10.1.2.61) and a range of other IPs for incoming(10.100.100.x). This range of IPs (10.100.100.x) need to be mapped one to one to the inetrnal IPs to established connection. And no, I can't have a range IPs that can be assigned to the outside interface directly.
Can this be done at all?
Let's see if I understand:
From the PIX perspective:
Inside network is 172.30.1.x
Outside IP is 10.1.2.62
You need to translate connections pointing to 10.100.100.x to 172.30.1.x
static (in,out) 10.100.100.1 172.30.1.1.
access-list 101 permit ip any 10.100.100.0 255.255.255.0
access-group 101 in interface outside
The above will work if the destination address of the incoming requests are 10.100.100.x and you
just want to NAT those address to your internal 172.30.1.x
There should be a route on the next-hop on the outside of the ASA to route 10.100.100.x to the ASA
Now, if I understand correctly the 10.100.100.x is the destination range correct?
Or is the source range from where the packets will be coming from?
From the Pix:outside IP is: 10.1.2.62, inside IP is: 192.168.1.1. The network 172.30.1.x can be reached via another router.
Client will come from IPs: 10.90.90.x. They will connect to 10.100.100.x addresses.
Example: client (10.90.90.1) initial connection via web broswer, addr: 10.100.100.1. Once the packet reaches the PIX, 10.100.100.1 will need to be translated to 172.30.1.1 and be routed further inside the network (the routes within the network all works fine, I am sure of that).
For incoming: 10.100.100.1 -> 172.30.1.1
10.100.100.2 -> 172.30.1.2, so forth and so on.
Once I have the static statement and accessl-list, do I still need to have other statement(s)?
From my original post, after doing what I described, clients sometimes can connect and sometime there's no reponse. I am thinking either:
(1) it won't work at all since the pix outside interface is on 10.1.2.61 and can't listen on 10.100.100.x (or the access-list permit statment takes care of that?)
(2) Othe than the access-list, static statement, I may be missing others.
Can you tell me what's the behavior in this case on the way back to the client since I don't have any other statement, other than:
global (outside) 1 10.1.2.62 (the outside interface) and I don't have any NAT statement.
Thank you. Appreciate it.
P.S. I wish I have a copy of the config with me at home but I don't.
nat (outside) 2 10.100.100.0 255.255.255.0 outside
global (inside) 2 172.30.1.1
will PAT all the 10.100.100.x addresses to 172.30.1.1 on the inside of your pix.
If you want to do 1-1 mappings -
static (outside,inside) 172.30.1.1 10.100.100.1 netmask 255.255.255.255
but you will need to setup a static for each 10.100.100.x address you want to translate and you will need a different 172.30.1.x address for each static translation.
Is this what you want ?
If you have a static NAT like this:
static (inside, outside) 10.100.100.1 to 172.30.1.1
Then incoming and outgoing traffic will be translated between 172.30.1.1 and 10.100.100.1
You don't need an additional NAT statement for outgoing traffic.
The issue here, is that the PIX outside is not on the 10.100.100.x range.
But this can be solve if having an appropiate route pointing to the outside of the PIX to 10.100.100.x
If you say that sometimes work, I assume the configuration is fine.
What's exactly the problem that you're having? That sometimes the clients won't connect?
From what you explained, it should work but the behavior is that the web app. we are running internally some time works perfectly and some time clients get reponses from the broiwser as connection not found or some sort (sorry don't remember exactly, but the standard IE reponse). The happens across the board so not client machine specific.
If I just do port forward only, it woks perfectly but than I can only reach one server. Clients need to reach quite a few internal servers. So, port forward is out.
You can try this, I use something similiar for site to site overlap, but it should work for this case as well:
access-list policy-nat-10.100.100.x ext permit ip 172.30.1.0 255.255.255.0 10.90.90.0 255.255.255.0
static (inside,outside) 10.100.100.0 access-list policy-nat-10.100.100.x
As others have mentioned, you'll still need to permit http access to 10.100.100.0 255.255.255.0 to permit the traffic inbound.