Cisco Support Community
New Member

Bi-directional NAT

Hi all,

I read in the 6.22 release notes that bi-directional NAT is implemented on the PIX Firewall; has anybody tried it? This is my test, but it doesn't work. Can you help me?

LAN inside  10.0.0.0/16
LAN outside 20.0.0.0/16

              inside                    outside
| PC | ---------------- | PIX | ---------------- | PC |
10.0.0.2        10.0.0.1        20.0.0.1        20.0.0.2

nat (outside) 1 20.0.0.2 255.255.255.255 0 0
global (inside) 1 10.0.0.3
access-list acl_in permit ip any any
access-list acl_in permit icmp any any
access-group acl_in in interface inside
access-list acl_out permit icmp any any
access-list acl_out permit ip any any
access-group acl_out in interface outside

Marco

4 REPLIES

New Member

Re: Bi-directional NAT

Marco,

I believe you still need to translate your inside address using NAT or a static translation. You would probably want a static translation such as:

static (inside,outside) 10.0.0.2 10.0.0.2 netmask 255.255.255.255

See http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml#trust for more information.

Cisco Employee

Re: Bi-directional NAT

You don't need the static, although you could use one to do this also, but it would be in the reverse direction, as follows:

static (outside,inside) 10.0.0.3 20.0.0.2 netmask 255.255.255.255 0 0

If you want to do it with NAT specifically, then do the following:

nat (outside) 1 20.0.0.2 255.255.255.255 outside

global (inside) 1 10.0.0.3

Note the use of the "outside" keyword on the NAT statement. You need that, even though you've already told it you're NAT'ing on the outside interface. See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/mr.htm#xtocid6 for more details.
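A complete PIX 6.2 configuration for the lab in this thread, added here as a worked example; it is not taken from any of the posts above. It combines the outside NAT with the "outside" keyword from the reply above with the identity static for the inside host from the first reply, so that both the outside source (20.0.0.2 -> 10.0.0.3) and the inside destination (10.0.0.2) have a translation slot, and it ends with the show/clear commands used to verify the result. The interface names, security levels and "ip address" lines are assumptions (the thread only gives the addresses); the colon lines are comments in the style of a PIX saved configuration.

```cisco
: PIX 6.2 lab configuration (added example, assumed interface names)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 10.0.0.1 255.255.0.0
ip address outside 20.0.0.1 255.255.0.0

: Outside NAT: a packet from 20.0.0.2 arriving on the outside interface
: has its source rewritten to 10.0.0.3 before it is forwarded to the
: inside LAN. The trailing "outside" keyword enables this direction.
nat (outside) 1 20.0.0.2 255.255.255.255 outside 0 0
global (inside) 1 10.0.0.3

: Identity translation for the inside host (first reply), so a packet
: from the outside destined to 10.0.0.2 finds a translation for it.
static (inside,outside) 10.0.0.2 10.0.0.2 netmask 255.255.255.255 0 0

: Fixed one-to-one alternative to the nat/global pair (second reply).
: Use either this static or the nat/global pair above, not both.
: static (outside,inside) 10.0.0.3 20.0.0.2 netmask 255.255.255.255 0 0

: Access lists as in the thread; "permit ip any any" already covers ICMP.
: The lab is deliberately wide open; tighten these outside a test bench.
access-list acl_in permit ip any any
access-group acl_in in interface inside
access-list acl_out permit ip any any
access-group acl_out in interface outside

: After changing nat, global or static entries, clear the existing
: translation slots so the new rules apply (this drops active sessions),
: then ping 10.0.0.2 from 20.0.0.2 and inspect the slots.
clear xlate
show nat
show global
show static
show xlate
```

An empty "show xlate" after the test ping usually means the packet never created a slot: check that the translation commands were entered in the running configuration you are testing, that "clear xlate" was run after the change, and use "debug icmp trace" while pinging to see whether the echo request is being translated or dropped on entry.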

New Member

Re: Bi-directional NAT

I read the documentation and in fact I need the 'outside' keyword ... but even though I changed the configuration, the NAT still doesn't work.

I notice that there is no entry when I run show xlate; do you have any idea?!

LAN inside  10.0.0.0/16
LAN outside 20.0.0.0/16

              inside                    outside
| PC | ---------------- | PIX | ---------------- | PC |
10.0.0.2        10.0.0.1        20.0.0.1        20.0.0.2

nat (outside) 1 20.0.0.2 255.255.255.255 outside 0 0
global (inside) 1 10.0.0.3
access-list acl_in permit ip any any
access-list acl_in permit icmp any any
access-group acl_in in interface inside
access-list acl_out permit icmp any any
access-list acl_out permit ip any any
access-group acl_out in interface outside

MARCO
