07-01-2003 02:29 AM - edited 03-09-2019 03:52 AM
Hi,
I want to do the following:
Configure PAT for my internal network and also configure PAT for connections originating from the outside to the inside.
So I want to hide outgoing connections behind an IP address in the range of the outside interface of the PIX (eg 10.1.1.2). I also want to hide incoming connections (initiated from the outside) behind an IP address in the range of the inside interface of the PIX (eg 192.168.1.2).
The inside network is 192.168.1.0/24
The outside network is 10.1.1.0/24
For the pat from the inside to the outside I use these commands: (works fine)
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 10.1.1.2 netmask 255.255.255.255
Which commands do I have to use for the PAT from the outside to the inside, assuming I want to use 192.168.1.2 as the hiding address?
Is it something like this? (I tried this but it's not working)
nat (outside) 2 0.0.0.0 0.0.0.0 outside
global (inside) 2 192.168.1.2 netmask 255.255.255.255
Kind Regards,
Tom
07-01-2003 03:12 AM
What you want is to enable users to initiate sessions from outside to inside using a hiding address? Ok, it's possible, and in fact very simple to configure.
You should remember that there's a difference in initiating from inside to outside compared to outside to inside.
If initiating from higher level security to lower level security you have to use appropriate nat and global statements (this is what you knew, as you have this working *grin*).
On the other end, if initiating from lower level security to higher level security you have to use appropriate static commands and an appropriate access-list.
(guess you didn't know that yet)
You did not provide the internal addresses of the servers you want to be reachable from the outside via PAT, nor the protocols that you want to be PAT'ed, so I'm taking the following as an example for the config:
Server1 on the inside with IP address 10.1.1.100 runs a webserver and has to be reached via HTTP, Server2 with IP address 10.1.1.200 runs mail services and has to be reached via SMTP from the outside.
This said, this is an example of what your config could look like:
static (inside,outside) tcp 192.168.1.2 80 10.1.1.100 80 netmask 255.255.255.255
static (inside,outside) tcp 192.168.1.2 25 10.1.1.200 25 netmask 255.255.255.255
Is this what you were looking for?
Regards,
Leo
07-01-2003 03:47 AM
Hi Leo,
thanks for the quick reply.
Sorry, but this is not what I'm really looking for.
All the static commands were already in place, that's not the problem.
I want to change the source address of the incoming IP packets that connect to my internal servers (mail server, webserver).
I know it's an unusual setup, but that's what the customer wants.
Kind Regards,
Tom
07-01-2003 06:09 AM
Hi Tom,
(I already could not imagine you asking such a simple thing, as one of the pros in here *big grin*)
I've read some stuff a while ago that it should be possible, and even a Cisco engineer told me it was possible (forgot his name *sigh*), but I can find it also. If I find something I'll let you know.
Kind Regards,
Leo
07-01-2003 06:14 AM
Hi Leo,
the outbound PAT works perfectly. But once I add the inbound PAT, only the inbound PAT works ok and the outbound PAT stops working.
Thanks anyway for your time!!
Regards,
Tom
07-01-2003 06:40 AM
Hi Tom,
Just looked in my old bookmarks and found the document on CCO about the bi-directional NAT, it's located at:
But as I read this document on CCO this is still not what you're looking for. You have to have PAT on both packets travelling from inside to outside as well as packets travelling from outside to inside.
I don't know if it is possible, but I don't think so.
Problem is of course that if a packet arrives from inside to outside, a new entry is created in the xlate table, and this one will be looked up and probably used if the packet returns. The statements you use for the bi-directional NAT are correct, but I think the normal PAT statements are conflicting.
Only solution IMHO is to use a second PIX and separate the two processes.
This should work, I guess.
What I am wondering on this one is in what order things are handled in the PIX, because that might give a direction for a solution. So, maybe one of the Cisco guys can be of any help here (anybody?). I cannot find anything about the order of operation on the PIX, besides the provided URL, which briefly says some things.
I'm curious too about this one, so I'll be checking this topic on a regular basis
:-)))
Leo
07-01-2003 07:25 AM
Hi,
does anyone else out there know if bidirectional PAT will work?
I want outgoing connections (initiated from the inside) to hide behind an outside IP address and I want incoming connections (initiated at the outside) to hide behind an inside IP address.
Kind Regards,
Tom
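The configuration Tom describes, written out for his addressing as an added example (it is not from the thread or from Cisco documentation). It assumes PIX 6.2 or later, where the `outside` keyword on `nat` enables outside NAT, and the server addresses 192.168.1.80 / 192.168.1.25 with mapped addresses 10.1.1.80 / 10.1.1.25 are constructed.

```cisco
: Constructed example for Tom's layout: inside 192.168.1.0/24, outside
: 10.1.1.0/24. The hiding addresses 10.1.1.2 and 192.168.1.2 belong to
: the PIX translations and must not be assigned to any host.
:
: 1. Outbound PAT (the part Tom reports as working): inside sources are
:    rewritten to 10.1.1.2 on the way out.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 10.1.1.2 netmask 255.255.255.255
:
: 2. Servers published to the outside (Leo's static approach). The mapped
:    addresses 10.1.1.80 / 10.1.1.25 are constructed; the PIX answers ARP
:    for them on the outside segment.
static (inside,outside) tcp 10.1.1.80 80 192.168.1.80 80 netmask 255.255.255.255
static (inside,outside) tcp 10.1.1.25 25 192.168.1.25 25 netmask 255.255.255.255
:
: 3. A static alone does not admit traffic from the lower-security side.
:    The inbound access-list names the mapped (outside-visible) address
:    and permits only the published ports.
access-list outside_in permit tcp any host 10.1.1.80 eq www
access-list outside_in permit tcp any host 10.1.1.25 eq smtp
access-group outside_in in interface outside
:
: 4. Outside NAT (PIX 6.2+): the source of every inbound connection is
:    rewritten to 192.168.1.2 before it reaches the server, so the server
:    logs show the PIX, not the real client. Whether this pair coexists
:    with step 1 is the open question of the thread: Tom reports that
:    outbound PAT stops once these two lines are added.
nat (outside) 2 0.0.0.0 0.0.0.0 outside
global (inside) 2 192.168.1.2 netmask 255.255.255.255
:
: After changing nat/global/static: clear xlate, then use show xlate to
: confirm one translation per direction and show conn for live sessions.
```

Because outside NAT hides the real client address from the servers, the PIX syslog becomes the only record of who connected; keep logging enabled before relying on this setup.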
07-01-2003 08:03 AM
Hi Tom -
Just a thought as I've just read your posts, have you read the following document:
http://www.cisco.com/warp/public/707/28.html
Hope this helps,