bidirectional nat

tvanginneken
Level 4

Hi,

I want to do the following:

Configure pat for my internal network and also configure pat for connections originating for the outside to the inside.

So I want to hide outgoing connection behind an IP address in the range of the outside interface of the PIX (eg 10.1.1.2). I also want to hide incoming connection(initiated from the outside) behind an IP address in the range of the inside interface of the pix (eg 192.168.1.2).

The inside network is 192.168.1.0/24

The outside network is 10.1.1.0/24

For the pat from the inside to the outside I use these commands: (works fine)

nat (inside) 1 192.168.1.0 255.255.255.0

global (outside) 1 10.1.1.2 netmask 255.255.255.255

Which commands do I have to use for the pat from the outside to the inside, assuming I want to use 192.168.1.2 as the hiding address.

Is it something like this?: (I tried this but it's not working)

nat (outside) 2 0.0.0.0 0.0.0.0 outside

global (inside) 2 192.168.1.2 netmask 255.255.255.255

Kind Regards,

Tom

7 Replies

l.mourits
Level 5

What you want is to enable users to initiate sessions from outside to inside using a hiding address? Ok, it's possible, and in fact very simple to configure.

You should remember that there's a difference in initiating from inside to outside compared to outside to inside.

If initiating from higher level security to lower level security you have to use appropriate nat and global statements (this is what you knew, as you have this working *grin*).

On the other end, if initiating from lower level security to higher level security you have to use appropriate static commands and an appropriate access-list.

(guess you didn't know that yet)

You did not provide the internal addresses of the servers you want to be reachable from the outside via PAT, nor the protocols that you want to be PAT'ed, so I'm taking the following as an example for the config:

Server1 on the inside with IP address 10.1.1.100 runs a webserver and has to be reached via HTTP, Server2 with IP address 10.1.1.200 runs mail services and has to be reached via SMTP from the outside.

This said, this is an example of what your config could look like:

static (inside,outside) tcp 192.168.1.2 80 10.1.1.100 80 netmask 255.255.255.255

static (inside,outside) tcp 192.168.1.2 25 10.1.1.200 25 netmask 255.255.255.255

Is this what you were looking for?

Regards,

Leo
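The following is an added configuration example (not Leo's, Tom's or Cisco's own config) that puts the two halves Leo describes side by side in PIX 6.x syntax: nat/global for sessions initiated from the higher-security inside interface, and static plus access-list/access-group for sessions initiated from the lower-security outside interface. It assumes Tom's addressing (inside 192.168.1.0/24 on the PIX inside address 192.168.1.1, outside 10.1.1.0/24 on the PIX outside address 10.1.1.1, outbound PAT address 10.1.1.2) and two assumed inside servers, 192.168.1.100 (HTTP) and 192.168.1.200 (SMTP), published on the assumed outside address 10.1.1.3. Note that this is the usual inbound publication of inside servers; it does not rewrite the source address of incoming connections to an inside address, which is what Tom later clarifies he is after.

```text
! Added example, PIX 6.x syntax. Interface and address values are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 10.1.1.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

! Inside -> outside (higher to lower security): dynamic PAT.
! Every inside host is hidden behind the single outside address 10.1.1.2.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 10.1.1.2 netmask 255.255.255.255

! Outside -> inside (lower to higher security): static port translations.
! Only the two published ports are mapped; the rest of the servers stay unreachable.
! Server addresses 192.168.1.100/192.168.1.200 and outside address 10.1.1.3 are assumed.
static (inside,outside) tcp 10.1.1.3 80 192.168.1.100 80 netmask 255.255.255.255
static (inside,outside) tcp 10.1.1.3 25 192.168.1.200 25 netmask 255.255.255.255

! The static creates the translation but does not by itself allow the
! lower-security interface to initiate traffic; the access-list does that,
! and it permits only the two published services (least privilege).
access-list outside_in permit tcp any host 10.1.1.3 eq www
access-list outside_in permit tcp any host 10.1.1.3 eq smtp
access-group outside_in in interface outside
```

After applying it, `show xlate` lists the two static translations plus the dynamic PAT entries created by inside hosts, and `show conn` shows which side built each connection, which is the quickest way to confirm that the inbound and outbound translations are not stepping on each other.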

Hi Leo,

thanks for the quick reply.

Sorry, but this is not what I'm really looking for.

All the static commands were already in place; that's not the problem.

I want to change the source address of the incoming IP packets that connect to my internal servers (mail server, webserver).

I know it's an unusual setup, but that's what the customer wants.

Kind Regards,

Tom

Hi Tom,

(I already could not imagine you asking such a simple thing, as one of the pros in here *big grin*)

I've read some stuff a while ago that it should be possible, and even a Cisco engineer told me it was possible (forgot his name *sigh*), but I can't find it either. If I find something I'll let you know.

Kind Regards,

Leo

Hi Leo,

the outbound PAT worked perfectly. But once I add the inbound PAT, only the inbound PAT works ok and the outbound PAT stops working.

Thanks anyway for your time!!

Regards,

Tom

Hi Tom,

Just looked in my old bookmarks and found the document on CCO about the bi-directional NAT, it's located at:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml#topic12

But as I read this document on CCO this is still not what you're looking for. You have to have PAT on both packets travelling from inside to outside and packets travelling from outside to inside.

I don't know if it is possible, but I don't think so.

Problem is of course that if a packet arrives from inside to outside, a new entry is created in the xlate table, and this one will be looked up and probably used if the packet returns. The statements you use for the bi-directional NAT are correct, but I think the normal PAT statements are conflicting.

Only solution IMHO is to use a second PIX and separate the two processes.

This should work, I guess.

What I am wondering on this one is in what order things are handled in the PIX, because that might give a direction for a solution. So, maybe one of the Cisco guys can be of any help here (anybody?). I cannot find anything about the order of operation on the PIX, besides the provided URL, which briefly says some things.

I'm curious too about this one, so I'll be checking this topic on a regular basis

:-)))

Leo

Hi,

does anyone else out there know if bidirectional PAT will work?

I want to hide outgoing connections (initiated from the inside) behind an outside IP address and I want to hide incoming connections (initiated from the outside) behind an inside IP address.

Kind Regards,

Tom

Hi Tom -

Just a thought as I've just read your posts, have you read the following document:

> http://www.cisco.com/warp/public/707/28.html

Hope this helps,
