Configure PAT for my internal network and also configure PAT for connections originating from the outside to the inside.
So I want to hide outgoing connections behind an IP address in the range of the outside interface of the PIX (e.g. 10.1.1.2). I also want to hide incoming connections (initiated from the outside) behind an IP address in the range of the inside interface of the PIX (e.g. 192.168.1.2).
The inside network is 192.168.1.0/24
The outside network is 10.1.1.0/24
For the PAT from the inside to the outside I use these commands (works fine):
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 10.1.1.2 netmask 255.255.255.255
Which commands do I have to use for the PAT from the outside to the inside, assuming I want to use 192.168.1.2 as the hiding address?
Is it something like this? (I tried this but it's not working):
nat (outside) 2 0.0.0.0 0.0.0.0 outside
global (inside) 2 192.168.1.2 netmask 255.255.255.255
What you want is to enable users to initiate sessions from outside to inside using a hiding address? OK, it's possible, and in fact very simple to configure.
You should remember that there's a difference in initiating from inside to outside compared to outside to inside.
If initiating from higher level security to lower level security you have to use appropriate nat and global statements (this is what you knew, as you have this working *grin*).
On the other hand, if initiating from lower level security to higher level security you have to use appropriate static commands and an appropriate access-list.
(guess you didn't know that yet)
You did not provide the internal addresses of the servers you want to be reachable from the outside via PAT, nor the protocols that you want to be PAT'ed, so I'm taking the following as an example for the config:
Server1 on the inside with IP address 10.1.1.100 runs a webserver and has to be reached via HTTP, Server2 with IP address 10.1.1.200 runs mail services and has to be reached via SMTP from the outside.
This said, this is an example of what your needed config could look like:
But as I read this document on CCO, this is still not what you're looking for. You have to have PAT on both packets travelling from inside to outside as well as packets travelling from outside to inside.
I don't know if it is possible, but I don't think so.
The problem is of course that if a packet arrives, from inside to outside, a new entry is created in the xlate table, and this one will be looked up and probably used if the packet returns. The statements you use for the bi-directional NAT are correct, but I think the normal PAT statements are conflicting.
The only solution IMHO is to use a second PIX and separate the two processes.
This should work, I guess.
What I am wondering about on this one is in what order things are handled in the PIX, because that might give a direction for a solution. So, maybe one of the Cisco guys can be of help here (anybody?). I cannot find anything about the order of operation on the PIX besides the provided URL, which briefly says some things.
I'm curious about this one too, so I'll be checking this topic on a regular basis.
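The rule stated in the thread (nat/global for sessions initiated from the higher-security side, static plus access-list for sessions initiated from the lower-security side) is illustrated below as an added example; it is not a configuration posted by any participant. It uses PIX 6.x syntax and the question's addressing; the server addresses 192.168.1.100 and 192.168.1.200, the mapped address 10.1.1.3 and the ACL name are assumptions. It publishes inside servers on an outside address and does not hide the source address of outside clients, which the thread leaves unresolved.

```text
: Added example (constructed). Server addresses, the mapped address 10.1.1.3
: and the ACL name acl_outside_in are hypothetical.

: Inside to outside (higher to lower security): nat + global, as in the question.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 10.1.1.2 netmask 255.255.255.255

: Outside to inside (lower to higher security): static port redirection.
: Each line maps one outside address/port to one inside server/port.
static (inside,outside) tcp 10.1.1.3 www 192.168.1.100 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 10.1.1.3 smtp 192.168.1.200 smtp netmask 255.255.255.255 0 0

: Permit only the published ports on the mapped address; all other
: outside-initiated traffic remains denied by default.
access-list acl_outside_in permit tcp any host 10.1.1.3 eq www
access-list acl_outside_in permit tcp any host 10.1.1.3 eq smtp
access-group acl_outside_in in interface outside
```

Keeping the access-list scoped to the mapped host and the two service ports limits outside exposure to exactly what the statics publish; `show xlate` and `show access-list` show the resulting translations and hit counts.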