I have one PIX 506E and I have to do the following. Can anyone please help me out? A little understanding of NAT / translation would be great.
1. The PIX 506E is connected on its outside interface to a 2600 router; this router is connected to a gateway in a telecom exchange (which is actually my destination to reach through this PIX).
2. The inside interface of the PIX 506E is connected to the internal LAN.
3. The administrator of this router (with whom we will establish communication by reaching their gateway eventually) has given me 4 IPs from his network side, say IP_Z, which I have to configure on my PIX so that when my servers try to reach his gateway he will not see my internal LAN IPs but will see the IP_Z which he has given me. According to him I am supposed to do a translation from the internal LAN IP to IP_Z.
Now I have configured the PIX so that when I ping his router from the PIX I get success, and I can ping the gateway which is in the exchange from my PIX. For this I just created a route on the PIX:
route outside 0.0.0.0 0.0.0.0 IP_Gateway
Coming back to the question, I created a static route on the PIX
but when I try to ping from my server to the outside interface IP of the PIX, which has an IP address from the same subnet as the interface of his router that is connected to the PIX outside interface (I hope it's clear), I get no response, and the results are the same when I try to ping the gateway from my server. Do I need to apply an access-list allowing it? I know for ICMP I have to allow it, since a lower-security interface cannot access a high-security interface.
In short, what I want is this: on a PIX 506E, what is the config to make the inside address / inside LAN traffic, say 10.10.1.1, leave the outside as 172.16.1.1? I also need traffic coming into the outside interface destined for 172.16.1.1 to translate to 10.10.1.2.
Ping is not a stateful protocol. To allow pings from the inside to the outside interface you need to create an access-list. If you want to ping the same interface that you are physically connected to, you need to configure the "icmp" command.
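The translation asked for in the question and the ICMP handling described in the reply above, as an added configuration example that is not part of the original thread. It assumes PIX 6.x syntax; IP_Z_FIRST, IP_Z_LAST and IP_Z_MASK are placeholders for the four IP_Z addresses and their netmask, and the access-list name outside_in is an assumption.

```cisco
! Constructed PIX 6.x example. IP_Z_FIRST, IP_Z_LAST and IP_Z_MASK are
! placeholders; the ACL name outside_in is an assumption.

! Dynamic translation: inside hosts leave the outside interface with a
! source address taken from the IP_Z pool. A pool of four addresses
! serves four inside hosts at a time.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 IP_Z_FIRST-IP_Z_LAST netmask IP_Z_MASK

! ICMP through the PIX is not tracked like a TCP connection, so replies
! to pings sent by inside hosts arrive on the lower-security outside
! interface and must be permitted explicitly.
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-group outside_in in interface outside

! Pings addressed to the PIX's own interfaces are controlled by the
! "icmp" command, not by access-lists. The PIX answers only on the
! interface the packet arrives on, so an inside host can ping the
! inside interface but never the outside interface address.
icmp permit any echo inside
icmp permit any echo-reply outside
icmp permit any unreachable outside
```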
Thanks Patrick, but I believe I need a little more assistance, because I don't get it. I am pinging from the machine inside the PIX, meaning 220.127.116.11 (machine IP), to 10.10.1.1 (PIX outside interface) but I can't. I have even applied the access-list as you told me to.
access-list 101 permit icmp any host 10.10.1.1 echo
access-list 101 permit icmp any host 10.10.1.1 echo-reply
access-list 101 permit icmp any host 10.10.1.1 source-quench
access-list 101 permit icmp any host 10.10.1.1 unreachable
access-list 101 permit icmp any host 10.10.1.1 time-exceeded
access-group 101 in interface outside
But everything has gone in vain. If I ping the inside interface of the PIX (172.16.1.1.2) from the same machine 172.16.1.4, I can do it without a problem, and I am pinging without any access-list at all. I also have NAT
Hi Patrick, could you please tell me: is it possible to have a dynamic outside NAT without having a static inside,outside? Is it possible? How to achieve bi-directional NAT, I mean dynamic inside NAT and dynamic outside NAT? Is it possible? Please help.