Destination NAT on inside interface of PIX to DMZ host
I wonder if there is a solution to this problem. I have a single host in a DMZ, 192.168.9.6/29, with a 515 PIX at 192.168.9.1/29, and 172.30.7.250/24 on the internal interface. There is also an external I/F, but it is irrelevant to the problem.
I want all users on my internal network to see this host at 172.30.7.249. I want the PIX to proxy ARP for this address and NAT the destination to 192.168.9.6. The PIX then delivers the traffic to the DMZ host. The host responds, and again the PIX NATs the response packet, putting 172.30.7.249 as the source IP of the response. I tried doing this with

    static (dmz,inside) 172.30.7.249 192.168.9.6 netmask 255.255.255.255 0 0

but it doesn't work because the PIX didn't appear to even proxy ARP for the internal address. Nothing appears in the log. So I added

    alias (inside) 192.168.9.6 172.30.7.249 255.255.255.255

Now it still doesn't work, but I get log entries when I try to ping the DMZ server from an Inside switch...