Cisco Support Community
Community Member

Help with NAT

I do not have an external IP to advertise, and would like to use the outside int IP as the advertised IP towards the Internet. Is the following sufficient for that?

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

5 REPLIES
Community Member

Re: Help with NAT

No, you will also need a

"global (outside) 1 interface" command.

Hares

Community Member

Re: Help with NAT

OK, I have this basic config. When I ping the yahoo.com IP from an internal LAN PC, I see the request and response on the PIX debug, but the pings are not getting back to the PC. Also, from outside I can't access my web server. However, from inside I can get to all web sites.

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Re: Help with NAT

Traffic from a lower security (outside) interface to a higher security (inside) interface has to be explicitly allowed using an ACL. To be able to ping hosts on the Internet from the inside network, you need to permit ICMP echo-replies on the ACL applied on the outside interface. If there's no ACL applied on the outside int, then you need to create an ACL and allow ICMP echo-replies to come in. Moreover, the outside ACL needs to permit HTTP traffic to your web server.

To access your web server from the outside you need a static NAT as well - to map the global to the local IP of the server.

The link below has a configuration example that you may find helpful.

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094ea2.shtml#configs

HTH

Sundar

Community Member

Re: Help with NAT

Hi Sundar,

What I need to do is verify IP connectivity thro' PIX. So I want to pass thro' all the traffic IN and OUT of PIX. I believe the following should take care of it, please confirm.

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-list from_inside permit any any

access-list from_outside permit any any

I am using the external INT IP for PATTING towards the Internet. I am not sure why I need a static map for the web server.

Re: Help with NAT

Yes, it should work but you need to add a couple of things. I am sure you know the access-list needs to be applied to the respective interfaces using the access-group command. For the web server on the inside, you would need to configure a static statement.

HTH

Sundar
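
The pieces listed in the replies above, put together as an added example (not taken from the thread or from the linked Cisco document). It assumes PIX 6.3-style syntax and a made-up inside web server address of 192.168.1.10, and because there is no spare public IP it uses a static PAT on the outside interface address as the "static statement". The outside ACL admits only echo-replies and HTTP to the published port instead of `permit any any`.

```cisco
: Added example. Assumptions: PIX 6.3-style syntax; 192.168.1.10 is a
: constructed inside address for the web server.

: Outbound: PAT every inside host to the outside interface address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

: No ACL is bound to the inside interface: traffic from the higher
: security (inside) to the lower security (outside) interface is allowed
: by default once nat/global are in place.

: Inbound web: a PAT entry only exists for sessions started from inside,
: so an unsolicited connection from outside has nothing to match.
: The static PAT below forwards TCP/80 arriving on the outside interface
: address to the server, and exposes only that one port.
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0

: Outside ACL: replies to pings sent from inside, plus HTTP to the
: published port. Everything else hits the implicit deny at the end.
access-list from_outside permit icmp any any echo-reply
access-list from_outside permit tcp any interface outside eq www

: An ACL does nothing until it is bound to an interface.
access-group from_outside in interface outside

: Checks after applying:
:   show xlate                     (translations in use)
:   show access-list from_outside  (hit counters per entry)
```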
