Cisco Support Community

New Member

Identity NAT - Lower to Higher

Having searched through the forums it appears that Identity NAT is what I'm looking for, but could anyone confirm?

I have a server accessible via a wan connection on a dmz. I want the internal users to access that server via an INTERNAL lan address.

e.g. static (dmz,inside) 10.1.1.100 200.1.1.100 netmask 255.255.255.255 0 0 - (assuming 10.1.1.0 is lan and 200.1.1.0 is network via the wan)

Will this work, and are there any conditions (nat/nonat etc.)?

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: Identity NAT - Lower to Higher

Hi,

Your initial post was on the right track. What you need to configure is the d-nat on the inside interface so that it translates the destination address from the higher to the lower security interface. If your server IP address is 20.1.1.1 and you want to reach the server using 10.1.1.100, which is your internal IP address, then your static should look like this:

static (dmz,inside) 10.1.1.100 20.1.1.1 netmask 255.255.255.255

Thanks,

Mynul

13 REPLIES
New Member

Re: Identity NAT - Lower to Higher

New Member

Re: Identity NAT - Lower to Higher

Hello Michael

Thanks for the reply. Unfortunately the customer insists that the internal addresses are hidden from the dmz (as the server is a 3rd party financial feed).

New Member

Re: Identity NAT - Lower to Higher

Your static looks good. This will work.

New Member

Re: Identity NAT - Lower to Higher

I believe that would be

Sorry, misread this before my last response.

With static, the PIX will proxy arp on the "global" interface. In the beginning :) , it (static) only had (inside,outside)

static (inside,dmz) 200.1.1.100 10.10.10.10 netmask 255.255.255.255

The innermost interface is listed first. The outermost address is listed first.

From the Commands Ref:

static [(local_ifc,global_ifc)] {global_ip | interface} {local_ip [netmask mask] |

New Member

Re: Identity NAT - Lower to Higher

Ignore part of my posting. However, I was under the impression that there was no (dmz,inside) option and it could only be (inside,dmz), and that you could use the alias command to hit an outside address with a request to an inside address.

I will have to see if I can get to a lab pix and test.


New Member

Re: Identity NAT - Lower to Higher

Myrul,

Are you saying that you can now have static(dmz, inside)? I only had a 5.2 box to test it on yesterday and got an error indicating you couldn't have (dmz, inside). My understanding has always been that the innermost interface must be listed first, since static is used to make the innermost hosts visible to the outer network.

Additionally, the alias command will permit the user to hit an inside address to connect to an outside one.

From the 6.2 Commands ref for "alias" under usage guidelines

The alias command translates one address into another. Use this command to prevent conflicts when you have IP addresses on a network that are the same as those on the Internet or another intranet. You can also use this command to do address translation on a destination address. For example, if a host sends a packet to 209.165.201.1, you can use the alias command to redirect traffic to another address, such as, 209.165.201.30.

New Member

Re: Identity NAT - Lower to Higher

Michael

You're correct in saying the alias cmd will do the job. However, although I couldn't find any documented examples, Myrul's guidance is also correct, i.e. higher/lower natting.

Many thanks

Nigel

New Member

Re: Identity NAT - Lower to Higher

Nigel,

Can you confirm that you were able to configure it to say "static(dmz,inside)"? When I tried this I got an error message.

Thanks,

Michael

New Member

Re: Identity NAT - Lower to Higher

Michael

Yes, that's correct - but I needed to upgrade to 6.3 (I think 6.2 supports it though)

static (fwdmz,inside) 10.100.1.25 172.31.250.2 netmask 255.255.255.255 0 0

Where the 10.x.x.x is the internal LAN.

Regards

Nigel

New Member

Re: Identity NAT - Lower to Higher

The 6.2 Static Command is documented as

static(internal-interface-name, external-interface-name), so this doesn't look correct, since the internal interface would be listed first. Of course, if you list it first, the proxy arp is done on the DMZ, and you are trying to get the pix to reply to arps on the inside for the inside address.

Again, I think you need "alias" for this.

alias (inside) 10.1.1.100 200.1.1.1 255.255.255.255

Any request someone on the inside makes for 10.1.1.100, PIX will proxy arp and forward to 200.1.1.1 255.255.255.255

New Member

Re: Identity NAT - Lower to Higher

Thanks Mynul

I've tried this and it works OK!

Nigel

Silver

Re: Identity NAT - Lower to Higher

Nigel et al,

Thanks for the update. I am glad that it's working for you. This feature was introduced in 6.2 code and can be configured as a replacement for the alias command.

Thanks,

Mynul
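Pulling the thread's outcome together as an added configuration example (this is not from any of the posts above and was not written or tested by the participants): a PIX 6.3 fragment using the (dmz,inside) static from the accepted answer so that inside hosts reach the DMZ server through an inside address. The interface names, security levels, the inside network 10.1.1.0/24, and the DMZ interface address 20.1.1.254 are assumptions extended from the addresses used in the thread; the server address 20.1.1.1 and the inside-visible address 10.1.1.100 are the accepted answer's. The nat/global pair at the end is also an assumption: the thread does not settle the customer's requirement that the DMZ server never sees real inside addresses, and the static alone only rewrites the destination, so source translation is added for that. Comment lines starting with `!` are for the reader; strip them before pasting into a PIX.

```cisco
! Added example, not from the thread. PIX 6.3 syntax; the (dmz,inside)
! static needs 6.2 or later, as confirmed in the thread.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 10.1.1.1 255.255.255.0
! assumed DMZ interface address
ip address dmz 20.1.1.254 255.255.255.0

! Destination NAT from the accepted answer: a packet from an inside host to
! 10.1.1.100 has its destination rewritten to the DMZ server 20.1.1.1 and
! is forwarded out the dmz interface. Inside (security100) to dmz
! (security50) is higher-to-lower, so no access-list is needed for this
! direction. Pre-6.2 equivalent from the thread:
!   alias (inside) 10.1.1.100 20.1.1.1 255.255.255.255
static (dmz,inside) 10.1.1.100 20.1.1.1 netmask 255.255.255.255 0 0

! The static above does not touch the source address, so the DMZ server
! would still see real 10.1.1.x hosts. To hide them (the customer
! requirement raised in the thread), translate the source as well: inside
! hosts appear to the server as the dmz interface address. This nat/global
! pair is an assumption, not part of the accepted answer.
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
global (dmz) 1 interface
```

With both translations in place, an inside host connecting to 10.1.1.100 reaches 20.1.1.1, and the server logs the connection as coming from 20.1.1.254 rather than from the inside host. Neither line opens the reverse direction: the DMZ server (the third-party feed) still cannot initiate connections into the inside network without an explicit access-list on the dmz interface and a translation for the inside hosts, which is the behaviour you want for a lower-trust server.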
