Cisco Support Community
New Member

NAT from outside to inside

Hi all!

I need to set up NAT from outside to inside on a PIX 506E running OS 6.2(2). The traffic arrives at the outside interface via an IPSec tunnel. After decryption the source address of the packets is in the 192.168.201.0/24 subnet. Some of these packets are destined for a host with IP address 10.111.130.55, port 6004, behind the inside interface. This host needs to see the source address 10.111.130.86, so the source addresses of those incoming packets must be translated to 10.111.130.86. The rest of the incoming packets must not be translated. How can I filter the NAT on the 506E?

Cheers,

Gabor

3 REPLIES
Silver

Re: NAT from outside to inside

http://www.cisco.com/warp/customer/707/28.html#topic12

You'll need 6.2, but I think this is exactly what you are trying to achieve.

Matt

New Member

Re: NAT from outside to inside

Hi Matt, I have seen this documentation, and it is very useful if you do not use IPSec. With IPSec it doesn't work. The procedure on the PIX should be the following:

1. IPSec traffic arrives at the outside interface and is decrypted.

2. The source address of some of the decrypted packets must be translated (NAT) to a specific internal IP address; the rest of the packets need no translation.

3. All the packets leave the PIX through the inside interface.

Anyway, how does access-list 101 in the documentation work? It works, but I cannot understand how. The source and the destination network are the same:

access-list 101 permit ip 209.165.202.0 255.255.255.0 209.165.202.0 255.255.255.0

Silver

Re: NAT from outside to inside

That might be the case: after decrypting packets from the outside interface, the PIX might then place them directly on the inside interface and not give it a chance to NAT.

The access-list/conduit is there to allow those hosts in. In the example, 209.165.202.140 and .141 are globals assigned to the PIX. To allow communication to them, ports must be opened, because the PIX is the device in the ARP cache for them on that subnet: the other machines on that subnet talk to .140 and .141 as if they were on the same subnet, while they are really behind the PIX.
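As an added illustration (not part of the thread, and not something the posters verified on the 506E): the nat/global form of outside NAT on PIX 6.x, written with the addresses from the question. The trailing "outside" keyword on the nat command is what turns on outside NAT, which is why the first reply says 6.2 is required. The access-list on a numbered nat id is policy NAT, which arrived in PIX 6.3; 6.2 only accepts an access-list on nat 0 (exemption), so on 6.2 the selection can only be by source subnet, not by destination host and port. The ACL names are made up, and the service is assumed to be TCP.

```text
! Added example, not from the original thread. PIX 6.3 policy-NAT syntax.
!
! 1. Exempt everything from the VPN subnet that must NOT be translated. The PIX
!    evaluates nat 0 access-list (exemption) before policy NAT, so the flows that
!    are meant to be translated have to be denied here or they will never be NATed.
access-list VPN_NO_NAT deny   tcp 192.168.201.0 255.255.255.0 host 10.111.130.55 eq 6004
access-list VPN_NO_NAT permit ip  192.168.201.0 255.255.255.0 10.111.130.0 255.255.255.0
nat (outside) 0 access-list VPN_NO_NAT outside
!
! 2. Select only the flows that must be translated: VPN subnet -> 10.111.130.55 tcp/6004.
!    (Assumption: the application uses TCP; change to udp if it does not.)
access-list VPN_TO_6004 permit tcp 192.168.201.0 255.255.255.0 host 10.111.130.55 eq 6004
nat (outside) 1 access-list VPN_TO_6004 outside
!
! 3. A single global address means PAT: every selected flow is seen by the inside
!    host as coming from 10.111.130.86. The PIX answers ARP for that address on the
!    inside segment (the point made about .140/.141 above), so no real host may use it.
global (inside) 1 10.111.130.86
```

When checking this on the box, "show xlate" should list translations only for connections to 10.111.130.55 port 6004, and "show nat" / "show global" should show the id 1 entries on the expected interfaces; if the translated flows appear untranslated, the exemption ACL is most likely still matching them.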
