I have a customer that has a peculiar situation that requires a static NAT to a host on a subnet remote to the inside of the PIX. This remote host has a static route back to the PIX but it uses a DIFFERENT default route. This creates the problem: the original public IP address remains as the source address in the IP header through the translation on the PIX. The remote host, when replying to the request, always attempts to respond back out through its default route, not back throught the WAN because the source address in the IP header is the public address of the original sender, not the private address of the PIX. Is there any way I can replace the original public source address with the inside interface of the PIX or some other inside address?
Have you considered configuring bi-directional NAT in this case? This was a new feature added in 6.2 (I think) that allows you to NAT the source address of packets going from a less secure interface to a more secure interface (opposite of what you would normally think of). You would then need to create a static route on the host pointing back to the PIX for the address that you NAT the external packet to. Check the command ref in 6.3 for the syntax and post back your questions if you have any.
Not a bad suggestion but it looks like all of the documentation points to mapping an explicit public address to an explicit private one. This would replace the original source address but the source could be any address on the Internet so that wouldn't work for me. I'm still going to play with the settings and see if I can't get something of a PAT process going in reverse. I'm also going to try port-redirection to see if that modifies the original source address. Any further suggestions or ideas are still most welcome!
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...