Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
261
Views
0
Helpful
2
Replies

NAT IP source address

rguyler
Level 1
Level 1

‎01-28-2004 05:22 AM - edited ‎03-09-2019 06:15 AM

I have a customer that has a peculiar situation that requires a static NAT to a host on a subnet remote to the inside of the PIX. This remote host has a static route back to the PIX but it uses a DIFFERENT default route. This creates the problem: the original public IP address remains as the source address in the IP header through the translation on the PIX. The remote host, when replying to the request, always attempts to respond back out through its default route, not back throught the WAN because the source address in the IP header is the public address of the original sender, not the private address of the PIX. Is there any way I can replace the original public source address with the inside interface of the PIX or some other inside address?

Labels:
0 Helpful
2 Replies 2

scoclayton
Level 7
Level 7

‎01-28-2004 08:12 AM

Hi,

Have you considered configuring bi-directional NAT in this case? This was a new feature added in 6.2 (I think) that allows you to NAT the source address of packets going from a less secure interface to a more secure interface (opposite of what you would normally think of). You would then need to create a static route on the host pointing back to the PIX for the address that you NAT the external packet to. Check the command ref in 6.3 for the syntax and post back your questions if you have any.

Scott

0 Helpful

rguyler
Level 1
Level 1
In response to scoclayton

‎01-28-2004 11:14 AM

Not a bad suggestion but it looks like all of the documentation points to mapping an explicit public address to an explicit private one. This would replace the original source address but the source could be any address on the Internet so that wouldn't work for me. I'm still going to play with the settings and see if I can't get something of a PAT process going in reverse. I'm also going to try port-redirection to see if that modifies the original source address. Any further suggestions or ideas are still most welcome!

Rik

0 Helpful
Customers Also Viewed These Support Documents