I have a customer that has a peculiar situation that requires a static NAT to a host on a subnet remote to the inside of the PIX. This remote host has a static route back to the PIX, but it uses a DIFFERENT default route. This creates the problem: the original public IP address remains as the source address in the IP header through the translation on the PIX. The remote host, when replying to the request, always attempts to respond back out through its default route, not back through the WAN, because the source address in the IP header is the public address of the original sender, not the private address of the PIX. Is there any way I can replace the original public source address with the inside interface of the PIX or some other inside address?
Have you considered configuring bi-directional NAT in this case? This was a new feature added in 6.2 (I think) that allows you to NAT the source address of packets going from a less secure interface to a more secure interface (opposite of what you would normally think of). You would then need to create a static route on the host pointing back to the PIX for the address that you NAT the external packet to. Check the command ref in 6.3 for the syntax and post back your questions if you have any.
Not a bad suggestion but it looks like all of the documentation points to mapping an explicit public address to an explicit private one. This would replace the original source address but the source could be any address on the Internet so that wouldn't work for me. I'm still going to play with the settings and see if I can't get something of a PAT process going in reverse. I'm also going to try port-redirection to see if that modifies the original source address. Any further suggestions or ideas are still most welcome!
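For readers following this thread, here is an added configuration example (not posted by anyone in the thread) showing the PIX 6.2/6.3 "outside NAT" approach the reply above describes, using a dynamic outside PAT rather than a one-to-one outside static so that any Internet source address works. All addresses are assumed for illustration: 203.0.113.10 is the public address of the published server, 192.168.50.10 is the server on the remote inside subnet, 10.1.1.0/24 is the PIX inside segment with the remote subnet's router at 10.1.1.254, and 10.1.1.100 is a spare inside address used as the PAT address for translated Internet sources.

```cisco
! Assumed interface addressing (example only)
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

! Route from the PIX to the remote inside subnet that hosts the server
route inside 192.168.50.0 255.255.255.0 10.1.1.254 1

! Normal inbound static: public 203.0.113.10 -> inside 192.168.50.10
static (inside,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255

! Permit the published service through the outside interface
access-list inbound permit tcp any host 203.0.113.10 eq www
access-group inbound in interface outside

! Outside NAT (PIX 6.2+): translate the SOURCE of packets arriving on the
! less-secure outside interface. "0.0.0.0 0.0.0.0" matches any Internet
! source; the "outside" keyword is what makes this an outside NAT rule.
nat (outside) 2 0.0.0.0 0.0.0.0 outside

! Matching global on the INSIDE interface. A single address here means
! PAT, so every Internet client appears to the server as 10.1.1.100.
global (inside) 2 10.1.1.100 netmask 255.255.255.255
```

With this in place the server at 192.168.50.10 sees every request as coming from 10.1.1.100, so it only needs a single host route (for 10.1.1.100/32) pointing back toward the PIX instead of a route for the whole Internet; its other default route is untouched. Two caveats worth checking before deploying: the server's logs and any IP-based access controls will now see 10.1.1.100 instead of the real client address, and because PAT is in use you should watch `show xlate` for translation-slot exhaustion on a busy service.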