NAT through PIX

koksm
Level 1

Probably been asked before, but...

I have a 515 with 6.3 software. Three interfaces. I need to allow traffic from the DMZ to a single host on the internal network. Destination address should not be NATted, source network should (source traffic comes in via ISDN and is a non routed subnet).

Is this possible at all? I've tried playing around with a static;

static (inside,dmz) <inside address> <inside address/mask>

This should not hide the inside address, but does not fix my source NAT problem. Nat and Global does not work because I have to go from lower to higher security level.

I can't figure this out...

2 Replies

mgaysek
Level 1

The static you have will work for your destination. Are you trying to NAT the host on the DMZ when it goes to the inside?

Here is the excerpt from the command reference.

nat outside (Outside NAT)

The nat outside option lets you enable or disable outside NAT, which translates the source address of a connection coming from a lower security interface to higher interface. This feature is also called bidirectional NAT.

If you enable outside dynamic NAT on an interface, then you must configure explicit NAT policy for all hosts on the interface that need to initiate connections to inside networks. If you want to translate some hosts, but not others, then use identity NAT or NAT exemption (nat 0 or nat 0 access-list) to disable address translation for these additional hosts.

HTH

Thanks, 10 minutes ago I found the same thing on CCO, outside NAT. Gonna try!
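The combination discussed in this thread, written out as a PIX 6.3 configuration sketch. This is an added example and not part of any poster's message; every address, the ACL names and the permitted port are constructed assumptions.

```cisco
! Constructed addressing (assumptions, not from the thread):
!   inside host to be reached from the DMZ : 10.1.1.10
!   non-routed ISDN source subnet (on dmz) : 192.168.50.0/24
!   other DMZ hosts that must stay untranslated : 172.16.1.0/24
!   unused inside address used as the PAT global : 10.1.1.250

! 1. Identity static: the inside host is reachable from the dmz interface
!    under its real address, so the destination is not translated.
static (inside,dmz) 10.1.1.10 10.1.1.10 netmask 255.255.255.255

! 2. Outside NAT: the "outside" keyword translates the SOURCE of connections
!    arriving on the lower-security dmz interface. The matching global is
!    placed on the higher-security inside interface.
nat (dmz) 1 192.168.50.0 255.255.255.0 outside
global (inside) 1 10.1.1.250

! 3. Lower-to-higher traffic still needs an explicit permit. Restrict it to
!    the single inside host and the one service required (tcp/443 assumed).
access-list dmz_in permit tcp 192.168.50.0 255.255.255.0 host 10.1.1.10 eq 443
access-group dmz_in in interface dmz

! 4. Per the command reference excerpt above: once outside dynamic NAT is
!    enabled on dmz, other dmz hosts that initiate connections to the inside
!    need an explicit NAT policy too. NAT exemption keeps their addresses.
access-list dmz_nonat permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (dmz) 0 access-list dmz_nonat outside
```

After a test connection from the ISDN subnet, `show xlate` should list a translation of the source to the inside global address, while the destination remains the real inside address.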
