NAT translation on a PIX to/from the same interface
I have an interesting problem. My ISP manager recently installed new DNS boxes inside our ISP DMZ. The boxes are redundant and do periodic checks on each other to verify everything is OK. Pretty straightforward.
Now the twist. The boxes must check on each other using the public IP address assigned to each box via a static NAT. So the packet from one box would leave the DMZ (10.1.x.x) destined for the sister box but with a destination IP on the outside interface (216.x.x.x). Of course, once it leaves the outside interface it will not come back in through the same interface, so the destination address would not get translated to its DMZ IP (10.1.x.x). Is this clear enough?
The vendor assures us that this is done all the time, but I can't find a way to do this. Is there a way for the PIX to catch the packet from the DMZ, translate it over and send it back to the DMZ with the un-translated address?
Re: NAT translation on a PIX to/from the same interface
In short no.
The workaround: use the "alias" command. What alias does is intercept DNS queries and re-write the 'A' records.
For example, one DNS server would look up the IP address of the other DNS by name. The PIX would intercept this DNS query and re-write the public IP returned with the correct private IP. Try something like:
alias (inside) <dns_private_ip> <dns_public_ip> 255.255.255.255
sysopt noproxyarp inside
Replace <dns_private_ip> with the actual address of the DNS server, and <dns_public_ip> with the address that the rest of the world knows the DNS server by.
Another option: create a HOSTS file on each DNS server, and statically enter the private IP address of each box.
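The A-record rewrite that the alias command performs, modelled as an added example (this is not code from the original post or from Cisco): it walks a DNS reply and replaces the public address with the DMZ address in every A record that carries it, leaving everything else intact. The two addresses and the sample reply are constructed assumptions.

```python
import struct
import ipaddress

# Constructed alias pair (assumptions, documentation ranges): the address the
# rest of the world knows the DNS box by, and the DMZ address it really has.
PUBLIC_IP = "203.0.113.10"
DMZ_IP = "10.1.1.10"

def skip_name(msg, off):
    """Return the offset just past a DNS name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def rewrite_a_records(msg, public_ip, private_ip):
    """Model of what PIX 'alias' does to a DNS reply crossing the firewall:
    every A record carrying public_ip is rewritten to private_ip in place."""
    out = bytearray(msg)
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):                 # skip the question section
        off = skip_name(msg, off) + 4        # QTYPE + QCLASS
    pub = ipaddress.IPv4Address(public_ip).packed
    priv = ipaddress.IPv4Address(private_ip).packed
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4 and msg[off:off + 4] == pub:
            out[off:off + 4] = priv          # only A records with the public IP
        off += rdlen
    return bytes(out)

def build_reply(name, ip):
    """Constructed sample reply: one question and one A answer, no compression."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = qname + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + qname + struct.pack("!HH", 1, 1) + answer

def answered_ip(msg):
    """Dotted address in the first A answer of a reply (for checking results)."""
    off = skip_name(msg, 12) + 4             # past the single question
    off = skip_name(msg, off) + 10           # past answer name + fixed fields
    return str(ipaddress.IPv4Address(msg[off:off + 4]))
```

Note that, like the PIX, this only helps when the sister box is resolved by name; a check configured against the literal public IP never passes through a DNS reply and gets nothing rewritten.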