Has anyone successfully used this? I had an idea to use it, in combination with a global (inside) interface and a static statement, to allow a router outside a firewall to pass RIPv2 MD5 updates using neighbor statements to routers on the inside of the firewall. Essentially the neighbor becomes the outside address defined in the static statement, and the inside address in the static statement is the address of the inside router interface. That takes care of the destination address of the unicast RIP packet. However, the inside router ignores it because the source address is still the real outside router address (not on the same subnet).
So I installed
nat (outside) 2 <outside router address and mask> outside
global (inside) 2 interface
This worked exactly as I had hoped, and translated the source address of the outside router's RIP updates to the inside interface of the PIX. The inside router then installs the routes in its table using the inside address of the PIX as the next hop. Debugs and packet traces confirm the behavior. So far so good.
However, in doing the above, nat (inside) appears to break. I have a generic nat (inside) config, like:
nat (inside) 1 0 0
global (outside) 1 interface
Without the nat (outside) command, I can ping and make normal connections outbound. When the nat (outside) command is installed, pings and connection attempts don't make it outbound through the firewall anymore. Debug packet inside on the firewall confirms the packets are arriving at the inbound interface, but debug ip packet on the outside router confirms the packets are not making it through the PIX.
Does anyone have a working configuration for this, where nat works in both directions? Thanks.
I believe the alias command will solve this, because as well as changing the destination address when going from inside to outside, it also changes the source address for packets coming from outside to inside. So use "alias (inside) 192.168.1.1 220.127.116.11" where 192.168.1.1 is your outside router interface alias address and 18.104.22.168 is your outside router interface real address.