
Outside NAT

Hi,

We have a Cisco PIX 525 running 6.3(3)

I am trying to NAT the source address of a server on a DMZ only when the server needs to talk to a specific server on the inside interface.

All other traffic from the dmz to any interface should not be NATed.

i.e. when server 10.0.0.1 (dmz) talks to server 13.0.0.1 (inside) its source address is NATed to 13.0.0.2

and when server 10.0.0.1 (dmz) talks to any other networks on the inside, no NAT takes place (nat 0)

Could you tell me if this is possible please?

I have played around with the following:

# static (dmz, inside) 13.0.0.2 access-list NAT-dmz

# access-list NAT-dmz permit ip host 10.0.0.1 host 13.0.0.1

# nat (dmz) 0 access-list NoNAT-dmz

# access-list NoNAT-dmz permit ip host 10.0.0.1 11.0.0.0 255.0.0.0

# access-list NoNAT-dmz permit ip host 10.0.0.1 12.0.0.0 255.0.0.0

I could ping the NAT address 13.0.0.2 from the LAN, however I couldn't ping the server address 13.0.0.1 (inside) from server 10.0.0.1 (dmz), which made me think that the NAT is not bi-directional?

This is a problem as the NAT needs to happen when the server on the DMZ (10.0.0.1) establishes a connection to the server on the inside (13.0.0.1)

Please note that access-lists have been applied to the inside and dmz interfaces permitting traffic to flow between the two interfaces.

Thanks, Paddy

2 REPLIES

Re: Outside NAT

Unfortunately, I don't have enough time to explain the solution in detail, but you can achieve what you want. One way of doing this is:

- Configure a Global statement to inside interface with IP address of 13.0.0.2

- Configure NAT+Access List on the DMZ interface related with the global statement and where the ACL is triggered only by 10.0.0.1

Don't forget to configure ACL+ACG on the DMZ interface, since it's a lower-security interface that wishes to communicate with a higher-security interface.

Regards

Ben


Re: Outside NAT

Paddy

You can try this (you can do it both with ACLs -policy NAT- or the 'old-fashioned' way, just regular NAT):

static (dmz,inside) 13.0.0.2 10.0.0.1

!-- Outside static NAT

!-- or,

static (dmz,inside) 13.0.0.2 access-list NAT-dmz

access-list NAT-dmz permit ip host 10.0.0.1 host 13.0.0.1

!-- Just the way that you have it.

!-- This is what you are missing perhaps:

static (inside,dmz) 13.0.0.1 13.0.0.1

Now, if you have something like this on the inside:

nat (inside) 0 0.0.0.0 0.0.0.0

This NAT 0 is not bi-directional.

If you have something like:

nat (inside) 0 access-list nonat-inside

access-list nonat-inside permit ip any 10.0.0.0 255.0.0.0

This NAT 0 is bidirectional, and you should be able to ping the server on the inside from the dmz, and the server on the dmz should be translated to 13.0.0.2

Anyway, you can do a 'show xlate debug' to see the translations created and check that both are made. The NAT0+ACL does not create an xlate.

The outside NAT is NOT BI-DIRECTIONAL so this is why you would need a translation rule between the inside and the dmz (second static).

Hope it helps,

federico.
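Pulling the pieces of the thread together, here is a consolidated PIX 6.3 configuration that is not from any of the posters: Paddy's policy static and nat 0 exemptions, the second identity static federico points out, and the inbound ACL on the dmz interface that Ben mentions. The interface names inside/dmz, the ACL names NAT-dmz, NoNAT-dmz and dmz-in, and the assumption that 11.0.0.0/8 and 12.0.0.0/8 are the only other inside networks are taken from or inferred from the thread; nothing else is assumed.

```cisco
! Added example, not posted in the thread. Addresses are the ones used above;
! interface names (inside, dmz) and ACL names are assumptions.

! 1. Policy static: 10.0.0.1 is seen as 13.0.0.2 only when it talks to 13.0.0.1
access-list NAT-dmz permit ip host 10.0.0.1 host 13.0.0.1
static (dmz,inside) 13.0.0.2 access-list NAT-dmz

! 2. Identity static for the inside server. Outside NAT alone is not
!    bi-directional, so without this the dmz host cannot reach 13.0.0.1.
static (inside,dmz) 13.0.0.1 13.0.0.1

! 3. Every other dmz -> inside flow from 10.0.0.1 stays untranslated
access-list NoNAT-dmz permit ip host 10.0.0.1 11.0.0.0 255.0.0.0
access-list NoNAT-dmz permit ip host 10.0.0.1 12.0.0.0 255.0.0.0
nat (dmz) 0 access-list NoNAT-dmz

! 4. dmz is the lower-security interface, so inbound traffic to inside must be
!    explicitly permitted (ACL + access-group). Only the flows the thread needs
!    are opened; nothing else from the dmz reaches the inside.
access-list dmz-in permit ip host 10.0.0.1 host 13.0.0.1
access-list dmz-in permit ip host 10.0.0.1 11.0.0.0 255.0.0.0
access-list dmz-in permit ip host 10.0.0.1 12.0.0.0 255.0.0.0
access-group dmz-in in interface dmz

! 5. Verify: after 10.0.0.1 opens a connection to 13.0.0.1 you should see the
!    static xlate 10.0.0.1 -> 13.0.0.2 plus the identity xlate for 13.0.0.1.
!    Flows exempted by nat 0 + ACL do not show up here.
show xlate debug
```

Federico also notes that an ACL-based nat 0 on the inside (nat (inside) 0 access-list ...) behaves bi-directionally, so that form can stand in for the identity static in step 2; a plain "nat (inside) 0 0.0.0.0 0.0.0.0" cannot. Keeping the dmz-in ACL limited to the exact destination hosts and networks in step 4 matters because the static in step 1 makes 13.0.0.2 reachable from the inside regardless of that ACL, and the ACL is the only thing bounding what the dmz host may initiate.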
