
New Member

PIX Bi-Directional NAT

Hi

using PIX 6.2(2)

I am able to translate from the outside to the inside using

static (outside,inside)

but should I be able to NAT using

global (inside) 1 192.168.0.129-192.168.0.253

global (inside) 1 192.168.0.254

nat (outside) 1 0.0.0.0 0.0.0.0 0 0

I get the following errors:

305005: No translation group found for icmp src outside:10.12.0.33 dst inside:172.25.16.1 (type 8, code 0)

thanks

3 REPLIES
New Member

Re: PIX Bi-Directional NAT

The commands used for translation in the PIX are determined by comparison of security levels:

1. If traffic travels from a low to a high security level, use static and access-list commands.

2. If traffic travels from a high to a low security level, use nat and global commands.

In your case, you need to match the correct interface with the correct command.

You need - nat (inside) 1 0 0

and - global (outside) 1 (Internet IP address or range assigned to you)

Here is a link for further info

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml.

RJ

New Member

Re: PIX Bi-Directional NAT

RJ, according to the link, it says:

"Outside NAT

Starting with PIX 6.2, NAT and PAT can be applied to traffic from an outside, or less secure, interface to an inside (more secure) interface. This is sometimes referred to as "bi-directional NAT." "

And also

"Outside NAT/PAT is similar to inside NAT/PAT, but the address translation is applied to addresses of hosts residing on the outer (less secure) interfaces of the PIX. To configure dynamic outside NAT, specify the addresses to be translated on the less secure interface and specify the global address or addresses on the inside (more secure) interface. To configure static outside NAT, use the static command to specify the one-to-one mapping."

I am able to make static outside NAT work as shown in the example,

but not dynamic outside NAT. My question is how to make that work.

The commands you mention refer to inside NAT, not outside NAT.

-Michel

Silver

Re: PIX Bi-Directional NAT

You are still backwards though. Regular NAT, where you have legitimate IPs on the outside, and RFC 1918 IPs on the inside, requires global commands on the outside int, and nat on the inside int.

Outside nat is used far less frequently, often for poorly designed networks, or to deal with poorly written applications. That said, outside nat requires the *same* rules for global and nat commands - global on outside int, nat on inside int. Outside nat, as seen in the doc, is achieved through the addition of more static commands.
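For comparison, here is a constructed configuration (added here, not taken from any post in this thread) that puts regular inside NAT, as RJ describes it, next to dynamic outside NAT in the form the quoted document describes. It assumes the `outside` keyword on the nat command, which PIX 6.2 uses to mark that the addresses being translated live on the less secure interface and which no reply mentions; the interface names, networks and public addresses are constructed.

```cisco
: Constructed example. Inside network 172.25.16.0/24, outside hosts in
: 10.12.0.0/16, and the 192.168.0.129-254 pool from the original question.

: --- Regular (inside) NAT: high -> low security, as in RJ's reply ---
: Inside hosts are translated to a public pool when they go out.
nat (inside) 1 172.25.16.0 255.255.255.0
global (outside) 1 203.0.113.10-203.0.113.20
: Single PAT address used once the pool above is exhausted.
global (outside) 1 203.0.113.21

: --- Dynamic outside NAT: low -> high security ("bi-directional NAT") ---
: The trailing 'outside' keyword is the assumption named in the lead-in:
: it tells the PIX that the source addresses to translate are on the
: less secure interface, and the global pool is placed on the inside.
nat (outside) 2 10.12.0.0 255.255.0.0 outside
global (inside) 2 192.168.0.129-192.168.0.253
: PAT address for outside hosts once the inside-facing pool is exhausted.
global (inside) 2 192.168.0.254

: Low -> high traffic still needs a translation for the inside host and an
: access-list permitting it (RJ's rule 1). The static here is an identity
: mapping so the inside host keeps its own address toward the outside.
static (inside,outside) 172.25.16.1 172.25.16.1 netmask 255.255.255.255
access-list outside_in permit icmp 10.12.0.0 255.255.0.0 host 172.25.16.1 echo
access-group outside_in in interface outside
```

With both directions configured, a 305005 "No translation group found" message for an outside source should no longer appear for hosts inside 10.12.0.0/16; if it still does, the nat id and the global id on the inside interface do not match.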
