Reverse NAT

sgoethals1
Level 1

Hi,

I have a PIX 506E 6.3(4) set up to use Dynamic NAT for 15 addresses and the rest are set up to use STATIC NAT. At this time, I am using ALIAS statements to take care of outside requests that need access to inside machines.

Unfortunately, the PDM software won't allow us to manage the PIX if we use the ALIAS statements. I am told that I need to use Reverse NAT.

My question is how to do this if I already have NAT set up dynamically for 15 of my available addresses? What do I need to do to set up Reverse NAT for my static addresses?

My current config looks like this.

global (outside) 1 XX.XX.XX.110-XX.XX.XX.126 netmask 255.255.255.192

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Any help would be greatly appreciated.

Thanks

Scott

1 Reply

nefkensp
Level 5

Hello Scott,

You can use the static command in combination with an access-list to set up access for inbound connections. For example, if you have a host 192.168.1.110 on your inside network, which is publicly available on 10.10.10.110, and a webserver is running on it, you can use the following commands:

static (inside,outside) 10.10.10.110 192.168.1.110 netmask 255.255.255.255

access-list acl_outside permit tcp any host 10.10.10.110 eq 80

access-group acl_outside in int outside

The static command tells the PIX that the outside address 10.10.10.110 belongs to the inside address 192.168.1.110. Optionally you can specify the maximum number of connections allowed for that entry (see the manual for the static command).

The access-list entry tells the PIX that anybody can connect to the IP address 10.10.10.110 on port 80 (http).

The access-group command tells the PIX to use access-list acl_outside on incoming traffic on the outside interface.

Check out the example of a mailserver on the inside network at

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094466.shtml

Hope this helps,

Kind regards,

Pieter-Jan
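
The reply pairs each static translation with an access-list entry applied to the outside interface. The following is an added example, not part of the original thread or any Cisco tool: a small Python check that reads a config and reports where that pairing breaks or where a permit exposes every port on a host. The function name `audit`, the finding labels and the sample config are assumptions made for illustration, and only the command forms shown in the reply are parsed.

```python
import re

# Constructed sample, modelled on the commands in the reply (not a real device config).
SAMPLE_CONFIG = """\
static (inside,outside) 10.10.10.110 192.168.1.110 netmask 255.255.255.255
static (inside,outside) 10.10.10.111 192.168.1.111 netmask 255.255.255.255
static (inside,outside) 10.10.10.113 192.168.1.113 netmask 255.255.255.255
access-list acl_outside permit tcp any host 10.10.10.110 eq 80
access-list acl_outside permit ip any host 10.10.10.111
access-list acl_outside permit tcp any host 10.10.10.112 eq 25
access-group acl_outside in interface outside
"""

STATIC_RE = re.compile(r"static \(\w+,(\w+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"access-list (\S+) permit (\S+) any host (\S+)(?: eq (\S+))?")
GROUP_RE = re.compile(r"access-group (\S+) in int\w* (\S+)")


def audit(config, outside="outside"):
    """Return (public_address, issue) findings for inbound rules on `outside`."""
    statics, entries, bound = {}, [], set()
    for line in map(str.strip, config.splitlines()):
        if (m := STATIC_RE.match(line)) and m.group(1) == outside:
            statics[m.group(2)] = m.group(3)      # public -> inside address
        elif m := ACL_RE.match(line):
            entries.append(m.groups())            # (acl, proto, dest, port)
        elif (m := GROUP_RE.match(line)) and m.group(2) == outside:
            bound.add(m.group(1))                 # ACLs applied inbound on outside

    findings, permitted = [], set()
    for acl, proto, dest, port in entries:
        if acl not in bound:
            findings.append((dest, "acl-not-bound"))          # entry has no effect
            continue
        permitted.add(dest)
        if dest not in statics:
            findings.append((dest, "permit-without-static"))  # stale or mistyped rule
        if proto == "ip" or (proto in ("tcp", "udp") and port is None):
            findings.append((dest, "no-port-restriction"))    # whole host exposed
    for public in statics:
        if public not in permitted:
            findings.append((public, "static-without-permit"))  # unreachable mapping
    return findings


if __name__ == "__main__":
    for address, issue in audit(SAMPLE_CONFIG):
        print(f"{address}: {issue}")
```
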