Static NAT

admin_2
Level 3

I have a vendor router connected on the DMZ of my firewall, which allows only one IP address of my server, 172.16.1.15, to connect to its network. I have a NAT on my firewall to my inside address as follows:

global(dmz1) 172.16.1.254

nat (dmz1) 0 0.0.0.0 0.0.0.0

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,DMZ1) 172.16.1.15 10.0.2.15

conduit permit tcp 172.16.1.15 any

route dmz1 192.168.1.0 255.255.255.0 172.16.1.1

where 192.168.1.0 is the vendor network address and 172.16.1.1 is the gateway address of the vendor router.

The problem I am facing is:

1. I am not able to ping the gateway 172.16.1.1, and I am not able to see any traffic on the DMZ from the internal address (10.0.2.15) or from 172.16.1.15 on a sniffer,

although the vendor router is able to ping my firewall DMZ interface.

When I initiate the connection from inside to DMZ1 (higher to lower), I believe my internal IP address (10.0.2.15) will be PAT'ed to the global address 172.16.1.254. How do I force the firewall to NAT the address to 172.16.1.15 so that I can access the vendor network?

Do I need to add any command on the firewall?

1 Reply

Not applicable

First:

Since ICMP echo reply packets are not part of an established TCP session, these have to be manually permitted. This can be done with:

conduit permit icmp any any

2nd:

Translation

I can't see which nat-pool your global statement belongs to, since you've left out the nat-pool pointer. It must be just a cut&paste goof, since the PIX would require a pointer.

It should look like this if all addresses (except 10.0.2.15) from inside are to be PAT'ed to 172.16.1.254:

global(dmz1) 1 172.16.1.254

which is from nat pool 1

You actually have a legal config for inside 10.0.2.15 to become 172.16.1.15 on dmz1.

This should work.

Verify with sh xlate.

Why are you not NAT-ing addresses going from DMZ1 to lower security?

(nat (dmz1) 0 0.0.0.0 0.0.0.0)

These are private addresses and should be NAT'ed.
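Pulling the reply's points together, here is what the corrected PIX 6.x configuration would look like, with the commands used to apply and verify it. This is an added example, not part of either post. The interface name `outside`, the PAT address 203.0.113.1 used for the DMZ-to-outside translation, and the choice to narrow the ICMP conduit to echo-reply (instead of the reply's `conduit permit icmp any any`) are assumptions made for the example; the rest of the addresses and interface names come from the original post.

```text
! --- Translation pools (added example; interface names follow the original post) ---
! Pool 1: everything from inside that is not covered by a static is PAT'ed to
! 172.16.1.254 on dmz1. The pool id "1" was missing from the posted global
! statement; the PIX requires it to tie global and nat together.
global (dmz1) 1 172.16.1.254
nat (inside) 1 0.0.0.0 0.0.0.0

! A static takes precedence over nat/global, so 10.0.2.15 always appears as
! 172.16.1.15 on dmz1. No extra command is needed to "force" this translation.
static (inside,dmz1) 172.16.1.15 10.0.2.15 netmask 255.255.255.255

! --- Conduits (traffic entering from dmz1 towards the translated address) ---
! TCP from the vendor side to the server's translated address (host form of
! the posted rule).
conduit permit tcp host 172.16.1.15 any
! PIX 6.x does not track ICMP echo replies as part of a session, so replies to
! pings started from inside must be permitted explicitly. Narrowed to echo-reply
! here (assumption: only outbound ping needs to work); the reply's broader
! "conduit permit icmp any any" also works but admits every ICMP type.
conduit permit icmp any any echo-reply

! --- Route to the vendor network through the vendor router on dmz1 ---
route dmz1 192.168.1.0 255.255.255.0 172.16.1.1

! --- DMZ to lower-security interfaces ---
! The posted "nat (dmz1) 0 0.0.0.0 0.0.0.0" sends RFC 1918 DMZ addresses out
! untranslated. Assumed interface name "outside" and PAT address 203.0.113.1
! (documentation range, not from the original post):
nat (dmz1) 1 0.0.0.0 0.0.0.0
global (outside) 1 203.0.113.1

! --- Apply and verify ---
! nat/global/static changes only affect new translations; flush the old ones.
clear xlate
! Confirm 10.0.2.15 shows up translated to 172.16.1.15 while it talks to 192.168.1.0/24.
show xlate
! Watch the ICMP echo and echo-reply pass (or get dropped) while pinging
! 172.16.1.1 from 10.0.2.15.
debug icmp trace
```

Run the ping from 10.0.2.15 while `debug icmp trace` is on: an echo request leaving dmz1 with source 172.16.1.15 and no matching echo reply points at the vendor router or its ACL, whereas a request that never appears on dmz1 means the translation or route on the PIX is still wrong (check `show xlate` for a 10.0.2.15 -> 172.16.1.15 entry after `clear xlate`).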
