I have a PIX firewall with a dmz interface that VPN users come into. I would like to be able to define that a range of 4 source ip addresses coming into the dmz interface be able to go anywhere on the inside interface. I know I need an acl permitting the ip range through, but I need to set the translations so that they can go to any destination on the inside via its true inside address. I can't create a blanket config like "static (dmz,inside) 10.0.0.0 10.0.0.0", because that will conflict with other statics between those interfaces, and I don't want any ip coming into the VPN dmz to be able to go to these inside addresses. How do I set it up so that only the 4 static ip addresses can go to any destination inside address without the normal need for creating a static statement for each destination they need to go to, at the same time without this config interfering with anything else?
I'm a little confused. Doesn't doing the nat (outside) translate the source ip addresses to whatever is defined with the matching global statement? If I'm going from a dmz interface to an inside interface, I need a translation on the destination, not the source. Correct?
My internal network on the inside of the PIX is a 10.0.0.0/8. I want these 4 vpn users to be able to access any destination 10.0.0.0 address without having to translate each destination host individually. If I wasn't worried about it conflicting with other config, I'd just do a "static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0". However, that would be a blanket translation for anyone going to the inside network; I only want it to affect the 4 vpn users. Right now, for example, if I want a specific vpn user to access the 10.1.1.1 server, I have to do a "static (inside,dmz) 10.1.1.1 10.1.1.1 netmask 255.255.255.255". As there are countless inside hosts that these 4 vpn users could be accessing, I don't want to have to do an individual translation for each possible destination address.
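One way to get the behaviour described in the posts above, as an added example that is not part of the thread and not a reply from anyone in it: instead of a per-destination static, a NAT exemption (nat 0 access-list) scoped to just the four VPN hosts leaves 10.0.0.0/8 untranslated only for traffic between those hosts and the inside, and leaves existing statics alone. It assumes PIX 6.3-style syntax, that the four VPN addresses are the aligned block 192.168.100.4/30, and the names VPN_NONAT and DMZ_IN, all constructed for this example.

```cisco
! Constructed example, not configuration from the thread.
! Assumed: inside network 10.0.0.0/8, VPN clients 192.168.100.4-.7 on dmz.

! Exempt inside <-> these four hosts from translation. On PIX 6.3 NAT
! exemption is matched before statics and works in both directions, so
! the dmz hosts reach every inside address by its real address without
! a static per destination, and other inside->dmz statics are untouched.
access-list VPN_NONAT permit ip 10.0.0.0 255.0.0.0 192.168.100.4 255.255.255.252
nat (inside) 0 access-list VPN_NONAT

! Inbound policy on dmz: only the four VPN sources may initiate to inside.
! If dmz already has an access-group applied, add this line to that ACL
! instead of binding a new one (access-group replaces the existing ACL).
access-list DMZ_IN permit ip 192.168.100.4 255.255.255.252 10.0.0.0 255.0.0.0
access-group DMZ_IN in interface dmz
```

Verify with "show xlate" after a test connection: traffic from the four hosts should show no translation entry for the inside side, while other dmz sources still hit the existing statics only.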