Network Address Translation

Discussion in 'Cisco' started by Fabio Maia, Oct 16, 2003.

  1. Fabio Maia

    Fabio Maia Guest

    Hi,

    I would appreciate if someone could help me with this (ridiculous?)
    question:

    In order for a packet to make use of a destination address translation
    is it necessary to reach the pix through the interface where the
    virtual address is defined?

    Thank you very much,

    Fabio Maia.
    Fabio Maia, Oct 16, 2003
    #1

  2. In article <>,
    Fabio Maia <> wrote:
    :I would appreciate if someone could help me with this (ridiculous?)
    :question:

    :In order for a packet to make use of a destination address translation
    :is it necessary to reach the pix through the interface where the
    :virtual address is defined?

    Almost, but...

    Modern address translation on the PIX can be specified via the 'static' command
    or via the 'nat' command (I'm leaving out conduit/outbound and kin.)

    The 'static' command is interface specific: the command itself names
    the interfaces it applies between.

    The traditional 'nat' command only applied when connections were formed
    from the inside to the outside, and did not allow new connections to be
    formed from the outside to the inside.

    In PIX 6.0, Cisco added a new form of 'nat', 'nat (inside) 0 access-list XXX'.
    Traffic matched by the access-list could be said to have NAT "turned off"
    [no matter which interface the traffic was to!], or it could be said
    that NAT was still active but that the identity address translation is
    being done. Incoming traffic that matches the nat 0 access-list IS
    allowed to form connections from the outside to the inside. Thus, one can
    "make use of" the 'null' destination address translation even though
    the translation has been defined without explicit reference to the
    outside interface.

    Fun with semantics...
    --
    Everyone has a "Good Cause" for which they are prepared to Spam.
    -- Roberson's Law of the Internet
    Walter Roberson, Oct 16, 2003
    #2

  3. Fabio Maia

    Fabio Maia Guest

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<bmn4ft$aef$>...
    > In article <>,
    > Fabio Maia <> wrote:
    > :I would appreciate if someone could help me with this (ridiculous?)
    > :question:
    >
    > :In order for a packet to make use of a destination address translation
    > :is it necessary to reach the pix through the interface where the
    > :virtual address is defined?
    >
    > Almost, but...
    >
    > Modern address translation on the PIX can be specified via the 'static' command
    > or via the 'nat' command (I'm leaving out conduit/outbound and kin.)
    >
    > The 'static' command is interface specific: the command itself names
    > the interfaces it applies between.
    >
    > The traditional 'nat' command only applied when connections were formed
    > from the inside to the outside, and did not allow new connections to be
    > formed from the outside to the inside.
    >
    > In PIX 6.0, Cisco added a new form of 'nat', 'nat (inside) 0 access-list XXX'.
    > Traffic matched by the access-list could be said to have NAT "turned off"
    > [no matter which interface the traffic was to!], or it could be said
    > that NAT was still active but that the identity address translation is
    > being done. Incoming traffic that matches the nat 0 access-list IS
    > allowed to form connections from the outside to the inside. Thus, one can
    > "make use of" the 'null' destination address translation even though
    > the translation has been defined without explicit reference to the
    > outside interface.
    >
    > Fun with semantics...


    Ok, Walter. So to perform a real destination address replacement (no
    identity) the packet MUST get into the pix through the external
    interface specified in the static command.

    Thank you very much for your time.
    Fabio Maia, Oct 17, 2003
    #3
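
The two translation forms discussed in this thread, side by side, as an added configuration sketch that is not part of any post above. It assumes PIX 6.x syntax; every address, the ACL names `nonat` and `acl_out`, and the permitted ports are constructed placeholders.

```cisco
! Constructed sample for PIX 6.x. Addresses and ACL names are placeholders.

! Form 1: 'static' names both interfaces in the command itself:
!   static (real_if,mapped_if) mapped_ip real_ip
! A packet arriving on 'outside' for 203.0.113.10 has its destination
! rewritten to 10.0.0.10. The mapping exists only between this named pair.
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255

! Form 2: identity translation ("nat 0") selected by an access-list.
! Only the inside interface is named. Hosts matched by the ACL keep their
! real addresses toward whichever interface the traffic uses.
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! New connections from outside to inside still need an explicit permit
! on the outside interface, for the static and for the nat 0 hosts alike.
access-list acl_out permit tcp any host 203.0.113.10 eq 80
access-list acl_out permit tcp 192.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 22
access-group acl_out in interface outside
```

With the `nat 0` form the matched peers see the real inside addresses, so the ACL applied to the outside interface is what scopes inbound access; keep it at least as narrow as the `nonat` access-list.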