PAT on the Outside of a PIX

Discussion in 'Cisco' started by jseemann@gmail.com, Jul 24, 2007.

  1. Guest

    We have a customer coming in through our firewall whose source IP
    addresses we want to change. We have a number of NATs in place
    changing our internal addresses as they go outbound, but this will be
    the first inbound change we do.

    The customer will hit our outside interface with a source IP address
    in the range of 172.18.31.0. We want them to show up on our network
    as 10.1.1.1 (so we want to do PAT, really).

    Below is the configuration I was considering:


    nat (outside) 2 172.18.31.0 255.255.255.0 0 0
    global (inside) 2 10.1.1.1 netmask 255.255.255.255

    route outside 172.18.31.0 255.255.255.0 1.2.3.4 1

    1.2.3.4 is the customer router abutting our outside interface of
    1.2.3.1


    I think this should work as detailed above, but my only concern is
    that if I turn on an outside -> inside NAT, does that break the normal
    Identity NAT process that normally would occur coming outside in? Or
    is there anything else conceivable that could get broken by this
    translation?


    Thanks,
    Jason
     
    , Jul 24, 2007
    #1

  2. CK Guest

    Hi, I have done this in NetScreen and not sure about PIX ...
    will try in my lab and let you know ASAP.

    But it should work

    On Jul 24, 11:54 pm, "" <> wrote:
    > We have a customer coming in through our firewall whose source IP
    > addresses we want to change. We have a number of NATs in place
    > changing our internal addresses as they go outbound, but this will be
    > the first inbound change we do.
    >
    > The customer will hit our outside interface with a source IP address
    > in the range of 172.18.31.0. We want them to show up on our network
    > as 10.1.1.1 (so we want to do PAT, really).
    >
    > Below is the configuration I was considering:
    >
    > nat (outside) 2 172.18.31.0 255.255.255.0 0 0
    > global (inside) 2 10.1.1.1 netmask 255.255.255.255
    >
    > route outside 172.18.31.0 255.255.255.0 1.2.3.4 1
    >
    > 1.2.3.4 is the customer router abutting our outside interface of
    > 1.2.3.1
    >
    > I think this should work as detailed above, but my only concern is
    > that if I turn on an outside -> inside NAT, does that break the normal
    > Identity NAT process that normally would occur coming outside in? Or
    > is there anything else conceivable that could get broken by this
    > translation?
    >
    > Thanks,
    > Jason
     
    CK, Jul 25, 2007
    #2

  3. mcaissie Guest

    <> wrote in message
    news:...
    > We have a customer coming in through our firewall whose source IP
    > addresses we want to change. We have a number of NATs in place
    > changing our internal addresses as they go outbound, but this will be
    > the first inbound change we do.
    >
    > The customer will hit our outside interface with a source IP address
    > in the range of 172.18.31.0. We want them to show up on our network
    > as 10.1.1.1 (so we want to do PAT, really).
    >
    > Below is the configuration I was considering:
    >
    >
    > nat (outside) 2 172.18.31.0 255.255.255.0 0 0
    > global (inside) 2 10.1.1.1 netmask 255.255.255.255



    It should work, but the proper syntax would be

    nat (outside) 2 172.18.31.0 255.255.255.0 outside 0 0
    global (inside) 2 10.1.1.1 netmask 255.255.255.255


    ref: Cisco
    If this interface is on a lower security level than the interface you
    identify by the matching global statement, then you must enter outside.
    This feature is called outside NAT or bidirectional NAT.

    nat outside (Outside NAT)
    The nat outside option lets you enable or disable outside NAT, which
    translates the source address of a connection coming from a lower security
    interface to higher interface. This feature is also called bidirectional
    NAT.

    If you enable outside dynamic NAT on an interface, then you must configure
    explicit NAT policy for all hosts on the interface that need to initiate
    connections to inside networks. If you want to translate some hosts, but not
    others, then use identity NAT or NAT exemption (nat 0 or nat 0 access-list)
    to disable address translation for these additional hosts.

    The norandomseq and emb_limit options are not supported with outside NAT.


    >
    > route outside 172.18.31.0 255.255.255.0 1.2.3.4 1
    >
    > 1.2.3.4 is the customer router abutting our outside interface of
    > 1.2.3.1
    >
    >
    > I think this should work as detailed above, but my only concern is
    > that if I turn on an outside -> inside NAT, does that break the normal
    > Identity NAT process that normally would occur coming outside in? Or
    > is there anything else conceivable that could get broken by this
    > translation?
    >
    >
    > Thanks,
    > Jason
    >
     
    mcaissie, Jul 25, 2007
    #3
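    An added example, not code from the thread or from Cisco: a small Python model of the source-address decision the quoted Cisco text describes once outside dynamic NAT is on, using the addresses and NAT id from the thread. The "no matching policy means the connection is denied" branch and the port allocator are assumptions drawn from the quoted text, not a PIX implementation.

```python
# Model of outside NAT on a PIX as described in the thread (added example).
# Rules modelled:
#   nat (outside) 2 172.18.31.0 255.255.255.0 outside 0 0
#   global (inside) 2 10.1.1.1 netmask 255.255.255.255
#   nat (outside) 0 ...   -> NAT exemption / identity NAT for other hosts
import ipaddress
from itertools import count


class OutsidePat:
    def __init__(self, pool, pat_ip, exempt=()):
        self.pool = ipaddress.ip_network(pool)      # the nat (outside) 2 network
        self.pat_ip = pat_ip                         # the single global (inside) 2 address
        # networks covered by nat 0 (exemption); evaluated before the dynamic rule
        self.exempt = [ipaddress.ip_network(n) for n in exempt]
        self.xlate = {}                              # (src_ip, src_port) -> (pat_ip, pat_port)
        self._ports = count(1024)                    # constructed PAT port allocator

    def translate(self, src_ip, src_port):
        """Return the (ip, port) the inside network sees, or None if denied."""
        ip = ipaddress.ip_address(src_ip)
        if any(ip in net for net in self.exempt):
            return (src_ip, src_port)                # identity NAT: source untouched
        if ip in self.pool:
            key = (src_ip, src_port)
            if key not in self.xlate:                # one PAT port per inbound flow
                self.xlate[key] = (self.pat_ip, next(self._ports))
            return self.xlate[key]
        # Outside dynamic NAT is enabled and no policy matches this host:
        # the quoted Cisco text says an explicit policy is required, so deny.
        return None


def demo():
    """Jason's case: customer hosts are PAT'd, any other outside host is not."""
    pix = OutsidePat("172.18.31.0/24", "10.1.1.1")
    customer = pix.translate("172.18.31.10", 40000)
    other = pix.translate("198.51.100.7", 5555)      # constructed address
    # After adding nat 0 exemption for the other network, it passes unchanged.
    fixed = OutsidePat("172.18.31.0/24", "10.1.1.1", exempt=["198.51.100.0/24"])
    return customer, other, fixed.translate("198.51.100.7", 5555)


if __name__ == "__main__":
    print(demo())
```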
  4. Guest

    On Jul 25, 4:20 pm, "mcaissie" <> wrote:
    > <> wrote in message
    >
    > news:...
    >
    > > We have a customer coming in through our firewall whose source IP
    > > addresses we want to change. We have a number of NATs in place
    > > changing our internal addresses as they go outbound, but this will be
    > > the first inbound change we do.

    >
    > > The customer will hit our outside interface with a source IP address
    > > in the range of 172.18.31.0. We want them to show up on our network
    > > as 10.1.1.1 (so we want to do PAT, really).

    >
    > > Below is the configuration I was considering:

    >
    > > nat (outside) 2 172.18.31.0 255.255.255.0 0 0
    > > global (inside) 2 10.1.1.1 netmask 255.255.255.255

    >
    > It should work, but the proper syntax would be
    >
    > nat (outside) 2 172.18.31.0 255.255.255.0 outside 0 0
    > global (inside) 2 10.1.1.1 netmask 255.255.255.255
    >
    > ref: Cisco
    > If this interface is on a lower security level than the interface you
    > identify by the matching global statement,
    >
    > then you must enter outside. This feature is called outside NAT or
    > bidirectional NAT.
    >
    > nat outside (Outside NAT)
    > The nat outside option lets you enable or disable outside NAT, which
    > translates the source address of a connection coming from a lower security
    > interface to higher interface. This feature is also called bidirectional
    > NAT.
    >
    > If you enable outside dynamic NAT on an interface, then you must configure
    > explicit NAT policy for all hosts on the interface that need to initiate
    > connections to inside networks. If you want to translate some hosts, but not
    > others, then use identity NAT or NAT exemption (nat 0 or nat 0 access-list)
    > to disable address translation for these additional hosts.
    >
    > The norandomseq and emb_limit options are not supported with outside NAT.
    >
    >
    >
    > > route outside 172.18.31.0 255.255.255.0 1.2.3.4 1

    >
    > > 1.2.3.4 is the customer router abutting our outside interface of
    > > 1.2.3.1

    >
    > > I think this should work as detailed above, but my only concern is
    > > that if I turn on an outside -> inside NAT, does that break the normal
    > > Identity NAT process that normally would occur coming outside in? Or
    > > is there anything else conceivable that could get broken by this
    > > translation?

    >
    > > Thanks,
    > > Jason


    Thanks for the in-depth reply. I'll have to make sure to identity NAT
    all other addresses so as not to break that connectivity.

    Jason
     
    , Jul 26, 2007
    #4