RE: PIX NAT??

From: Scott Morris (swm@emanon.com)
Date: Sat May 31 2003 - 23:56:18 GMT-3


Order of NAT... Traffic must come in prior to NAT xlate existing. A
static command will pre-populate. Try static on your inside guys and
then the outside should work. At that point, your local host would
think it were being ping'ed by the PIX.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Volkov, Dmitry (IDS Canada)
Sent: Saturday, May 31, 2003 10:15 PM
To: 'Dong Lin'
Cc: ccielab@groupstudy.com; 'michael625@cox.net';
'security@groupstudy.com'
Subject: RE: PIX NAT??

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/bafwcfg.htm#1063701
Starting with PIX Firewall version 6.2, NAT and PAT can be applied to
traffic from an outside or less secure interface to an inside (more
secure) interface. This functionality is called Outside NAT.
However I just tried it with 6.21 - no luck :(

ip address outside 172.16.10.10 255.255.255.0
ip address inside 172.16.50.1 255.255.255.0
global (inside) 1 interface
nat (outside) 1 172.16.10.64 255.255.255.192 outside 0 0
conduit permit ip any any

No translation group found for icmp src outside:172.16.10.100 dst inside:172.16.50.5 (type 8, code 0)

> -----Original Message-----
> From: Dong Lin [mailto:dlin22@comcast.net]
> Sent: Saturday, May 31, 2003 8:10 PM
> To: ccielab@groupstudy.com
> Subject: Re: PIX NAT??
>
>
> The answer to your question is no.
>
> nat and global is used to let traffic from high security
> interface to low
> security interface.
>
> You need to use static and acl to let traffic from the
> outside interface to
> the inside interface (nat is performed by static command)
>
>
> ----- Original Message -----
> From: "Michael Popovich" <michael625@cox.net>
> To: <ccielab@groupstudy.com>
> Sent: Saturday, May 31, 2003 4:19 AM
> Subject: PIX NAT??
>
>
> > Can you NAT from the Outside interface to the Inside interface?
> >
> > I have:
> >
> > nat (outside) 1 0.0.0.0 0.0.0.0
> > global (inside) 1 interface
> >
> > This doesn't seem to work for me, now I am wondering if it
> is possible.
> >
> > MP
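
Added example (not configuration posted by anyone in this thread) that puts Scott's answer and Dmitry's attempt side by side: the outside NAT lines as posted, then the static that pre-populates the translation for the inside host so an outside-initiated ping no longer hits "No translation group found". Addresses reuse the thread's scheme (outside 172.16.10.0/24, inside 172.16.50.0/24, inside host 172.16.50.5); the mapped address 172.16.10.200 and the ACL name outside_in are constructed for illustration.

```cisco
! Added example, not from any poster in this thread. 172.16.10.200 and
! the name outside_in are constructed; the other addresses are the ones
! Dmitry posted.

! Interfaces as posted in the thread
ip address outside 172.16.10.10 255.255.255.0
ip address inside 172.16.50.1 255.255.255.0

! --- What failed: outside NAT on its own ---------------------------------
! Outside NAT (PIX 6.2+) translates the outside source address, but the
! xlate is only built once a packet is allowed through. An outside-initiated
! ping to 172.16.50.5 finds no existing translation for the inside host, so
! the PIX logs "No translation group found" and drops it.
nat (outside) 1 172.16.10.64 255.255.255.192 outside 0 0
global (inside) 1 interface

! --- Fix: pre-populate the inside host's translation with static ---------
! A static exists before any packet arrives, so an outside host that sends
! to 172.16.10.200 is translated to 172.16.50.5 in either direction.
static (inside,outside) 172.16.10.200 172.16.50.5 netmask 255.255.255.255

! Permit only what is needed from the outside (echo requests from the
! outside NAT range to the mapped host) rather than "conduit permit ip
! any any". access-list/access-group is the 6.x replacement for conduit;
! the destination is the mapped (outside-visible) address.
access-list outside_in permit icmp 172.16.10.64 255.255.255.192 host 172.16.10.200 echo
access-group outside_in in interface outside
```

With the outside NAT still in place, 172.16.50.5 sees the echo request sourced from the PIX inside interface (172.16.50.1, via `global (inside) 1 interface`), which is the "pinged by the PIX" effect Scott describes. `show xlate` should list the static before any traffic is sent; if it is absent, the static did not take, and the drop will recur. Drop the `nat (outside)` and `global (inside)` lines to get Dong Lin's plain static-plus-ACL variant, in which the inside host sees the real outside source address.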



This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:50 GMT-3