Re: PIX NAT??

From: Dong Lin (dlin22@comcast.net)
Date: Sun Jun 01 2003 - 12:14:30 GMT-3


You are right. This is a new feature in 6.2 for dynamic outside NAT. For
static outside NAT, you still use static command.

According to the RN and config guide, you should add the "outside" keyword at the end
of the nat command, like:

nat (outside) 1 0.0.0.0 0.0.0.0 outside
global (inside) 1 interface

Could this be the problem?

----- Original Message -----
From: "Scott Morris" <swm@emanon.com>
To: "'Dong Lin'" <dlin22@comcast.net>; <ccielab@groupstudy.com>
Sent: Saturday, May 31, 2003 9:55 PM
Subject: RE: PIX NAT??

> Incorrect. You can translate outside source addresses as well. In 6.2
> and later, there is an 'outside' parameter that is added to the NAT line
> (or static line) in order for you to "tell" the NAT code that you want
> to translate an outside (aka foreign) source address to something as an
> inside local. (Prior to 6.2, use the 'alias' command)
>
> Now, the concept you have below really isn't feasible, but I'm not
> entirely sure that it isn't possible! The difficulty with doing it is
> that by translating the outside world's addresses to the PIX interface
> address, you are going to DEFINITELY cut off any conversations starting
> from your inside network going to the outside world, since there would
> be no xlate or state.
>
> So, I guess what I'm trying to say is that even if logically it would
> work, that's a really ugly method of restricting things. Just use an
> ACL on your inside interface to limit outbound stuff!
>
> However, NORMAL NAT logic is exactly as Dong Lin described, which is
> translating the inside source address from a higher to lower interface,
> and the reason that most say to use static and acl/conduit has to do
> with the order of things. A connection is not possible at all if a
> translation doesn't already exist. STATIC commands will pre-populate
> the xlate table. NAT commands don't work until traffic initiates it
> (meaning outbound traffic from the inside interface). So therefore any
> traffic from the Internet (outside intf) coming in would work with NAT
> only after some traffic created the translation to begin with.
>
> Also with NAT, you don't have a forced 1:1 relationship between local and
> global addresses, so it's difficult to determine which machine on the
> inside gets assigned which IP on the outside, hence making ACL creation
> almost impossible. Statics make life much easier.
>
> Hope that helps!
>
> Scott
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Dong Lin
> Sent: Saturday, May 31, 2003 8:10 PM
> To: ccielab@groupstudy.com
> Subject: Re: PIX NAT??
>
>
> The answer to your question is no.
>
> nat and global are used to let traffic from a high security interface to
> a low security interface.
>
> You need to use static and an acl to let traffic from the outside interface
> to the inside interface (nat is performed by the static command)
>
>
> ----- Original Message -----
> From: "Michael Popovich" <michael625@cox.net>
> To: <ccielab@groupstudy.com>
> Sent: Saturday, May 31, 2003 4:19 AM
> Subject: PIX NAT??
>
>
> > Can you NAT from the Outside interface to the Inside interface?
> >
> > I have:
> >
> > nat (outside) 1 0.0.0.0 0.0.0.0
> > global (inside) 1 interface
> >
> > This doesn't seem to work for me, now I am wondering if it is
> > possible.
> >
> > MP
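
The configuration below is an added example and is not part of any message in
this thread. It puts the three mechanisms the thread discusses side by side on a
PIX 6.2 with interfaces named inside (security 100) and outside (security 0):
ordinary inside-to-outside nat/global, a static plus access-list for an inbound
server, and outside NAT with the trailing "outside" keyword. All addresses are
made up (RFC 5737 documentation ranges), and the partner network 198.51.100.0/24,
the inside server 10.1.1.80 and the global pool 10.1.1.192-10.1.1.254 are
assumptions for illustration only.

```cisco
! --- Normal NAT: inside hosts initiate to the Internet through PAT on the
! --- outside interface. No xlate exists until an inside host sends traffic.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

! --- Inbound to a published server. The static pre-populates the xlate table
! --- (203.0.113.80 <-> 10.1.1.80) so the translation exists before any packet
! --- arrives; the access-list then permits the low-to-high security flow.
static (inside,outside) 203.0.113.80 10.1.1.80 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.80 eq www
access-group outside_in in interface outside

! --- Dynamic outside NAT (6.2 and later): the trailing "outside" keyword tells
! --- the NAT code to translate the SOURCE of connections arriving on the
! --- outside interface. Here only the partner network 198.51.100.0/24 is
! --- translated, into a pool on the inside network rather than the inside
! --- interface address, so inside-initiated connections are not affected.
! --- The xlate is created only when a 198.51.100.x host starts a connection.
nat (outside) 2 198.51.100.0 255.255.255.0 outside
global (inside) 2 10.1.1.192-10.1.1.254 netmask 255.255.255.0

! --- Static outside NAT: one fixed partner host is always seen inside as
! --- 10.1.1.5. Note the reversed (outside,inside) interface pair.
static (outside,inside) 10.1.1.5 198.51.100.5 netmask 255.255.255.255
```

Even with the outside nat line in place, a partner host reaching 10.1.1.80 still
needs the static and the outside_in access-list above: outside NAT only rewrites
the source of the inbound connection, it does not by itself permit the
lower-to-higher security flow. To check what the PIX has actually built, use
show xlate (the static entries appear immediately, the dynamic ones only after
matching traffic) and show conn for the connection state.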



This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:51 GMT-3