topic PIX Bi-Directional NAT in Network Security

PIX Bi-Directional NAT

mcaissie — Fri, 21 Feb 2020 06:35:11 GMT

using PIX 6.2(2)

I am able to translate from the outside to the inside using

static (outside,inside)

but should i be able to NAT using

global (inside) 1 192.168.0.129-192.168.0.253

global (inside) 1 192.168.0.254

nat (outside) 1 0.0.0.0 0.0.0.0 0 0

i get the following errors

305005: No translation group found for icmp src outside:10.12.0.33 dst inside:172.25.16.1 (type 8, code 0)

thanks

Re: PIX Bi-Directional NAT

rj.remien — Thu, 27 Feb 2003 07:02:08 GMT

The commands used for translation in the PIX are determined by comparison of security levels:

1. If traffic travels from a low to a high security level, use static and access-list commands.

2. If traffic travels from a high to a low security level, use nat and global commands.

In your case, you need to match the correct interface with the correct command.

You need - nat (inside) 1 0 0

and - global (outside) 1 (Internet IP address or range assigned to you)

Here is a link for further info

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml.

Re: PIX Bi-Directional NAT

mcaissie — Thu, 27 Feb 2003 14:47:46 GMT

RJ, according to the link it says;

"Outside NAT

Starting with PIX 6.2, NAT and PAT can be applied to traffic from an outside, or less secure, interface to an inside (more secure) interface. This is sometimes referred to as "bi-directional NAT." "

And also

"Outside NAT/PAT is similar to inside NAT/PAT, but the address translation is applied to addresses of hosts residing on the outer (less secure) interfaces of the PIX. To configure dynamic outside NAT, specify the addresses to be translated on the less secure interface and specify the global address or addresses on the inside (more secure) interface. To configure static outside NAT, use the static command to specify the one-to-one mapping."

I am able to make the static outside nat working as shown in the example

but not the dynamic outside nat . And my question is how to make that works.

The commands you mention refers to inside nat not outside nat.

-Michel

Re: PIX Bi-Directional NAT

mostiguy — Fri, 28 Feb 2003 14:42:00 GMT

You are still backwards though. Regular NAT, where you have legitimate IPs on the outside, and RFC 1918 IPs on the inside, requires global commands on the outside int, and nat on the inside int.

Outside nat is used far less frequently, often for poorly designed networks, or to deal with poorly written applications. That said, outside nat requires the *same* rules for global and nat commands - global on outside int, nat on inside int. Outside nat, as seen in the doc, is achieved through the addition of more static commands.