https://community.cisco.com/t5/network-security/policy-nat/m-p/1119186#M895474 <P>Hi,</P><P></P><P>I have pix firewall with 7.x version. I have advertised my web/mail servers. </P><P>I am doing source base nat, I am translating all Internet traffic that is accessing the web/email server into one source</P><P>172.28.29.1.</P><P></P><P>But i am having problem. IF i do the source nat servers are not able to access Internet, though they are able to access over</P><P>the Internet. If I remove the Source NAT, they are able to published as well as can browse the Internet. I dont wana allow</P><P>any Internet source to access my server. I want to have only translated source to enter my internal network.</P><P></P><P>Below is the configuration:</P><P></P><P></P><P>access-list reverse_nat extended permit ip any host x.x.x.x</P><P>nat (outside) 5 access-list reverse_nat outside</P><P>global (inside) 5 172.28.29.1 netmask 255.255.255.255</P><P>static (inside,outside) x.x.x.x 172.1.2.3 netmask 255.255.255.255</P><P>access-list outside_acl extended permit tcp any host x.x.x.x eq www</P><P>access-list outside_acl extended permit tcp any host x.x.x.x eq http</P><P></P><P>Please help me out how to achieve this and what i m missing.</P> Mon, 11 Mar 2019 13:53:20 GMT wasiimcisco 2019-03-11T13:53:20Z https://community.cisco.com/t5/network-security/policy-nat/m-p/1119186#M895474 <P>Hi,</P><P></P><P>I have pix firewall with 7.x version. I have advertised my web/mail servers. </P><P>I am doing source base nat, I am translating all Internet traffic that is accessing the web/email server into one source</P><P>172.28.29.1.</P><P></P><P>But i am having problem. IF i do the source nat servers are not able to access Internet, though they are able to access over</P><P>the Internet. If I remove the Source NAT, they are able to published as well as can browse the Internet. I dont wana allow</P><P>any Internet source to access my server. I want to have only translated source to enter my internal network.</P><P></P><P>Below is the configuration:</P><P></P><P></P><P>access-list reverse_nat extended permit ip any host x.x.x.x</P><P>nat (outside) 5 access-list reverse_nat outside</P><P>global (inside) 5 172.28.29.1 netmask 255.255.255.255</P><P>static (inside,outside) x.x.x.x 172.1.2.3 netmask 255.255.255.255</P><P>access-list outside_acl extended permit tcp any host x.x.x.x eq www</P><P>access-list outside_acl extended permit tcp any host x.x.x.x eq http</P><P></P><P>Please help me out how to achieve this and what i m missing.</P> Mon, 11 Mar 2019 13:53:20 GMT https://community.cisco.com/t5/network-security/policy-nat/m-p/1119186#M895474 wasiimcisco 2019-03-11T13:53:20Z https://community.cisco.com/t5/network-security/policy-nat/m-p/1119187#M895475 <HTML><HEAD></HEAD><BODY><P></P><P>Let`s say server 172.1.2.3 wants to access the internet, packet goes out and hit the static translation. IP source is now x.x.x.x and destination is unchanged y.y.y.y . When responce gets back, source is y.y.y.y and destination is x.x.x.x. It hit your policy nat and your static nat. Source is now 178.28.29.1 and destination is x.x.x.x. Wont work that way...</P><P></P><P> </P></BODY></HTML> Mon, 06 Oct 2008 18:34:51 GMT https://community.cisco.com/t5/network-security/policy-nat/m-p/1119187#M895475 dominic.caron 2008-10-06T18:34:51Z https://community.cisco.com/t5/network-security/policy-nat/m-p/1119188#M895476 <HTML><HEAD></HEAD><BODY><P>Thanks for the excellent explaination. </P><P></P><P>Is there any solution or way out to achieve my goal. Both Server publishing with source nat and Internet Browsing.</P></BODY></HTML> Wed, 08 Oct 2008 11:03:26 GMT https://community.cisco.com/t5/network-security/policy-nat/m-p/1119188#M895476 wasiimcisco 2008-10-08T11:03:26Z https://community.cisco.com/t5/network-security/policy-nat/m-p/1119189#M895477 <HTML><HEAD></HEAD><BODY><P>At first glance,you could do your reverse nat with a static statement specific to the tcp port 80 and 25. This is now your everyday config and you might have some problem. </P><P></P><P>Why are you trying to reverse nat incomming connection. What kind of attack are you trying to mitigate.</P></BODY></HTML> Wed, 08 Oct 2008 11:50:02 GMT https://community.cisco.com/t5/network-security/policy-nat/m-p/1119189#M895477 dominic.caron 2008-10-08T11:50:02Z