topic Re: Reverse NAT on PIX in Network Security

Reverse NAT on PIX

aruzsinszky — Mon, 11 Mar 2019 11:50:40 GMT

Hi,

My outside network is: 10.x.y.0/24

My inside network is: 192.168.a.0/24.

The packet comes from: 172.30.b.192/29

I need port forwarding or redirecting to my inside ssh machine and I don't like seeing host route to 172.30.b.ccc over inside if. of PIX.

I tried one-to-one NAT from outside to inside but my ssh machine doesn't know anything about the MAC of NATed interface of PIX (arp who <192.168.a.d> tell ...)

What is the solution? PIX hate "static (outside,inside) <internal_IP> <my_subnet> netmask 255.255.255.240" command which is acceptable. It isn't a one-to-one relation, of course.

So what is the solution?

TIA,

Ruzsi

Re: Reverse NAT on PIX

cisco24x7 — Sun, 20 Jan 2008 03:22:58 GMT

solution is policy nat

CCIE Security

Re: Reverse NAT on PIX

aruzsinszky — Tue, 22 Jan 2008 18:23:03 GMT

Can you give me a little bit more information.

I checked policy NAT example on Cisco webpage but I don't see how will it solve my problem. 😞

TIA.

Ruzsi

Re: Reverse NAT on PIX

alanajjar — Wed, 23 Jan 2008 14:19:35 GMT

Hi,

To permit access to internal server on the inside network from outside machines, you need to define :

1- access list

2- static nat

for the access list, permit trafic from the externel host to the outside interface, and speify the port number, for this case ssh port =22

for the static nat, permit traffic from outside interface to the inside server, on the specified port number.

for your case, the access list will be

access-list out_in permit tcp 172.30.b.192 255.255.255.248 interface outside eq 22

and the static nat will be

static(inside,outside) tcp interface 22 192.168.1.1 22

where 192.168.1.1 is the inside ssh server.

regards

Re: Reverse NAT on PIX

aruzsinszky — Wed, 23 Jan 2008 16:35:42 GMT

Hi,

I solved my problem (it seems good with one IP translate now and I'll extend for the whole IP subnet what we use):

access-list acl_out remark Default rule - From Internet to Linux_ssh_server SSH port

access-list acl_out permit tcp OUTSIDE_VPN_Inet 255.255.255.240 interface outside eq ssh log

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface ssh ssh netmask 255.255.255.255 0 0

static (outside,inside) netmask 255.255.255.255 0 0

access-group acl_out in interface outside

access-group acl_in in interface inside

and proxyarp is switched on!

What's your opinion?

TIA,

Ruzsi