New PIX nat outside keyword in V 6.2

sandow
Level 1

Has anyone successfully used this? I had an idea to use it, in combination with global (inside) interface and a static statement to allow a router outside a firewall to pass RIPv2 md5 updates using neighbor statements to routers on the inside of the firewall. Essentially the neighbor becomes the outside address defined in the static statement, and the inside address in the static statement is the address of the inside router interface. That takes care of the destination address of the unicast RIP packet. However, the inside router ignores it because the source address is still the real outside router address (not on the same subnet).

So I installed

nat (outside) 2 <outside router address and mask> outside

global (inside) 2 interface

This worked exactly as I had hoped, and translated the source address of the outside router's RIP updates to the inside interface of the PIX. The inside router then installs the routes in its table using the inside address of the PIX as the nexthop. Debugs and packet traces confirm behavior. So far so good.

However, in doing the above, nat (inside) appears to break. I have a generic nat (inside) config, like:

nat (inside) 1 0 0

global (outside) 1 interface

Without the nat (outside) command, I can ping and make normal connections outbound. When the nat (outside) command is installed, pings and connection attempts don't make it outbound through the firewall anymore. Debug packet inside on the firewall confirms the packets are arriving at the inbound interface, but debug ip packet on the outside router confirms the packets are not making it through the PIX.

Does anyone have a working configuration for this, where nat works in both directions? Thanks.
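For readers trying to follow the address juggling above, here is a reconstruction of the whole setup as one configuration. It is an added example, not the poster's configuration: all addresses, interface names and the access-list name are constructed, and it only covers the direction the post describes (outside router sending unicast RIPv2 updates inward). The access-list entry is included because PIX 6.2 still needs inbound traffic to a static explicitly permitted; the show commands at the end are the checks a practitioner would run to confirm which translation each packet actually hit.

```text
! ---- PIX 6.2 (constructed addresses) ----
! outside 193.1.1.2/24, inside 192.168.1.1/24
! outside router: 193.1.1.1, inside router: 192.168.1.10
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 193.1.1.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

! Normal outbound PAT for the inside network (the part that stops working
! once the nat (outside) line below is added, per the post)
nat (inside) 1 0 0
global (outside) 1 interface

! Inside router is reachable from outside as 193.1.1.10; this is the
! address the outside router names in its RIP neighbor statement
static (inside,outside) 193.1.1.10 192.168.1.10 netmask 255.255.255.255

! Permit only the outside router's unicast RIP (UDP 520) to the static
access-list outside_in permit udp host 193.1.1.1 host 193.1.1.10 eq 520
access-group outside_in in interface outside

! Translate the outside router's source address to the PIX inside interface
! so the inside router sees a same-subnet neighbor (192.168.1.1)
nat (outside) 2 193.1.1.1 255.255.255.255 outside
global (inside) 2 interface

! ---- outside router (IOS, constructed) ----
key chain RIPKEYS
 key 1
  key-string <shared-secret-placeholder>
interface Ethernet0
 ip address 193.1.1.1 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain RIPKEYS
router rip
 version 2
 network 193.1.1.0
 neighbor 193.1.1.10

! ---- inside router (IOS, constructed) ----
key chain RIPKEYS
 key 1
  key-string <shared-secret-placeholder>
interface Ethernet0
 ip address 192.168.1.10 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain RIPKEYS
router rip
 version 2
 network 192.168.1.0

! ---- verification on the PIX ----
! show xlate        : one entry 193.1.1.1 -> 192.168.1.1 (outside policy),
!                     plus the static; inside hosts should also get a
!                     PAT entry on 193.1.1.2 when they go outbound
! show conn         : UDP 520 connection from 192.168.1.1 to 192.168.1.10
! debug packet inside / debug packet outside : confirm which interface
!                     an outbound packet stops at
```

The expected outcome on the inside router is exactly what the post reports: routes learned from the outside router with next hop 192.168.1.1, so the PIX inside interface must forward for those prefixes. If outbound traffic from 192.168.1.0/24 disappears after the `nat (outside)` line is added, `show xlate` is the first place to look, since it shows whether inside hosts are still being assigned the id 1 PAT translation or are being matched by something else.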

1 Reply

j-barrett
Level 1

I believe the alias command will solve this. Because as well as changing the destination address when going from inside to outside it also changes the source address for packets coming from outside to inside. So use "alias (inside) 192.168.1.1 193.1.1.1" where 192.168.1.1 is your outside router interface alias address and 193.1.1.1 is your outside router interface real address.
