Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
620
Views
0
Helpful
3
Replies

PIX Bi-Directional NAT

mcaissie
Level 1
Level 1

‎02-26-2003 10:08 AM - edited ‎02-20-2020 10:35 PM

Hi

using PIX 6.2(2)

I am able to translate from the outside to the inside using

static (outside,inside)

but should i be able to NAT using

global (inside) 1 192.168.0.129-192.168.0.253

global (inside) 1 192.168.0.254

nat (outside) 1 0.0.0.0 0.0.0.0 0 0

i get the following errors

305005: No translation group found for icmp src outside:10.12.0.33 dst inside:172.25.16.1 (type 8, code 0)

thanks

0 Helpful
3 Replies 3

rj.remien
Level 1
Level 1

‎02-26-2003 11:02 PM

The commands used for translation in the PIX are determined by comparison of security levels:

1. If traffic travels from a low to a high security level, use static and access-list commands.

2. If traffic travels from a high to a low security level, use nat and global commands.

In your case, you need to match the correct interface with the correct command.

You need - nat (inside) 1 0 0

and - global (outside) 1 (Internet IP address or range assigned to you)

Here is a link for further info

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml.

RJ

0 Helpful

mcaissie
Level 1
Level 1
In response to rj.remien

‎02-27-2003 06:47 AM

RJ, according to the link it says;

"Outside NAT

Starting with PIX 6.2, NAT and PAT can be applied to traffic from an outside, or less secure, interface to an inside (more secure) interface. This is sometimes referred to as "bi-directional NAT." "

And also

"Outside NAT/PAT is similar to inside NAT/PAT, but the address translation is applied to addresses of hosts residing on the outer (less secure) interfaces of the PIX. To configure dynamic outside NAT, specify the addresses to be translated on the less secure interface and specify the global address or addresses on the inside (more secure) interface. To configure static outside NAT, use the static command to specify the one-to-one mapping."

I am able to make the static outside nat working as shown in the example

but not the dynamic outside nat . And my question is how to make that works.

The commands you mention refers to inside nat not outside nat.

-Michel

0 Helpful

mostiguy
Level 6
Level 6
In response to mcaissie

‎02-28-2003 06:42 AM

You are still backwards though. Regular NAT, where you have legitimate IPs on the outside, and RFC 1918 IPs on the inside, requires global commands on the outside int, and nat on the inside int.

Outside nat is used far less frequently, often for poorly designed networks, or to deal with poorly written applications. That said, outside nat requires the *same* rules for global and nat commands - global on outside int, nat on inside int. Outside nat, as seen in the doc, is achieved through the addition of more static commands.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card