Port Redirection (Forwarding) from Inside to Outside

packet_loss

Dear All,

I have a requirement to configure a PIX.

It is a 515E with 6.3(5) software loaded.

We are connecting to a 3rd party via the Firewall.

It has 1 inside and 1 outside interface configured.

The requirement is that our internal hosts connect to an IP/Port combination on an inside-routable address and the PIX re-forwards the traffic to the outside host.

All documentation mentions configuring Outside (Internet) hosts so they can connect to an Outside IP/Port combination, but not the reverse.

Why am I doing this?

Because the external 3rd party have an IP address range which we are not allowed to route internally.

Is this possible?

Any comments gratefully received!!

20 Replies

Hi Sundar

Didn't have access to a firewall to test so wasn't sure why it was not working for Craig.

Can you confirm that the inside IP address of the PIX is in the 192.168.5.x range? If so then it looks like it should work after all. As I say, I have always used a separate subnet for this sort of thing from inside to outside.

Thanks for testing this out Sundar.

Jon

Not a problem Jon.

The inside host address is 192.168.5.10 and that's the same subnet as inside interface of the PIX itself. Actually, I configured two routers to be inside/outside host and enabled ICMP debugs on the outside router to make sure it wasn't the PIX that was sending proxy ARP replies to the inside host.

I am starting to wonder whether Craig may have to enable proxy ARP on the inside interface for this to work. I guess it wouldn't be a bad idea to try configuring 'no sysopt noproxyarp inside' and test.

HTH

Sundar

Sundar / Jon,

Once again, a big thank-you for your continued support - it is most appreciated.

I am running a 515e but with 6.3(5) software - so your lab is not using the same code.

Could there be a difference in NAT Order of Operation between 6.x and 7.x?

As this is in a remote site (in Africa) sadly there is no Infrastructure to create another VLAN & IP address range.

Is there a way to disable IP routing?

If the packets are arriving at the PIX and displayed by debug packet then I assume Proxy ARP is working correctly?

Fixed!!

The following lines were required;

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
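For readers landing on this thread later, here is the complete picture the posts above add up to, written as an added example rather than any poster's actual configuration. It uses PIX 6.3 syntax and assumed addresses (RFC 5737 documentation space for the third party, a made-up alias on the inside subnet); only the two source-NAT lines and the proxy-ARP command come from the thread itself.

```cisco
! Added example - assumed topology, not the original poster's config:
!   inside interface 192.168.5.1/24, internal hosts on 192.168.5.0/24
!   third party's real server 203.0.113.25 (a range we may not route internally)
!   inside-routable alias for it: 192.168.5.200 (same subnet as the inside interface)

! 1. Destination NAT ("outside NAT", supported from PIX 6.2): present the external
!    server as 192.168.5.200 on the inside. Syntax is
!    static (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port netmask mask
static (outside,inside) tcp 192.168.5.200 443 203.0.113.25 443 netmask 255.255.255.255 0 0

! 2. Source NAT - the piece this thread was missing. Without it the PIX has no
!    translation for the inside host's own address and drops the flow.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! 3. The alias sits on the inside subnet, so the PIX must answer ARP for it.
!    Proxy ARP is on by default; this line only matters if it was disabled earlier.
no sysopt noproxyarp inside
```

To verify, connect from an inside host to 192.168.5.200:443 and check `show xlate` on the PIX: you should see both the static translation for 203.0.113.25 and a PAT entry for the inside host's source address. If only the static entry appears, the source-NAT pair in step 2 is what is missing. Keep the static narrowed to the single TCP port in use rather than a whole-host static, so the inside alias exposes nothing more of the third party than the service actually required.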

Oh for crying out loud :-)

Well done Craig, we were all so busy worrying about how to NAT a destination address that we completely overlooked the NAT on the source IP addresses !!

I should have spotted that and although I don't want to speak for Sundar I think he will feel the same :)

Thanks for letting us know Craig

Jon

networking11

Hi, your issue is of great use to my project consideration.
