problem with dynamic outside nat on pix

sebastan_bach · ‎02-26-2006

i have a pix connected with two interface .on the inside interface i have a host 1.1.1.2 and on the outside i have a host 2.1.1.2. i have configured outside dynamic nat which deosn't work here's my config

nat (outside) 1 2.1.1.2 255.255.255.255 outside

global (inside) 1 interface

pix inside interface 1.1.1.1

pix outside interfaec 2.1.1.1

access-list 101 permit ip any any

access-group 101 in interface outside

pls help what is the problem out here

sebastan

fzamora · ‎02-26-2006

You are missing the rule that will allow the outside user to access the host located on the trusted network.

static (inside,outside) 1.1.1.2 1.1.1.2 netmask 255.255.255.255

The I stronly recommend to use outside NAT with a static translation as well

static (outside,inside) X 2.1.1.2 netmask 255.255.255.255 outside

If you still want to use nat/global you will need to specify the traffic that is going to be translated from outside to inside (use ACLs) and the traffic that is not going to be translated as well; otherwise, translations from traffic going inside -->>outside are gonna be broken

Franco Zamora

sebastan_bach · ‎02-26-2006

hi frnaco thanks for ur detailed explanation.as perur explanation it means that when i want to implement a dynamic outside nat there has to be a static (inside,outside) am i right. i think cause when the packet from the outside host reaches on the outside interface for a destination the pix requires a translation table for the destination which is not present because of which packets are getting dropped.so it possibel that i want to configure a entire subnet with dynamic outside nat is it possible. say in this same scenario i change the nat statement from a single host to a subnet

nat (outside) 1 2.1.1.0 255.255.255.0 outside

is it possible pls help me on this franco. see ya

thanks once again

sebastan