Solved: Problems creating a NAT form an outside to an inside network on the PIX

orangel · ‎05-23-2003

I need to create a NAT for an outside address to the inside I am not able to create the static for it.

I have an external host with a 10.x.x.x address that want to translate on the inside to 172.x.x.x adress, using the PIX with the static command It does not allow it.

The syntax I am trying to use is:

Static (outside,inside) 172.1.1.9 10.1.1.10 netmask 255.255.255.255

but the pix sends the next error:

outside 0 has a lower security value than inside 100

I do not have another device between the host and the PIX and so I am limited to use the PIX for this purpose.

What else can I do?

mhoda · ‎05-23-2003

Hi,

This feature is called bi-directional NAT. This was first introduced into 6.2 code. The earlier code doesn't have this feature, Sorry ! So, if this needs to be done on the PIX, then you need to have version 6.2 code. What you are trying is right, but its your code that is not allowing you to do that.

Here is the link that talks about when this feature was introduced.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/relnotes/pixrn621.htm#1249308

I hope this helps ! Thanks,

Mynul

View solution in original post

jmia · ‎05-23-2003

Hi Oliver -

Try this,

> static (inside,outside) netmask 255.255.255.255

Also, have a read of the following document for reference:

http://www.cisco.com/warp/public/707/28.html

Hope this helps --

orangel · ‎05-23-2003

Hi.

The PIX have a previus version to 6.2, the version for the pix is 5.1(4)

is it possible to configure the outside nat to inside or is there a similar bi-directional nat, on a version previous to 6.2?

tanks

jmia · ‎05-23-2003

Hello Oliver -

Okay, I didn't know that you had version 5.1(4), and ofcourse I gave you a 6.2 version example. Well in your case with v5.1 you'll need to use static with conduit to achive your goal.

On a side note - If you want to read up on pix etc, I'd recommend a very good book by David W. Chapman Jr. and Andy Fox - Cisco Secure Pix Firewalls from cisco press, www.ciscopress.com, ISBN - 1-58705-035-8,

Also, here is a world renowned expert ( and I used his papers on verious problems ) for expert advice from Dr Peter J. Welcher :

http://www.netcraftsmen.net/welcher/papers/pix01.html

Hope this helps and let me know how you get on --

orangel · ‎05-23-2003

I need to translate one IP address from the outside network into an inside network address, but I don't understand how could it work with a static and a conduit.

Please tell me how is this possible or if you have another alternate solution with version 5.1

Thanks.

mhoda · ‎05-23-2003

Hi,

This feature is called bi-directional NAT. This was first introduced into 6.2 code. The earlier code doesn't have this feature, Sorry ! So, if this needs to be done on the PIX, then you need to have version 6.2 code. What you are trying is right, but its your code that is not allowing you to do that.

Here is the link that talks about when this feature was introduced.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/relnotes/pixrn621.htm#1249308

I hope this helps ! Thanks,

Mynul

orangel · ‎05-26-2003

Hi. Mynul

Tanks for your help.