Traverse from inside to outside public IP

blamerson
Level 1

I'm trying to traverse from my inside private IP address (10.x.x.x) to my public IP address translation (172.16.x.x) in order to take advantage of the ACLs that are already applied on my outside interface.  For example:

Host 10.0.0.1, translated to PAT pool

Server 10.0.0.5, translated to 172.16.0.1

Inside-out access-list permits ip any any

Outside-in access-list permits tcp any 172.16.0.1/32 eq 80

From my inside host, I can get to 10.0.0.5:80.  I can get out to the internet.  External hosts can successfully get to 172.16.0.1:80 (address scheme is theoretical).  I can do everything except connect to 172.16.0.1:80 (the translated public IP address) from my inside host address.  I did not set up this firewall originally, but I can't see a blatant command that makes this not work.  I don't see an ACL rule matched, so I'm assuming this is an issue with NAT or some sort of security policy, but can someone point me in the right direction?  I'm running a PIX 535 w/ 8.0.4.  The response I got from Cisco was "create static (inside,inside) translations for every host", but that's over 300 hosts.  I have a friend running the same software set and his works as expected without these static (inside,inside) NATs.  Thanks for any help!

Brian

2 Replies

varrao
Level 10

Hi Buddy,

Please try the below configuration:

static (inside,inside) 172.16.0.1 10.0.0.5 norandomseq nailed

sysopt noproxyarp inside

same-security-traffic permit intra-interface

nat (inside) 10 0 0

global (inside) 10 interface

Apply these commands and it should work after that.


Do let me know.

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun.  This command will work on a one-to-one server basis, but my issue is that I have about 300 servers that I need static translations for, and while I can create these translations, it's a bit more administrative overhead than I wanted, especially going forward with adds/moves/changes.  Additionally, these servers are in about 40 different subnets and have no logical order.

I know that it's possible to traverse the firewall as expected without a "static (inside,inside)" command, I just don't know how to accomplish it.  I have a friend who states that he can accomplish this with his firewall in a similar configuration with 8.0.4, but he's less than willing to provide a full copy of his firewall rules.  I've had him review my configuration for a glaring issue/difference, but nothing has been noted.  Thanks for the help though!
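An annotated version of the inside-to-inside ("hairpin") translation discussed in this thread, added here as an illustration; it is not configuration posted by either participant or supplied by Cisco. It uses the thread's theoretical addresses (host 10.0.0.1, server 10.0.0.5 published as 172.16.0.1) and explains what each statement contributes. The network static at the end is an assumed extension for the case where a contiguous block of real servers maps to a contiguous block of mapped addresses; it does not remove the one-line-per-server requirement where the mappings are scattered across unrelated subnets, as described above.

```cisco
! Existing outside publication of the server (from the original post):
! outside hosts reach 10.0.0.5 as 172.16.0.1.  Unchanged.
static (inside,outside) 172.16.0.1 10.0.0.5 netmask 255.255.255.255
!
! Allow a flow that enters on "inside" to leave on "inside" again.
! Without this, traffic between two hosts on the same interface is dropped.
same-security-traffic permit intra-interface
!
! Do not answer ARP on the inside interface for mapped addresses.
! Matters when a mapped address falls inside an inside-facing subnet;
! included in the reply above and harmless otherwise.
sysopt noproxyarp inside
!
! Dynamic PAT for the hairpinned flow: the client source (10.0.0.1) is
! rewritten to the inside interface address, so the server's replies are
! forced back through the firewall instead of going straight to the
! client and bypassing the connection state the firewall built.
nat (inside) 10 0.0.0.0 0.0.0.0
global (inside) 10 interface
!
! Destination translation for the hairpin: an inside host sending to
! 172.16.0.1 is rewritten to 10.0.0.5.  One line per published server.
static (inside,inside) 172.16.0.1 10.0.0.5 netmask 255.255.255.255
!
! Assumed extension (hypothetical ranges, not from the thread): where real
! and mapped addresses are contiguous, one network static covers the block.
! static (inside,inside) 172.16.1.0 10.0.1.0 netmask 255.255.255.0
!
! Check: after a test connection from 10.0.0.1 to 172.16.0.1:80, the
! translation table should show the static entry and the PAT entry.
! show xlate
```

The outside-in ACL on the outside interface is not consulted for this flow; the hairpinned connection enters and leaves on inside, so only the inside ACL (permit ip any any in the original post) applies to it.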
