05-30-2006 03:36 PM - edited 03-09-2019 03:04 PM
I need to telnet from the public Internet into a box that is sitting behind a PIX and is using a private IP address. I have already used NAT to translate an available public IP to the internal/private IP of this box. However, the problem is that this box does not have the routing set up to properly reply to clients connecting to it from a source IP on the public Internet. Is there a way that I can somehow make clients with public Internet addresses look like they are being sourced from a private address? In this way the box would be responding to a private IP instead of the true source, which is not reachable.
Thanks,
Diego
05-30-2006 04:16 PM
A VPN would work as you describe.
A static NAT should also work.
Post your config, I bet someone here can debug it for ya.
Good Luck
Scott
05-30-2006 10:08 PM
Hi,
If you want the clients connecting with public Internet addresses to look as if they are being sourced from a private address, consider reverse NATting or outside NAT.
The box will be able to reply as if the request were coming from private addresses.
Check this out and see how outside NAT works.
Hope this helps you out.
05-30-2006 10:41 PM
Hi .. in order to do that, apart from your static instruction, you need to add an outside NAT instruction:
nat (outside) 5 access-list TEST outside
global (inside) 5 interface
access-list TEST permit tcp any host x.x.x.x eq telnet
The above instructions will cause the external hosts to appear as if they were sourced from the inside interface of the PIX when connecting to public IP x.x.x.x.
I hope it helps .. please rate it if it does!!!
06-05-2006 06:38 PM
This certainly seems to be what I want to do, and it jibes with the documentation suggested in the previous post. However, as soon as I apply the nat (outside) command it totally breaks all my outbound traffic that is being "natted inside". I thought that it might have to do with the ACL that I was using, but even when I used a totally bogus ACL like:
access-list BOGUS permit tcp host 1.1.1.1 host 2.2.2.2 eq 999
it still broke my inside NAT. What's worse, since I couldn't get outside anymore, I couldn't even check if the outside NAT stuff was working. When I did a "show xlate" the xlate table looked OK, but no traffic passed to inside hosts.
Any ideas?
Thanks,
Diego
08-16-2006 11:17 AM
I'm running into this same problem of 'Outside NAT' breaking the 'Inside NAT'.
305011: Built dynamic UDP translation from inside:192.168.1.2/3738 to outside:10.61.147.123/1084
305005: No translation group found for udp src inside:192.168.1.2/3738 dst outside:10.61.147.109/53
305011: Built dynamic UDP translation from inside:192.168.1.2/3739 to outside:10.61.147.123/1085
305005: No translation group found for udp src inside:192.168.1.2/3739 dst outside:10.61.147.108/53
305011: Built dynamic UDP translation from inside:192.168.1.2/3740 to outside:10.61.147.123/1086
305005: No translation group found for udp src inside:192.168.1.2/3740 dst outside:10.61.147.108/53
I tried adding explicit hosts to my inside NAT table, but it still didn't help. All outbound traffic was blocked.
Anyone care to comment? The config I used is as follows:
static (inside,outside) tcp interface 2222 192.168.1.100 22
access-list nat5 permit tcp any interface outside eq 2222
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (outside) 5 access-list nat5 outside
global (inside) 5 interface
global (outside) 1 interface
-Joshua
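Pulling the pieces of this thread together, as an added example that is not any poster's configuration: a PIX 6.3-style config with the inbound static, the outside NAT that rewrites Internet sources to the PIX inside interface address, ordinary outbound PAT, and an identity entry for the remaining outside hosts. All addresses (203.0.113.10 as the public address, 10.1.1.0/24 inside, 10.1.1.10 as the telnet box), the ACL names and the nat/global IDs are assumptions. The last block is the usual remedy for the 305005 "No translation group found" drops reported above: once outside NAT is enabled on an interface, the PIX also needs a translation entry for the outside-side address of each connection, and outside hosts not covered by the outside NAT ACL have none. Verify the exact nat 0 syntax against your software release.

```cisco
! Added example, not from any post in this thread. Addresses, names and IDs are assumptions.
!
! 1. Inbound destination NAT: public 203.0.113.10 -> telnet box 10.1.1.10
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
!
! 2. Permit the inbound telnet session on the outside interface
access-list OUTSIDE_IN permit tcp any host 203.0.113.10 eq telnet
access-group OUTSIDE_IN in interface outside
!
! 3. Outside (source) NAT: any Internet host that connects to the telnet box
!    is rewritten to the PIX inside interface address, so the box replies
!    to a private address it can route to
access-list OUTSIDE_NAT permit tcp any host 203.0.113.10 eq telnet
nat (outside) 5 access-list OUTSIDE_NAT outside
global (inside) 5 interface
!
! 4. Ordinary outbound PAT for the inside network
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! 5. With outside NAT enabled on the interface, every outside address a
!    connection touches needs a translation entry; identity NAT covers the
!    outside hosts that step 3 does not match (otherwise outbound sessions
!    fail with %PIX-3-305005 "No translation group found", as in the log above)
nat (outside) 0 0.0.0.0 0.0.0.0 outside
```

Keep the outside NAT ACL as narrow as the inbound service (here, telnet to the one public address): anything it matches is presented to inside hosts with the PIX inside interface as its source, which hides the real client address from the box's own logs and any host-based filtering on it.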
05-31-2006 12:15 AM
Hello,
The first information I would try to get is:
which networks are routed towards the PIX from the "telnet box" perspective. I wonder what prevents the box from accessing the Internet? Is there no default gateway?
If no networks are routed towards the PIX, the box is inaccessible from the Internet through this PIX. End of story.
If only a private network (e.g. 10.1.1.0/24) is routed towards the PIX, you have the option of setting up a VPN to the PIX and assigning an IP out of 10.1.1.0/24 to your VPN client. Or you set up source NAT, i.e. your Internet IP should be translated to an IP out of 10.1.1.0/24, in addition to destination NAT, which you have already established as far as I understand.
Hope this helps! Please rate all posts.
Regards, Martin