
Binding inside nat statement to outermost interface ERROR

mactej6228
Level 1

Hello Everyone,

I am having a problem w/ my PIX501 w/ "Cisco PIX Firewall Version 6.3(4)". Upon issuing the command I get this WARNING. Is this normal? Because it works perfectly fine in version 7.2(2).

THE ERROR:

PIX1(config)# nat (outside) 1 222.127.244.52 255.255.255.252

WARNING:  Binding inside nat statement to outermost interface.

WARNING:  Keyword "outside" is probably missing.

REFERENCE:

PIX1# sh nameif

nameif ethernet0 outside security0

nameif ethernet1 inside security100


2 Replies

Jouni Forss
VIP Alumni

Hi,

What is this NAT setup's purpose? Though we can't see the matching ID 1 "global" statements in this case.

I think the PIX is expecting the parameter "outside" (doesn't mean the "outside" interface's name)

The command should therefore probably be

nat (outside) 1 222.127.244.52 255.255.255.252 outside

But I am not sure what you are configuring this NAT for.

- Jouni

Also,

Here is information about the "outside" parameter from the PIX 6.3 command reference

outside

If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside. This feature is called outside NAT or bidirectional NAT.

Note: Starting with PIX Firewall 6.3.2, source translation is performed before destination translation. For this reason, if the source NAT policy allows the connection, the xlate will be created, even if the traffic is denied by the destination policy.

Source:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1032129

Remember to mark the reply as the correct answer and/or rate helpful answers

- Jouni
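The rule quoted from the PIX 6.3 command reference can be checked against a saved configuration before it is pasted into the firewall. The following is an added example, not part of the original thread or of any Cisco tool: the function name `missing_outside` is hypothetical, and the `global` statements and the 192.168.1.200 and 10.0.0.0 addresses in the sample are constructed, since the thread never shows the matching `global` lines.

```python
import re

NAMEIF = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
NAT = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(.*)$")
GLOBAL = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+")

# Constructed sample: nameif lines and the first nat line are from the thread,
# the global lines and the second nat line are assumptions for illustration.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
global (inside) 1 192.168.1.200
nat (outside) 1 222.127.244.52 255.255.255.252
nat (inside) 2 10.0.0.0 255.255.255.0
global (outside) 2 interface
"""

def missing_outside(config):
    """Return nat lines that need the 'outside' keyword but do not have it."""
    levels, nats, globals_by_id = {}, [], {}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := NAMEIF.match(line):
            levels[m.group(1)] = int(m.group(2))      # interface name -> security level
        elif m := NAT.match(line):
            nats.append((line, m.group(1), m.group(2), m.group(3).split()))
        elif m := GLOBAL.match(line):
            globals_by_id.setdefault(m.group(2), []).append(m.group(1))

    findings = []
    for line, ifc, nat_id, args in nats:
        if "outside" in args or ifc not in levels:
            continue
        # Command reference rule: the nat interface has a lower security level
        # than the interface of a global statement with the same NAT ID.
        if any(levels.get(g, -1) > levels[ifc] for g in globals_by_id.get(nat_id, [])):
            findings.append(line)
    return findings

if __name__ == "__main__":
    for line in missing_outside(SAMPLE_CONFIG):
        print("needs 'outside' keyword:", line)
```

The ordinary inside-to-outside pair with NAT ID 2 is not reported, because its `nat` interface is the more secure one.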