Re: [fw-wiz] static nat for inside returning traffic
- From: Chris Myers <clmmacunix@xxxxxxxxxxx>
- Date: Tue, 20 Nov 2007 17:21:18 -0600
Either way, NAPT or NAT, you need a static NAT from a routable IP
address in your outside interface subnet to an internal IP address,
if it is part of RFC1918, for 1:1 NAT. You will need an ACL on the
outside pointed to the <external routable IP> from whatever. This is
only for connections initiated by outside hosts to this host. The NAPT
would add the port in the static policy. The all-0's route (default
route) will take care of the outbound-initiated access for your inside
host. No need to put a route in for any hosts on the Internet, and
your global nat policy will do the outbound NAT for your inside host
going anywhere (many-to-one NAT).
access-list foo permit tcp any host <external routable IP> eq <whatever port>
(The 'any' in this ACL can be a host as well; use: host <internet IP>.)
static (inside,outside) <external routable IP> <internal rfc 1918 addr> netmask 255.255.255.255
Just in case: if your inside host is on a routable IP subnet (and paid
for), you don't need NAT and you can put an outside ACL pointed directly
to the routable host on the inside. I am assuming you have a subnet in
the RFC1918 space.
Hope this clarifies it.
Thanks
Chris
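As an added illustration of the static-plus-ACL rule Chris describes above (example code written for this page, not Cisco's code or anything posted to the list): a toy Python model of how a PIX 6.3-style outside interface treats outside-initiated versus inside-initiated connections. The addresses (203.0.113.0/24 as the outside subnet, 192.168.1.0/24 inside, 198.51.100.x as Internet hosts), the class names and the hypothetical `Pix` API are constructed for the example; the model only consults static translations on the inbound path and ignores connection state, so it reproduces the allow/deny outcome of the three configurations, not the PIX's full packet path.

```python
"""Toy model of PIX 6.3-style NAT/ACL handling (constructed example, not Cisco code).

Demonstrates why an outside-initiated connection to a routable global IP
needs (1) a permit in the outside ACL and (2) a static translation for the
INSIDE host, while inside-initiated traffic rides the many-to-one nat/global
pair and needs neither.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Static:
    """static (inside,outside) <global_ip> <local_ip> [port]; port=None is 1:1 NAT, else NAPT."""
    global_ip: str
    local_ip: str
    port: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    """access-list <name> permit <proto> <src> host <dst> eq <dport>; src 'any' matches all."""
    proto: str
    src: str
    dst: str      # the global (outside) address, as the outside ACL sees it
    dport: int


@dataclass
class Pix:
    """Hypothetical firewall model: one global PAT address, statics, and an outside ACL."""
    outside_ip: str                                   # address used by many-to-one PAT
    statics: List[Static] = field(default_factory=list)
    outside_acl: List[AclEntry] = field(default_factory=list)
    xlate: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    next_pat_port: int = 1024                         # constructed starting PAT port

    def acl_permits(self, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
        """First matching permit wins; an ACL ends with an implicit deny."""
        for e in self.outside_acl:
            if (e.proto == proto and e.dst == dst_ip and e.dport == dport
                    and e.src in ("any", src_ip)):
                return True
        return False

    def outbound(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Inside-initiated: a matching static keeps its global IP, else dynamic PAT."""
        for s in self.statics:
            if s.local_ip == src_ip and (s.port is None or s.port == src_port):
                key = (s.global_ip, src_port)
                break
        else:
            key = (self.outside_ip, self.next_pat_port)
            self.next_pat_port += 1
        self.xlate[key] = (src_ip, src_port)          # what the Internet sees
        return key

    def inbound(self, src_ip: str, dst_ip: str, dst_port: int,
                proto: str = "tcp") -> Tuple[bool, str]:
        """Outside-initiated: outside ACL first, then a static slot for the global IP."""
        if not self.acl_permits(proto, src_ip, dst_ip, dst_port):
            return (False, "denied by outside ACL")
        for s in self.statics:
            if s.global_ip == dst_ip and (s.port is None or s.port == dst_port):
                return (True, s.local_ip)             # forwarded to the inside host
        return (False, "no static translation for " + dst_ip)


def scenario() -> Dict[str, Tuple]:
    """Walk through the thread's situation: ACL only, then 1:1 static, then NAPT."""
    pix = Pix(outside_ip="203.0.113.1",
              outside_acl=[AclEntry("tcp", "any", "203.0.113.10", 22),
                           AclEntry("tcp", "198.51.100.7", "203.0.113.11", 80)])
    results = {}
    # ACL permit present but no static for the inside host: silently no connection
    results["acl_only"] = pix.inbound("198.51.100.7", "203.0.113.10", 22)
    # 1:1 static for the inside host fixes it (what worked for Sean)
    pix.statics.append(Static("203.0.113.10", "192.168.1.10"))
    results["one_to_one"] = pix.inbound("198.51.100.7", "203.0.113.10", 22)
    results["one_to_one_other_port"] = pix.inbound("198.51.100.7", "203.0.113.10", 443)
    # NAPT static: only port 80 of the second global IP reaches the inside host
    pix.statics.append(Static("203.0.113.11", "192.168.1.30", port=80))
    results["napt"] = pix.inbound("198.51.100.7", "203.0.113.11", 80)
    results["napt_other_src"] = pix.inbound("198.51.100.8", "203.0.113.11", 80)
    # Outbound needs no static: many-to-one PAT; a host with a static keeps its global IP
    results["out_pat"] = pix.outbound("192.168.1.20", 5555)
    results["out_static"] = pix.outbound("192.168.1.10", 5556)
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:24s} {outcome}")
```

The "acl_only" case is the one from the original question: the ACL permit alone produces no log entry in this model and no connection, because there is no translation slot for the global address until a static for the inside host exists.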
On Nov 14, 2007, at 12:43 PM, Robert Fenech wrote:
Hi Sean,
I might be wrong, but if you want to connect to an internal host from
an external source you have to configure your PIX with static NAT and
create appropriate access-rule entries. Hiding your internal host
behind the PIX's external interface IP, or any other global IP (PAT)
for that matter, would not work.
However, one thing you can do is port forwarding, whereby connections
originating from an external source destined to the PIX's external
interface IP (or any other global IP) on a specific port are forwarded
to a specific internal host.
On Nov 14, 2007 12:45 AM, Shahin Ansari <zohal52@xxxxxxxxx> wrote:
Greetings,
I came across an issue which I cannot explain and need your help
please.
I was trying to provide access to an inside host from outside. I put
in a 1:1 static nat for the outside host, made sure there is a route
for both hosts, and updated the outside interface access-list. But
there was no connection. I also did not see any message in the logs.
Just fyi, this was a pix platform running 6.3(x). What seems to have
fixed the issue was a static for the inside host, which I did not
think I needed since there is a default nat statement on my inside
interface translating everything to a global address. Any thoughts?
Sean
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards