Starting from PIX 6.2, NAT and PAT can also be applied to traffic arriving on the outside interface, that is, traffic from a low-security interface to a high-security interface. This function is also called "bidirectional NAT (bi-directional NAT)". Outside NAT/PAT works the same way as inside NAT/PAT, except that it translates the addresses of hosts on the PIX outside or low-security interface. To configure dynamic outside NAT, specify the addresses to be translated on the low-security interface and the global address or address pool on the high-security interface. To configure static outside NAT, use the static command to specify a one-to-one mapping.

After outside NAT is configured, when a packet arrives on the outside or low-security interface, the PIX first tries to locate an existing xlate (address translation entry) in the connection database. If no xlate exists, the PIX searches the NAT policy in the running configuration. Once a matching policy is found, an xlate is created and inserted into the connection database. The PIX then rewrites the source address of the packet with the static mapping or with an address from the global pool and forwards it to the inside interface. Once the xlate exists, subsequent packets are translated quickly by consulting that entry instead of re-evaluating the policy.
Next we will go through a sample outside NAT configuration.
9.1 Network Topology
In this example, we want to achieve the following:

- 10.100.1.2 is translated to 209.165.202.135 when going out.
- 209.165.202.129 is translated to 10.100.1.3 when coming in.
- Other hosts in 10.100.1.0/24 are translated to addresses in the pool 209.165.202.140-209.165.202.141 when going out.
- A connection from 209.165.202.129 to 10.100.1.2 appears on the outside as 209.165.202.129 to 209.165.202.135, while 10.100.1.2 sees the traffic as coming from 10.100.1.3 (because of the outside NAT translation).

We allow access for all hosts in 209.165.202.0/24 using either a conduit or an ACL.
9.2 Outside NAT Configuration

The following is the outside NAT section of the PIX configuration.

ip address outside 209.165.202.130 255.255.255.224
ip address inside 10.100.1.1 255.255.255.0
global (outside) 5 209.165.202.140-209.165.202.141 netmask 255.255.255.224
nat (inside) 5 10.100.1.0 255.255.255.0 0 0
static (inside,outside) 209.165.202.135 10.100.1.2 netmask 255.255.255.255 0 0
static (outside,inside) 10.100.1.3 209.165.202.129 netmask 255.255.255.255 0 0
conduit permit ip 209.165.202.0 255.255.255.0 209.165.202.0 255.255.255.0
!--- Alternatively, use an ACL instead of the conduit; the static commands are still required.
access-list 101 permit ip 209.165.202.0 255.255.255.0 209.165.202.0 255.255.255.0
access-group 101 in interface outside

Note that on PIX 6.x an ACL applied to the outside interface is written against the global (translated) addresses of the inside hosts, which is why both the source and the destination of access-list 101 fall in 209.165.202.0/24: the destinations are the static 209.165.202.135 and the pool 209.165.202.140-209.165.202.141. As written, the conduit or ACL permits every IP protocol from any host in that /24 to any translated inside host; in a production deployment restrict it to the specific hosts and ports required, and prefer access-list/access-group over conduit.
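The xlate lookup described in this section, modelled as an added example (this is not PIX code and not from the original page): a small Python class encodes the static and dynamic translations of the configuration above and applies the three-step lookup (existing xlate, NAT policy, new xlate) to packets in both directions. The demo walks the four intents of section 9.1 and then shows what happens when the two-address pool is exhausted. The class name, the rule that an outside host with no outside-NAT policy passes untranslated, and the extra addresses 209.165.202.200 and 10.100.1.5-10.100.1.7 are assumptions made for the example.

```python
import ipaddress


class NoTranslation(Exception):
    """No NAT policy covers the source address; the PIX drops the packet."""


class PixOutsideNat:
    """Toy model of the PIX 6.2 xlate lookup with outside NAT (added example, not PIX code).

    Encodes the page's configuration: static (inside,outside), static
    (outside,inside) and the nat/global pair with ID 5.
    """

    def __init__(self):
        # static (inside,outside) 209.165.202.135 10.100.1.2 -> real inside : global
        self.static_inside = {"10.100.1.2": "209.165.202.135"}
        # static (outside,inside) 10.100.1.3 209.165.202.129 -> real outside : mapped
        self.static_outside = {"209.165.202.129": "10.100.1.3"}
        # nat (inside) 5 10.100.1.0 255.255.255.0 / global (outside) 5 .140-.141
        self.nat_inside = ipaddress.ip_network("10.100.1.0/24")
        self.pool = ["209.165.202.140", "209.165.202.141"]
        # xlate table: (ingress interface, real address) -> mapped address
        self.xlate = {}

    def _translate_source(self, ingress, real):
        key = (ingress, real)
        if key in self.xlate:               # 1. existing xlate: fast path
            return self.xlate[key]
        if ingress == "inside":             # 2. consult the NAT policy
            if real in self.static_inside:
                mapped = self.static_inside[real]
            elif ipaddress.ip_address(real) in self.nat_inside and self.pool:
                mapped = self.pool.pop(0)   # dynamic NAT: next free pool address
            else:
                raise NoTranslation(real)   # inside hosts must have a translation
        else:
            # Assumption: an outside host with no outside-NAT policy passes untranslated.
            mapped = self.static_outside.get(real, real)
        self.xlate[key] = mapped            # 3. create the xlate
        return mapped

    def _untranslate_destination(self, egress, mapped):
        """Map a global/mapped destination back to the real host behind egress."""
        statics = self.static_inside if egress == "inside" else self.static_outside
        for real, m in statics.items():
            if m == mapped:
                return real
        for (iface, real), m in self.xlate.items():  # return traffic for dynamic xlates
            if iface == egress and m == mapped:
                return real
        return mapped

    def forward(self, ingress, src, dst):
        """Return (src, dst) as they appear on the egress interface."""
        egress = "outside" if ingress == "inside" else "inside"
        return (self._translate_source(ingress, src),
                self._untranslate_destination(egress, dst))


def demo():
    """Walk the four intents from section 9.1 plus pool exhaustion."""
    pix = PixOutsideNat()
    results = {}
    # 209.165.202.129 -> 209.165.202.135 arrives outside; inside sees 10.100.1.3 -> 10.100.1.2
    results["in"] = pix.forward("outside", "209.165.202.129", "209.165.202.135")
    # 10.100.1.2 replies to 10.100.1.3; outside sees 209.165.202.135 -> 209.165.202.129
    results["out"] = pix.forward("inside", "10.100.1.2", "10.100.1.3")
    # other inside hosts draw pool addresses in order (constructed peer 209.165.202.200)
    results["pool1"] = pix.forward("inside", "10.100.1.5", "209.165.202.200")
    results["pool2"] = pix.forward("inside", "10.100.1.6", "209.165.202.200")
    # return traffic to a pool address reaches the host that holds the xlate
    results["ret"] = pix.forward("outside", "209.165.202.200", "209.165.202.140")
    try:
        pix.forward("inside", "10.100.1.7", "209.165.202.200")
        results["exhausted"] = False
    except NoTranslation:
        results["exhausted"] = True     # two-address pool, no PAT fallback
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Run it directly to print the per-case results. The last case is the operational caveat: a dynamic pool of two global addresses with no PAT address under the same global ID serves only two inside hosts at a time, while the static entries are unaffected because they never draw from the pool.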