
PIX outside NAT (inbound PAT)


peter2002
Feb 7, 2002
Hi

For some reasons I want the IP addresses coming from the Internet to hide behind an internal IP address (=PAT for INBOUND traffic). Cisco calls it "outside NAT".
One reason for this configuration is that I'm having more than one firewall (one is for mail, the other is for internet traffic). If I'm able to do inbound PAT, the answer packets will be rerouted to the original firewall, otherwise the packets go to the default gateway and the session may not be established.
Has anyone done this before? I used to do it with Netscreen, Fortinet, Checkpoint etc. but I don't find any help on cisco's CCO.

I appreciate any help, thanks!!!
 
have you tried something to the effect of...

nat (outside) 1 0.0.0.0 0.0.0.0 outside
global (inside) 1 <some internal address>

and then you would need to add some access list to allow incoming traffic.

It should work, the only difference being that you would need an access rule.

Jeff
 
Hi Jeff

Thank you for your help. I have tried this before, it was working, but the side effect was that inside people couldn't reach the internet anymore (error message 305005: No translation group found for icmp src inside:192.168.10.1 dst outside:195.186.1.110 (type 8, code 0)).

global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
global (inside) 2 192.168.10.250
nat (outside) 2 0.0.0.0 0.0.0.0 outside

etc.

I'm having a similar problem with a site which is connected via VPN. I want to hide their IP addresses (for instance 192.168.20.0/24) behind an internal address 192.168.10.240 (pool would also be possible), but can't find any solutions for this.
Any ideas?

Thanks, Peter
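
For reference, here is the outside NAT setup Peter and Jeff are discussing, assembled into one PIX 6.2-style configuration. This is an added example, not config from the thread; the public address 203.0.113.x, the mail server 192.168.10.25 and the ACL name are assumed, and it does not explain the 305005 error Peter reports.

```text
! Assumed addressing (constructed for this example):
!   outside interface 203.0.113.1, inside interface 192.168.10.1
!   mail server 192.168.10.25, published as 203.0.113.10
!
! Outbound: inside hosts PAT behind the outside interface address (id 1)
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
global (outside) 1 interface
!
! Inbound (outside NAT): every Internet source is PAT'd behind 192.168.10.250
! as it crosses to the inside (id 2). The trailing "outside" keyword is what
! makes this an outside-NAT rule rather than a normal inside-to-outside one.
nat (outside) 2 0.0.0.0 0.0.0.0 outside
global (inside) 2 192.168.10.250
!
! Publish the mail server. Outside-to-inside traffic is denied by default, so
! the static alone is not enough; an inbound ACL is still required (Jeff's point).
static (inside,outside) 203.0.113.10 192.168.10.25 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-group outside_in in interface outside
!
! Caveat: with outside NAT the mail server only ever sees 192.168.10.250 as the
! client address, so keep logging on the PIX (xlate/conn records) if you need the
! real Internet source for incident investigation.
```

The server's replies are addressed to 192.168.10.250, which sits on its own subnet, so they return through this PIX instead of following the default route to the other firewall; that is the asymmetric-routing problem Peter describes in his first post.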

 
do you have another IP address that you could use for the global instead of interface? I'm not sure that would work but I think it would be a good test.

Jeff
 
Yes, I tried also different IP addresses for PAT (different from the interface IPs), but didn't change anything.

Peter
 