[c-nsp] PIX questions

Michael K. Smith - Adhost mksmith at adhost.com
Mon May 12 19:39:07 EDT 2008


Hello Gregori:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Gregori Parker
> Sent: Monday, May 12, 2008 10:35 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] PIX questions
> 
> I was hoping to see an answer to this, as I ran into what I believe to
> be a similar situation a while back.
> 
> We had an ASA at an edge, with several static identity NATs, e.g.:
> 
> 	static (inside,outside) x.x.x.78 172.16.8.44 netmask 255.255.255.255
> 	static (inside,outside) x.x.x.79 172.16.8.45 netmask 255.255.255.255
> 	...
> 
> Where x.x.x.* are public addresses, and an access-list allows specific
> services from anywhere to each public NAT.  All outgoing traffic is
> PATed to the interface address, say x.x.x.80, and I'm not clear on how
> to enable a host on the inside to communicate with an identity NAT on
> the outside...essentially the ASA would be doubling up on translations,
> one outgoing, to one inbound...looping back to itself so-to-speak.  It
> doesn't work, and I understand why, but I've wondered if there's a way
> to enable this (other than having the hosts communicate directly).
> I've looked at things like permitting same-security-traffic
> inter/intra-interface to no avail.
> 
> Thanks in advance (and sorry if I woke a dead thread)
> 

The only way I've seen it work is to give both the source and destination a static NAT.  The PAT'd to static doesn't work while the static to static does.

Regards,

Mike
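Added example, not part of the thread above: the pre-8.3 PIX/ASA configuration commonly used to let an inside client reach an inside server through that server's public static address (NAT "hairpinning"). It reuses the thread's own placeholders (x.x.x.78 for the public address, 172.16.8.44 for the server) and assumes both the client and the server sit on the "inside" interface; the client address 172.16.8.10 is made up for the packet-tracer check. The 8.3+ object NAT syntax is different and is not shown.

```cisco
! Added example (not from the thread): hairpin an inside client to a
! server's public static address on a pre-8.3 PIX/ASA.  Assumed: server
! and client both sit on "inside"; 172.16.8.10 is a made-up client
! address; x.x.x.78 / 172.16.8.44 are the thread's own placeholders.

! 1. The edge translations from the thread, unchanged: inbound static
!    for the server, outbound PAT to the outside interface address.
static (inside,outside) x.x.x.78 172.16.8.44 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! 2. Let a packet enter and leave the same interface at all.
same-security-traffic permit intra-interface

! 3. Destination side: a static on the (inside,inside) pair so the public
!    address is untranslated when the packet arrives from inside.
static (inside,inside) x.x.x.78 172.16.8.44 netmask 255.255.255.255

! 4. Source side: PAT the client to the inside interface address on the
!    same pair.  Without this the server sees the client's real address and
!    replies directly on the LAN, so the firewall never sees the return
!    half of the flow and drops the connection.
global (inside) 1 interface

! 5. Check the path before trusting it.  A client on inside to the public
!    address on TCP/80 should show both NAT phases and end in
!    "Action: allow"; a drop at the NAT phase means one of the two
!    (inside,inside) translations above is missing.
packet-tracer input inside tcp 172.16.8.10 12345 x.x.x.78 80
```

The pairing of step 3 with step 4 is the point: the destination static alone rewrites x.x.x.78 to 172.16.8.44 on the way in, but the reply from 172.16.8.44 takes the shortest LAN path back to the untranslated client unless the client was also translated to an address that routes via the firewall. Any access-list applied to the inside interface must permit the client-to-public-address traffic as well.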

