Posted by Darren Green on October 17, 2005, 4:29 pm
It relates to the above. In brief the outside network is 172.26.26.0 /24 the inside network is 10.0.0.0 /24. The example allows hosts on the outside network to access the FTP server on the LAN at 10.0.2.2 which sits behind another router on the inside of the PIX. The book states that Dynamic outside translations simplify the routing on the network below i.e. router on 10.0.2.0 wouldn't need route to 172.26.26.0 because of NAT - which I can understand.

So:

outside router --------PIX----------Inside Router-------------Inside Router-------------------FTP server
             172.26.26.0   10.0.0.0                10.0.1.0                     10.0.2.0       10.0.2.2

commands are:

nat (outside) 1 172.26.26.0 255.255.255.0 outside
global (inside) 1 10.0.0.20-10.0.0.254 netmask 255.255.255.0
static (inside, outside) 10.0.2.2 10.0.2.2
access-list ACLIN permit tcp 172.26.26.0 255.255.255.0 host 10.0.2.2 eq ftp
access-group ACLIN in interface outside

I built this in a lab earlier and know that it works but I don't understand why I need the static (inside, outside) 10.0.2.2 10.0.2.2 translation.

Regards

Darren
Posted by Walter Roberson on October 17, 2005, 5:02 pm
:In brief the outside network is 172.26.26.0 /24 the
:inside network is 10.0.0.0 /24. The example allows hosts on the outside
:network to access the FTP server on the LAN at 10.0.2.2 which sits behind
:another router on the inside of the PIX.

:nat (outside) 1 172.26.26.0 255.255.255.0 outside
:global (inside) 1 10.0.0.20-10.0.0.254 netmask 255.255.255.0
:static (inside, outside) 10.0.2.2 10.0.2.2
:access-list ACLIN permit tcp 172.26.26.0 255.255.255.0 host 10.0.2.2 eq ftp
:access-group ACLIN in interface outside

:I built this in a lab earlier and know that it works but I don't understand
:why I need the static (inside, outside) 10.0.2.2 10.0.2.2 translation.

The 'static' command enables outside systems to initiate connections to inside systems, provided that the connection is permitted by the ACL. In this particular case, it tells the PIX that it needs to listen for packets addressed to 10.0.2.2; without the 'static' command, the PIX would not listen for those packets, and so the packets addressed to that IP would not even make it as far as the access-list.

But in your commands, inside and outside have been reversed. When the outside network is 172.26.26/24 then the outside IP of the PIX needs to be in 172.26.26/24, and that would correspond to 'static' and 'global' commands that show 172.26.26 addresses, and to a 'nat' command that has 10.0.2.* addresses.

-- 
I am spammed, therefore I am.
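
A simplified model of the behaviour discussed in this thread, added here as an example; it is not code from either poster or from Cisco. It follows the reply's description of the check order (static first, then ACLIN) and the question's description of dynamic outside translation, and shows what the inside routers actually see. The function names and dictionary keys are hypothetical.

```python
import ipaddress

# Constructed model of the five posted commands (dictionary keys are hypothetical names).
CONFIG = {
    "outside_nat": ipaddress.ip_network("172.26.26.0/24"),  # nat (outside) 1 ... outside
    "inside_pool": ("10.0.0.20", "10.0.0.254"),             # global (inside) 1 ...
    "statics": {"10.0.2.2": "10.0.2.2"},                    # static: outside-visible -> real
    "acl": [("172.26.26.0/24", "10.0.2.2", 21)],            # ACLIN: permit tcp ... eq ftp
}

def allocate(cfg, src, xlates):
    """Return the pool address mapped to src, creating the mapping if needed."""
    if src in xlates:
        return xlates[src]
    lo, hi = (int(ipaddress.ip_address(a)) for a in cfg["inside_pool"])
    used = set(xlates.values())
    for n in range(lo, hi + 1):
        addr = str(ipaddress.ip_address(n))
        if addr not in used:
            xlates[src] = addr
            return addr
    return None  # pool exhausted

def inbound(cfg, src, dst, dport, xlates):
    """Model a new TCP connection arriving on the outside interface.

    Returns (verdict, source_seen_inside, destination_seen_inside).
    """
    # Per the reply: with no static for dst, the packet never reaches the ACL.
    if dst not in cfg["statics"]:
        return ("drop: no static", None, None)
    s = ipaddress.ip_address(src)
    permitted = any(s in ipaddress.ip_network(net) and dst == host and dport == port
                    for net, host, port in cfg["acl"])
    if not permitted:
        return ("drop: ACLIN", None, None)
    new_src = src
    if s in cfg["outside_nat"]:  # dynamic outside translation of the source
        new_src = allocate(cfg, src, xlates)
        if new_src is None:
            return ("drop: pool exhausted", None, None)
    return ("forward", new_src, cfg["statics"][dst])
```

In this model the inside routers only ever see sources from 10.0.0.20-10.0.0.254, which is why they need no route to 172.26.26.0, while removing the static entry stops the connection before ACLIN is consulted.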