outside PAT


the following scenario:

--- net1 --- PIX --- net2
              |
              |
            net3

The PIX runs OS 7.2. Computers reside in net2 and communicate with the world via net1. In net3 are a few hosts. Security levels are from net1 (low) to net2 (higher) to net3 (highest). Traffic from net2 to net1 will be neither NATed nor PATed. From net2 to net3 there should be PAT. The computers in net2 should be able to access two servers in net3.

interface Ethernet0
 nameif net1
 security-level 0
 ip address
!
interface Ethernet1
 nameif net2
 security-level 90
 ip address
!
interface Ethernet5
 nameif net3
 security-level 95
 ip address
!
access-list test extended permit icmp any any log
access-list test extended permit ip any any
access-list test-in extended permit icmp any any log
access-list test-in extended permit ip any any

nat-control
global (net3) 1
nat (net2) 1 outside
static (net2,net1) netmask
access-group test-in in interface net2
access-group test out interface net3
route net1 1
route net3 1

So far the connections between net1 and net2 are working. But what is required to allow net2 to reach hosts in net3 with PAT?

Regards, Christoph Gartmann


Your security levels should follow NAT. Usually you "nat" from a high level to a low level. From low to high you "static"ally open ports. So your security levels should be:

nameif net1 security-level 0

nameif net2 security-level 100

nameif net3 security-level 50

global (net3) 1 interface   ! or pat-ip
nat (net2) 1
static (net2,net1) netmask
static (net2,net3) tcp interface 80 80   ! server1 port forward
static (net2,net3)   ! server2 (prevents PAT)


Lutz Donnerhacke
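The rule in the reply above (dynamic "nat"/"global" from the higher-security interface towards the lower one, "static" for anything that must stay untranslated) written out as a complete PIX 7.x fragment. This is an added example, not configuration from either poster; the interface addresses (192.0.2.0/24 for net2, 198.51.100.0/24 for net3), the two server addresses (198.51.100.10 and .11), and the access-list name net2-in are placeholders chosen here, since the thread strips all real addresses.

```cisco
! Added example: net2 (inside, 100) -> net3 (50) behind PAT, net2 -> net1 untranslated.
! All addresses below are placeholders, not values from the thread.
interface Ethernet1
 nameif net2
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface Ethernet5
 nameif net3
 security-level 50
 ip address 198.51.100.1 255.255.255.0
!
nat-control
!
! net2 -> net3: every net2 host is PATed behind the net3 interface address.
! With net3 now at a lower security level than net2 this is ordinary
! inside-to-outside NAT; the "outside" keyword is no longer needed.
global (net3) 1 interface
nat (net2) 1 192.0.2.0 255.255.255.0
!
! net2 -> net1: identity static so net2 addresses leave untranslated,
! matching the original "static (net2,net1) ... netmask" line.
static (net2,net1) 192.0.2.0 192.0.2.0 netmask 255.255.255.0
!
! Limit what net2 may reach in net3 to the two servers. The ACL is applied
! inbound on net2, so it matches the real (pre-NAT) 192.0.2.0/24 sources.
! The deny line stops net2 from reaching anything else in net3 before the
! catch-all permit that still lets net2 out to the world via net1.
access-list net2-in extended permit tcp 192.0.2.0 255.255.255.0 host 198.51.100.10 eq www
access-list net2-in extended permit tcp 192.0.2.0 255.255.255.0 host 198.51.100.11 eq https
access-list net2-in extended deny ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list net2-in extended permit ip 192.0.2.0 255.255.255.0 any
access-group net2-in in interface net2
```

After a net2 host opens a connection to one of the servers, "show xlate" should list a PAT entry mapping the 192.0.2.x source to the net3 interface address; if nothing appears there and the packet is dropped, check that the nat/global ids (both 1 here) match and that nat-control is satisfied for that path.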
