PAT on the Outside of a PIX

We have a customer coming in through our firewall whose source IP addresses we want to change. We have a number of NATs in place changing our internal addresses as they go outbound, but this will be the first inbound change we do.

The customer will hit our outside interface with a source IP address in the range of We want them to show up on our network as (so we want to do PAT, really).

Below is the configuration I was considering:

nat (outside) 2 0 0 global (inside) 2 netmask

route outside 1 is the customer router abutting our outside interface of

I think this should work as detailed above, but my only concern is that if I turn on an outside -> inside NAT, does that break the normal Identity NAT process that normally would occur coming outside in? Or is there anything else conceivable that could get broken by this translation?

Thanks, Jason

Reply to
Loading thread data ...

Hi I have done thsi in Netscrren and not sure about PIX ... will tryin my lab and let you know ASAP.

But it should work

Reply to

It should work but the good syntax would be

nat (outside) 2 outside 0 0 global (inside) 2 netmask

ref: Cisco If this interface is on a lower security level than the interface you identify by the matching global statement,

then you must enter outside. This feature is called outside NAT or bidirectional NAT.

nat outside (Outside NAT) The nat outside option lets you enable or disable outside NAT, which translates the source address of a connection coming from a lower security interface to higher interface. This feature is also called bidirectional NAT.

If you enable outside dynamic NAT on an interface, then you must configure explicit NAT policy for all hosts on the interface that need to initiate connections to inside networks. If you want to translate some hosts, but not others, then use identity NAT or NAT exemption (nat 0 or nat 0 access-list) to disable address translation for these additional hosts.

The norandomseq and emb_limit options are not supported with outside NAT.

Reply to

Thanks for the in depth reply. I'll have to make sure to identity NAT all other addresses so as not to break that connectivity.


Reply to
jseemann Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.