Outside dynamic NAT uses the nat command, and outside static mapping uses the static command.
Outside NAT simply replaces the outside source address with an inside source address. You can do many-to-few (nat), many-to-one (PAT), or one-to-one (using the static command).
If you enable outside dynamic NAT on an interface, then you must configure an explicit NAT policy for all hosts on that interface that need to initiate connections to inside networks. If you want to translate some hosts but not others, use identity NAT or NAT exemption (nat 0 or nat 0 access-list) to disable address translation for these additional hosts. This is easily forgotten. With inside NAT it rarely comes up, because the inside usually has only one subnet or a few small ones, and all of them are translated. The outside, however, is the Internet, which includes a great many networks.
To enable DNS doctoring in this environment (web server TWeb and client PC inside, DNS outside), so that the inside client can access the web server, we can configure
static (outside,inside) TWeb 67.19.10.1 dns netmask 255.255.255.255 0 0
so the DNS reply will be rewritten to the inside IP instead of the Internet IP.
Note: this translation happens on the inside interface. Remember that when proxy ARP is enabled on the inside interface, the PIX will proxy-ARP for TWeb (this applies to global, static and nat 0 settings; refer to the article "PIX proxy arp caused weird problem" of Dec 2, 2005) when an inside PC tries to access TWeb. The inside PC's ARP result will then be wrong, and that will cause connection problems. So remember to disable proxy ARP on the inside interface!
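
A quick way to check a saved configuration for the two pitfalls above (an outside static without proxy ARP disabled on the mapped interface, and outside dynamic NAT with no nat 0 exemption). This is an added example, not part of the original post: the sample configuration, the address ranges and the audit function are constructed, and it assumes proxy ARP is disabled with the PIX command `sysopt noproxyarp <interface>`.

```python
import re

# Constructed sample PIX configuration (addresses other than 67.19.10.1
# are made up for illustration).
SAMPLE_CONFIG = """\
nat (outside) 1 172.16.0.0 255.255.0.0 outside
global (inside) 1 192.168.1.200-192.168.1.220
static (outside,inside) TWeb 67.19.10.1 dns netmask 255.255.255.255 0 0
"""

# static (real_if,mapped_if) mapped_ip real_ip ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)(.*)$")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (.*)$")
NOPROXY_RE = re.compile(r"^sysopt noproxyarp (\w+)$")


def audit(config, outside_if="outside"):
    """Return (check, detail) findings for the outside-NAT pitfalls."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # Interfaces on which proxy ARP has been turned off.
    noproxy = {m.group(1) for l in lines if (m := NOPROXY_RE.match(l))}
    findings = []
    dynamic = exempt = False
    for line in lines:
        if (m := NAT_RE.match(line)) and m.group(1) == outside_if:
            if m.group(2) == "0":
                exempt = True            # nat 0 / nat 0 access-list
            elif "outside" in m.group(3).split():
                dynamic = True           # outside dynamic NAT is enabled
        elif (m := STATIC_RE.match(line)) and m.group(1) == outside_if:
            mapped_if, mapped_ip = m.group(2), m.group(3)
            # The PIX answers ARP for mapped_ip on mapped_if unless disabled.
            if mapped_if not in noproxy:
                findings.append(("proxy-arp", f"{mapped_ip} on {mapped_if}"))
    # Reminder only: untranslated outside hosts need nat 0 to reach inside.
    if dynamic and not exempt:
        findings.append(("no-exemption", outside_if))
    return findings


if __name__ == "__main__":
    for check, detail in audit(SAMPLE_CONFIG):
        print(check, detail)
```

The no-exemption finding is only a prompt to review: it is correct to have no nat 0 entry when every outside host that must reach the inside is already covered by a nat or static policy.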