NAT the Outside network with PIX firewall

Posted on 2004-03-31
Medium Priority
Last Modified: 2013-11-16
Is it possible to NAT an Outside IP address on the internet to a single Inside IP address on my corporate LAN?

I have an application in my corporate network, which I would like to make available to an external party on the Internet. This application is configured to accept only connections from a specific IP Addresses (like an ACL).

The external party is using an ADSL modem which obtains a random IP Address assigned by the ISP. Therefore, I would like to use NAT on the outside (Internet), to give it a fixed IP Address on the inside on my corporate network.

Is this possible? If yes, what commands do I use to configure it?

Also, please advise if there is any danger in doing so, or what are my alternatives.
Question by:wlseet

Expert Comment

ID: 10729375
You will be setting up a static NAT assignment and they can go either direction.  You will need to set either a conduit or ACL to allow the proper port to be presented to the outside world.  Is this an application that you can be sure that the rest of the world won't bang on?  If it's sensitive enough to worry about, then consider setting up some sort of authentication or authorization schemes before allowing its use.  You can use local accounts set up on the PIX or TACACS+/RADIUS accounts to prevent unintended use.  That frees you up from thinking about access restrictions based on IP addressing.

Here's the basics of the static NAT logic

1.  The ACL applied to your outside IF needs to include whatever ports this application needs:
access-list outside-ingress permit tcp any host <<OUTSIDEIP>> eq https

2. This is the static address assignment:
static (inside,outside) OUTSIDEIP INSIDEIP netmask 255.255.255.255 0 0

3. This is the access-list applied to your outside IF:
access-group outside-ingress in interface outside

If you want to add AAA and you already have some kind of RADIUS running, it's a breeze to add a few special user accounts and rules to support this.



Author Comment

ID: 10729453
By design, the application is coded to accept connections from a specific IP Address.

Since the IP Address from the Internet is random, they cannot access the application unless their IP Address has been defined in the application.

Therefore, I need the IP Address from the Internet, to be translated to an internal IP Address, which is fixed to only 1 internal IP Address for easy maintenance on my application.

How do I do that?

Expert Comment

ID: 10730368
Your question was:  Is it possible to NAT an Outside IP address on the internet to a single Inside IP address on my corporate LAN?  - The key word being "an", as in a single Outside IP address.

Now you're saying that you want to NAT any Internet address to a single address to present on your LAN.  You know that's about the most backwards implementation you could configure all for "easy" maintenance?

I don't know if the PIX can globally present all Internet addresses through a single internal address, because that would break all other outbound traffic.

You're trying too hard to use IP addresses to create a security configuration.  You need to get over it.  If it's that important to restrict addresses, then have your client come through a VPN tunnel and assign them an internal LAN address.

Expert Comment

ID: 10732178
ccallison explained it fine so I'm not going to reinvent the wheel, but I don't suggest forwarding a whole ext. IP to a whole internal IP....why?

1) hack into that machine and you're on the whole network
2) I'm gonna bet it's a Windows machine, and that's just asking for trouble
3) figure out what ports it runs on and forward those...

Here's my suggestion:

Set up SSH (I love it) on a machine, forward one port (udp/22 I believe) and have them ssh in....right there you can set up port forwarding, and it will look like it's coming from internal....it's also VERY secure

Accepted Solution

billwharton earned 2000 total points
ID: 10734242

I have only read your question and not the other comments in this post. However, I understand your requirements and you are trying to achieve a simple case of bi-directional NAT. What is different about your case is that you need to NAT a dynamic IP (DSL) to an inside IP. Since it is an unknown IP, I suggest these steps:

- Find out what the current IP address of your DSL client is and see what it changes to in a couple of days. Usually, it would change in the same subnet or a very close subnet. Hence, you would be able to calculate a subnet and network mask and if anybody else from this subnet mask tries to access this server, he would be able to get in. That's the security risk though I assume you are also using password authentication on the server.

These statements are to be used:

The dynamic DSL network is after a few days of observation.
Server IP is & is only accepting requests from IP:
You have applied access-list 101 on your outside interface

Needed Statements
global (inside) 5
nat (outside) 5

access-list 101 permit ip host
Or you could limit it to a particular port:
access-list 101 permit tcp/udp host eq (port number)

In case all of this is very confusing, kindly send me your current IP's and your PIX configuration and I would be glad to give you accurate statements which you would simply copy/paste.

As far as security goes, you have to weigh the risks with the benefits. This solution is not your everyday solution but I have seen it implemented in difficult situations like this.

Thank you
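
Added example, not part of billwharton's answer or of any poster's configuration: the "calculate a subnet and network mask" step above, carried out over a few days of observed client addresses, with a count of how many other addresses the resulting rule also admits. The observed addresses, the server address 192.0.2.10, port 443 and the function names are all constructed for illustration; the rendered line assumes the PIX ACL form that takes a subnet mask for the source network.

```python
import ipaddress

def covering_network(observed):
    """Smallest single IPv4 network that contains every observed address."""
    addrs = [ipaddress.IPv4Address(a) for a in observed]
    if not addrs:
        raise ValueError("need at least one observed address")
    lo, hi = int(min(addrs)), int(max(addrs))
    # Every bit position where the lowest and highest address differ,
    # and everything below it, has to become a host bit.
    host_bits = (lo ^ hi).bit_length()
    base = (lo >> host_bits) << host_bits
    return ipaddress.IPv4Network((base, 32 - host_bits))

def exposure(observed):
    """Network, mask and the number of addresses the mask lets through."""
    net = covering_network(observed)
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefix": net.prefixlen,
        # Raw address count of the block, network/broadcast included.
        "admitted": net.num_addresses,
        # Addresses in the block that were never seen as the client.
        "strangers": net.num_addresses - len(set(observed)),
    }

def acl_line(observed, server_ip, port, acl_id=101):
    """Render a source-restricted permit line for the covering network."""
    e = exposure(observed)
    return (f"access-list {acl_id} permit tcp {e['network']} {e['netmask']} "
            f"host {server_ip} eq {port}")

if __name__ == "__main__":
    # Constructed observations (documentation address ranges).
    same_block = ["203.0.113.37", "203.0.113.142", "203.0.113.201"]
    crosses_boundary = ["198.51.100.250", "198.51.101.3"]
    for sample in (same_block, crosses_boundary):
        print(exposure(sample))
        print(acl_line(sample, "192.0.2.10", 443))
```

Two leases that sit only a few addresses apart but straddle a block boundary already widen the rule to a /23, so the number of unrelated ISP customers admitted grows with every new observation.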


Expert Comment

ID: 10736610
If you're not willing to do a vpn solution, then the ssh idea has merit.  Even NAT'ing the ISP's subnet from which your client MIGHT be coming from is a fuzzy solution.  You may break other traffic patterns unintentionally.  It's like installing a peephole on your front door the wrong direction....

Expert Comment

by:Tim Holman
ID: 10752507
I would set up the remote ADSL site with a PIX or Cisco router, and then set up a dynamic VPN from that site to your central site, authenticated by a pre-shared secret known only to you, or better still, a certificate.
That way, it doesn't matter that the address is variable, as the VPN is created based on the authentication alone.

If cost is an issue, set the remote ADSL site up with a VPN Client, so that they can access the application.

..and remember, security based on whether or not a user is behind a specific IP address or not is NOT the way to go.  IP addresses can be spoofed, other users could use his connection, etc etc.

Think about authenticating the user properly.  Maybe even some form of two-factor authentication - RSA SecurID or Aladdin eToken.

Author Comment

ID: 10764620
I would say that billwharton hit it spot on.
Sorry for the delay, I've been out of reach for a couple of days after the weekend.

I tried the suggestion by billwharton. As my internal IP addresses are not registered IP addresses, I used the static command to give it an "outside" IP address, so that it can be reached.

static (inside,outside) w.x.y.z

where w.x.y.z is the registered IP address I have.

Is this correct?
I assume so, cause it works.

As for security, the application not only accepts connection from a pre-defined IP, it also prompts for authentication (username/password).

I'm awarding full points to billwharton.
Thanks to everyone for their contribution.


Expert Comment

ID: 10764999

I am glad you resolved the problem.
