Re: Pix Outside NAT



Thanks Cen,

Does that mean if I have an outside int and a DMZ int both connecting
to the internet I can force some return traffic back out the DMZ
interface by NATing? So that when the return traffic goes from in to
DMZ it will route to the NATed IPs (i.e. a pool of addresses from the
DMZ subnet) and then NAT and forward out the DMZ int? I just want to
ensure that after NATing it doesn't do another route lookup and
forward out the outside int (i.e. following the default route).

Thanks.



Cen wrote:
> NAT order of operation generally is as follows:
> From inside to outside, route first then NAT.
> From outside to inside, NAT first then route.
>
>
> <bitored2002@xxxxxxxxxxxx> wrote in message
> news:1127219129.544604.62240@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> > Hi,
> >
> > I have a PIX that connects to 2 internet links. I want to split
> > different types of traffic across the 2 links in each direction. Therefore
> > BGP can take care of the inbound path for traffic on the routers. So
> > for example I want inbound HTTP traffic on link 1 and email on link 2.
> > The problem is because of my default route the outbound email always
> > follows path 1.
> >
> > I have been thinking of putting the 2nd link on a separate interface on
> > the PIX (currently both are reachable via the outside interface). Then I
> > could NAT the source public IP address on the 2nd link (inbound
> > direction) so that when my inside host replies it will reply to the NAT
> > address and follow the path out the 2nd internet link (via the new
> > interface on the PIX).
> >
> > My question is when the NAT function NATs back to the real public IP
> > will the PIX then do a route lookup and try to send it out via the
> > default gateway, i.e. the outside interface, and thus still give me the
> > same result, or will it route before NAT and then simply forward the
> > packet out my new interface as I would hope. I am unsure of when
> > exactly the routing happens with NAT.
> >
> > Thank you for any comments.
> >

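The order of operations Cen gives, applied to the two-interface setup discussed in this thread, as an added example that is not part of the original posts and is not PIX code: a toy Python model with constructed addresses and hypothetical names, in which the inside host's own translation is omitted. It compares the egress interface chosen for the reply under route-then-NAT with the NAT-then-route order the poster asks about.

```python
import ipaddress

# Constructed routing table for the scenario in the thread (hypothetical addresses):
# the default route points out "outside"; the DMZ subnet is directly connected.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
    (ipaddress.ip_network("198.51.100.0/24"), "dmz"),
    (ipaddress.ip_network("10.0.0.0/24"), "inside"),
]

def route_lookup(dst):
    """Longest-prefix match; returns the egress interface name."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, ifc) for net, ifc in ROUTES if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

class Firewall:
    def __init__(self, pool):
        self.free = list(pool)     # free pool addresses taken from the DMZ subnet
        self.xlate = {}            # pool address -> real public client address

    def inbound_from_dmz(self, src, dst):
        """Lower to higher security: NAT first (source into the pool), then route."""
        mapped = self.free.pop(0)
        self.xlate[mapped] = src
        return {"src": mapped, "dst": dst, "egress": route_lookup(dst)}

    def reply_from_inside(self, src, dst, route_first=True):
        """Higher to lower security. route_first=True is the order Cen gives;
        route_first=False is the order the poster is worried about."""
        real = self.xlate[dst]     # untranslate pool address to the real client
        egress = route_lookup(dst if route_first else real)
        return {"src": src, "dst": real, "egress": egress}

def demo():
    fw = Firewall(["198.51.100.200", "198.51.100.201"])
    inbound = fw.inbound_from_dmz("203.0.113.50", "10.0.0.25")
    as_stated = fw.reply_from_inside("10.0.0.25", inbound["src"])
    feared = fw.reply_from_inside("10.0.0.25", inbound["src"], route_first=False)
    return inbound, as_stated, feared

if __name__ == "__main__":
    for step in demo():
        print(step)
```

In this model the route lookup on the pool address selects the connected DMZ subnet, so the default route is only consulted if the lookup is done on the untranslated address.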