I've had a total brain fade, and am unable to figure this out. Hoping you guys can help.

Network topology is relatively simple. Firewall has three zones - outside, inside and DMZ. DMZ has a /25 of "real" Internet addresses on it. Outside has a /30, also of "real" addresses, and most traffic from inside is translated to the interface address of the outside zone. Inside is RFC1918 IPv4 addressing with multiple static routes to upstream networks.

I need to NAT an IP address which is in our public space in our DMZ zone - call the address 1.1.1.123/32 - to a host which is inside my network - call it 10.10.10.10/32 - on a one-to-one basis - no port translations, nothing. Bi-directional NAT - any packet coming in to 1.1.1.123 goes to 10.10.10.10, and any packet going OUT from 10.10.10.10 appears to be from 1.1.1.123 as far as the Internet is concerned.

Thing is, I don't know if I can do this. I've put in two NAT rules - one translating anything going to 1.1.1.123 to 10.10.10.10, and one translating anything from 10.10.10.10 to 1.1.1.123 - but it's not working. I don't know if I'm screwing up the related security policies, or if what I'm asking can't be done.

So, questions for guys who have done more NAT than I have:

1. Is the NAT policy I want even possible?
2. Is the methodology I've described right?
3. What IP address/interface should I be applying security policies (inbound and outbound) on? The translated address? The untranslated address? Both?

Can anyone shed some light for me, please? I'm scratching my head here. Thanks
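The post does not name the firewall platform, so here is an added example (not the poster's configuration) of the same 1:1 bi-directional NAT expressed as a Linux nftables ruleset, which makes the answer to question 3 concrete for that platform: destination NAT runs in the prerouting hook before the forward filter, and source NAT runs in postrouting after it, so the filter policy sees the inside address in both directions. Interface names eth0 (outside) and eth1 (inside) and the exposed port 443/tcp are assumptions, not from the post.

```nftables
# Added example, not from the original post. Assumed interface names:
# eth0 = outside, eth1 = inside. The public /25 lives on the DMZ interface,
# but 1.1.1.123 is rewritten before routing, so it never needs to be
# delivered on the DMZ segment for Internet-facing traffic.

define OUTSIDE = "eth0"
define INSIDE  = "eth1"
define PUBLIC  = 1.1.1.123
define PRIVATE = 10.10.10.10

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Inbound: anything addressed to the public IP goes to the inside host.
        # This runs before the forward hook, so filter rules see 10.10.10.10.
        iifname $OUTSIDE ip daddr $PUBLIC dnat to $PRIVATE
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Outbound: the inside host appears on the Internet as the public IP.
        # NAT statements are terminal, so this 1:1 rule must precede the
        # generic masquerade or the host would leave as the interface address.
        oifname $OUTSIDE ip saddr $PRIVATE snat to $PUBLIC
        # Everything else from inside is translated to the outside address.
        oifname $OUTSIDE masquerade
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        # Replies in both directions are reverse-translated by conntrack.
        ct state established,related accept
        # Inbound policy: match the post-NAT (inside) address, and limit it
        # to the service the host should expose (443/tcp assumed here).
        iifname $OUTSIDE oifname $INSIDE ip daddr $PRIVATE \
            tcp dport 443 ct state new accept
        # Outbound policy: source NAT has not happened yet, so match the
        # untranslated (inside) address, not 1.1.1.123.
        iifname $INSIDE oifname $OUTSIDE ip saddr $PRIVATE ct state new accept
    }
}
```

Because 1.1.1.123 sits inside the DMZ's connected /25, hosts on the DMZ segment reaching it would need the firewall to answer ARP for that address; this ruleset only covers traffic to and from the Internet.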