Understanding outside NAT w/ NAT 0 (pix5153: 6.3(5))

Jan 31st, 2007

Hi,

I was trying to configure outside nat to allow a host on the dmz (FLSM) interface to telnet to a host on the inside interface. I gave up and called cisco tac. They were able to get it to work for me by combining a nat 0 command with outside nat. But I don't understand how this works. There's a good possibility that I'll have to duplicate, troubleshoot or modify the configuration and I want to know how this works before I get into a situation where I'm making changes and not understanding their impact.

The main rule that I follow when tshooting/understanding the pix is that it goes:

Into the interface>ACL>NAT>Routing>out another interface.

It looks to me like:

1. traffic hits the FLSM interface

ACL

2. traffic passes the ACL (permit ip any any)

NAT

3. traffic from the FLSM interface to the inside is not being nat'd via the nat 0 command except for traffic to 192.168.3.3

4. the line "static (inside,FLSM) 192.168.3.3 192.168.3.3 netmask 255.255.255.255 0 0" lets the pix accept traffic for that ip on the FLSM interface

ROUTE

5. the pix forwards the traffic out the inside interface to the real host 192.168.3.3

Even that doesn't quite seem to make sense.

Why is there a nat 0 command at all?

Why is 192.168.3.3 not not nat'd? (Not a typo.)

Where does the outside nat statement get applied "nat (FLSM) 2 192.168.110.0 255.255.255.0 outside 0 0"?

Here's the config:

515e# sh ru
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 FLSM security50
enable password xxx encrypted
passwd xxx encrypted
hostname 515e
domain-name net.internal
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list FLSM permit ip any any
access-list FLSM1 deny ip any host 192.168.3.3
access-list FLSM1 permit ip any 192.168.0.0 255.255.0.0
pager lines 200
logging on
logging timestamp
logging monitor debugging
no logging message 710005
mtu outside 1500
mtu inside 1500
mtu FLSM 1500
ip address outside dhcp setroute
ip address inside 192.168.5.20 255.255.0.0
ip address FLSM 192.168.110.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 2 interface
nat (FLSM) 0 access-list FLSM1
nat (FLSM) 1 192.168.110.0 255.255.255.0 0 0
nat (FLSM) 2 192.168.110.0 255.255.255.0 outside 0 0
static (inside,FLSM) 192.168.3.3 192.168.3.3 netmask 255.255.255.255 0 0
access-group FLSM in interface FLSM
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh 192.168.110.0 255.255.255.0 FLSM
ssh timeout 60
console timeout 0
dhcpd address 192.168.110.51-192.168.110.61 FLSM
dhcpd lease 692100
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable FLSM
terminal width 80

Jon Marshall Thu, 02/01/2007 - 01:01

Hi

Easy one first.

To allow traffic from a lower to a higher security interface you need an access-list and a static translation.

so

static (inside,FLSM) 192.168.3.3 192.168.3.3 netmask 255.255.255.255 0 0

is presenting the internal server 192.168.3.3 to the DMZ as 192.168.3.3. It's a peculiarity of the pix that even when you don't want to change the address you still have to set up NAT. With other vendor firewalls you don't need this.

The second bit is a bit more confusing. The nat (FLSM) 0 statement says do not translate the DMZ addresses to anything else. So within your network there must be a route back to the 192.168.110.0 DMZ network.

I agree that the nat FLSM 2 statement is confusing. What this is saying is translate all the DMZ 192.168.110.0 addresses to the inside interface address when traffic comes from the DMZ to the inside.

I suspect the nat 0 is overriding this. Either should work as far as I can see.

HTH

Jon
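To make the interaction between the three nat rules and the static concrete, here is an added example that is not part of the thread and not Cisco code: a small Python model of how the posted config decides the source and destination addresses of a packet arriving on FLSM. It walks the rules in the order the question lays out (ACL already passed, then NAT, then routing) and, as an assumption stated here and in the comments, uses the documented PIX precedence of nat 0 access-list exemption ahead of the other nat rules. The packets and the outside address placeholder are constructed values; only the addresses, ACL and rules come from the config in the question.

```python
"""
Added example (not from the original thread or Cisco): a model of the PIX 6.3
NAT decision for a packet from the FLSM (DMZ) interface, using the rules in the
posted config. Assumption: nat 0 access-list (NAT exemption) is evaluated before
the nat 1 / nat 2 rules, per the documented PIX precedence.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Values taken from the posted config.
INSIDE_IF_ADDR = "192.168.5.20"            # ip address inside 192.168.5.20 255.255.0.0
INSIDE_NET = ip_network("192.168.0.0/16")  # connected route on the inside interface
FLSM_NET = ip_network("192.168.110.0/24")  # DMZ (FLSM) subnet
OUTSIDE_IF_ADDR = "OUTSIDE-DHCP-ADDR"      # placeholder: outside address comes from dhcp
ANY = ip_network("0.0.0.0/0")

# access-list FLSM1, the ACL named by "nat (FLSM) 0 access-list FLSM1", in order.
NAT0_ACL = [
    ("deny", ANY, ip_network("192.168.3.3/32")),   # deny ip any host 192.168.3.3
    ("permit", ANY, INSIDE_NET),                   # permit ip any 192.168.0.0 255.255.0.0
]

# static (inside,FLSM) 192.168.3.3 192.168.3.3: identity mapping presented to the DMZ
STATICS_INSIDE_FLSM = {ip_address("192.168.3.3"): ip_address("192.168.3.3")}  # real -> mapped


@dataclass
class Xlate:
    egress: str               # interface the packet leaves on
    rule: str                 # nat rule that decided the source address
    src: str                  # source address after translation
    dst: str                  # destination address after translation
    needs_return_route: bool  # must the far side know a route to 192.168.110.0/24?


def nat0_exempts(src, dst):
    """First-match walk of the nat 0 access-list; implicit deny means not exempt."""
    for action, s_net, d_net in NAT0_ACL:
        if src in s_net and dst in d_net:
            return action == "permit"
    return False


def egress_interface(dst):
    """Routing lookup: connected 192.168.0.0/16 on inside, default route (setroute) out outside."""
    return "inside" if dst in INSIDE_NET else "outside"


def translate_from_flsm(src_s, dst_s):
    """Return the translation the config applies to one FLSM -> elsewhere packet."""
    src, dst = ip_address(src_s), ip_address(dst_s)
    if src not in FLSM_NET:
        raise ValueError("not a packet from the FLSM subnet")
    egress = egress_interface(dst)
    # Destination side: the static (inside,FLSM) presents the inside host to the DMZ.
    # It is an identity mapping here, so the real address equals the mapped one.
    real_dst = next((r for r, m in STATICS_INSIDE_FLSM.items() if m == dst), dst)
    # 1. NAT exemption (nat 0 access-list) is checked before any other nat rule
    #    (assumption: documented PIX precedence). 192.168.3.3 is denied by the ACL,
    #    so traffic to it falls through; other inside hosts are exempted and the
    #    DMZ source address is kept, which is why a route back is then needed.
    if nat0_exempts(src, dst):
        return Xlate(egress, "nat (FLSM) 0 access-list FLSM1", src_s, str(real_dst), True)
    # 2. "outside" nat: DMZ hosts heading to the higher-security inside are
    #    translated to global (inside) 2, i.e. the inside interface address.
    if egress == "inside":
        return Xlate(egress, "nat (FLSM) 2 ... outside / global (inside) 2 interface",
                     INSIDE_IF_ADDR, str(real_dst), False)
    # 3. Regular nat towards the outside: nat (FLSM) 1 / global (outside) 1 interface.
    return Xlate(egress, "nat (FLSM) 1 / global (outside) 1 interface",
                 OUTSIDE_IF_ADDR, str(real_dst), False)


if __name__ == "__main__":
    # Constructed sample packets from a DHCP-range DMZ host.
    for dst in ("192.168.3.3", "192.168.7.7", "198.51.100.10"):
        print(translate_from_flsm("192.168.110.55", dst))
```

Running it shows the three outcomes the thread is arguing about: a telnet to 192.168.3.3 is not exempted, so its source becomes the inside interface address 192.168.5.20 and no inside host needs a route to the DMZ; a packet to any other 192.168.x.x host matches the permit line of FLSM1, keeps its 192.168.110.x source and therefore depends on the inside network routing back to 192.168.110.0/24, which is Jon's point about the nat 0 statement; and traffic leaving via outside is not covered by FLSM1 at all and falls through to nat 1.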
