01-31-2007 06:50 AM - edited 03-11-2019 02:26 AM
Hi,
I was trying to configure outside nat to allow a host on the dmz (FLSM) interface to telnet to a host on the inside interface. I gave up and called cisco tac. They were able to get it to work for me by combining a nat 0 command with outside nat. But I don't understand how this works. There's a good possibility that I'll have to duplicate, troubleshoot or modify the configuration and I want to know how this works before I get into a situation where I'm making changes and not understanding their impact.
The main rule that I follow when tshooting/understanding the pix is that it goes:
Into the interface>ACL>NAT>Routing>out another interface.
It looks to me like:
1. traffic hits the FLSM interface
ACL
2. traffic passes the ACL (permit ip any any)
NAT
3. traffic from the FLSM interface to the inside is not being nat'd via the nat 0 command except for traffic to 192.168.3.3
4. the line "static (inside,FLSM) 192.168.3.3 192.168.3.3 netmask 255.255.255.255 0 0" lets the pix accept traffic for that ip on the FLSM interface
ROUTE
5. the pix forwards the traffic out the inside interface to the real host 192.168.3.3
Even that doesn't quite seem to make sense.
Why is there a nat 0 command at all?
Why is 192.168.3.3 not not nat'd? (Not a typo.)
Where does the outside nat statement get applied "nat (FLSM) 2 192.168.110.0 255.255.255.0 outside 0 0"?
Here's the config:
515e# sh ru
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 FLSM security50
enable password xxx encrypted
passwd xxx encrypted
hostname 515e
domain-name net.internal
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list FLSM permit ip any any
access-list FLSM1 deny ip any host 192.168.3.3
access-list FLSM1 permit ip any 192.168.0.0 255.255.0.0
pager lines 200
logging on
logging timestamp
logging monitor debugging
no logging message 710005
mtu outside 1500
mtu inside 1500
mtu FLSM 1500
ip address outside dhcp setroute
ip address inside 192.168.5.20 255.255.0.0
ip address FLSM 192.168.110.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 2 interface
nat (FLSM) 0 access-list FLSM1
nat (FLSM) 1 192.168.110.0 255.255.255.0 0 0
nat (FLSM) 2 192.168.110.0 255.255.255.0 outside 0 0
static (inside,FLSM) 192.168.3.3 192.168.3.3 netmask 255.255.255.255 0 0
access-group FLSM in interface FLSM
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh 192.168.110.0 255.255.255.0 FLSM
ssh timeout 60
console timeout 0
dhcpd address 192.168.110.51-192.168.110.61 FLSM
dhcpd lease 692100
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable FLSM
terminal width 80
02-01-2007 01:01 AM
Hi
Easy one first.
To allow traffic from a lower to a higher security interface you need an access-list and a static translation.
So
static (inside,FLSM) 192.168.3.3 192.168.3.3 netmask 255.255.255.255 0 0
is presenting the internal server 192.168.3.3 to the DMZ as 192.168.3.3. It's a peculiarity of the pix that even when you don't want to change the address you still have to set up NAT. With other vendor firewalls you don't need this.
The second bit is a bit more confusing. The nat (FLSM) 0 statement says do not translate the DMZ addresses to anything else. So within your network there must be a route back to the 192.168.110.0 DMZ network.
I agree that the nat FLSM 2 statement is confusing. What this is saying is translate all the DMZ 192.168.110.0 addresses to the inside interface address when traffic comes from the DMZ to the inside.
I suspect the nat 0 is overriding this. Either should work as far as I can see.
HTH
Jon
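To make the "interface > ACL > NAT > route" reasoning from the thread concrete, here is a small Python model of how the posted config treats a packet entering the FLSM interface. It is an added example, not Cisco code and not anything the poster or TAC wrote. The interface addresses, access-lists, nat/global/static lines are copied from the posted config; the evaluation order (inbound ACL, then destination accepted via static or NAT exemption, then source translated by nat 0 exemption first and otherwise by a nat id that has a matching global on the egress interface, with the outside keyword governing lower-to-higher traffic) and the placeholder for the DHCP-assigned outside address are modelling assumptions stated in the code.

```python
"""Simplified model of the posted PIX 6.3 config for packets entering FLSM.
Added example, not Cisco code. The rule order and the rule that a nat id is
usable only when a global exists on the egress interface are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Interface addresses, masks and security levels from the posted config.
# The outside address comes from DHCP, so it is a labelled placeholder here.
INTERFACES = {
    "outside": {"security": 0,   "net": "0.0.0.0/0",        "addr": "OUTSIDE_DHCP_ADDR"},
    "inside":  {"security": 100, "net": "192.168.0.0/16",   "addr": "192.168.5.20"},
    "FLSM":    {"security": 50,  "net": "192.168.110.0/24", "addr": "192.168.110.1"},
}

# access-list FLSM (applied inbound on FLSM) and FLSM1 (nat 0 exemption list)
ACL_FLSM = [("permit", "0.0.0.0/0", "0.0.0.0/0")]
ACL_FLSM1 = [("deny", "0.0.0.0/0", "192.168.3.3/32"),
             ("permit", "0.0.0.0/0", "192.168.0.0/16")]
NAT_EXEMPT_ACL = ACL_FLSM1               # nat (FLSM) 0 access-list FLSM1

# nat (FLSM) statements: (nat_id, local_net, has_outside_keyword)
NAT_FLSM = [(1, "192.168.110.0/24", False), (2, "192.168.110.0/24", True)]
# global statements: (interface, nat_id) -> "interface" means PAT to that address
GLOBALS = {("outside", 1): "interface", ("inside", 2): "interface"}
# static (inside,FLSM) 192.168.3.3 192.168.3.3: (real_if, mapped_if, real, mapped)
STATICS = [("inside", "FLSM", "192.168.3.3", "192.168.3.3")]


@dataclass
class Result:
    verdict: str
    src: str
    dst: str
    egress: Optional[str] = None
    steps: list = field(default_factory=list)


def _in(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def acl_lookup(acl, src, dst):
    """First-match evaluation with the PIX's implicit deny at the end."""
    for action, s, d in acl:
        if _in(src, s) and _in(dst, d):
            return action == "permit"
    return False


def egress_interface(dst):
    """Longest-prefix match over connected networks; outside is the default route."""
    def score(name):
        net = ipaddress.ip_network(INTERFACES[name]["net"])
        return net.prefixlen if _in(dst, net) else -1
    return max(INTERFACES, key=score)


def process_from_flsm(src, dst):
    r = Result("pending", src=src, dst=dst)
    # 1. inbound ACL on the ingress interface
    if not acl_lookup(ACL_FLSM, src, dst):
        r.verdict = "dropped by access-group FLSM"
        return r
    r.steps.append("ACL FLSM: permit")
    # 2. route lookup decides the egress interface and direction
    r.egress = egress_interface(dst)
    going_up = INTERFACES[r.egress]["security"] > INTERFACES["FLSM"]["security"]
    exempt = acl_lookup(NAT_EXEMPT_ACL, src, dst)
    # 3. lower-to-higher traffic needs a static or an exemption for the destination
    if going_up:
        mapped = {m: real for ri, mi, real, m in STATICS if ri == r.egress and mi == "FLSM"}
        if dst in mapped:
            r.dst = mapped[dst]
            r.steps.append("static (inside,FLSM): destination accepted")
        elif exempt:
            r.steps.append("nat 0 access-list: exemption accepts the destination")
        else:
            r.verdict = "dropped: no static or exemption for this destination"
            return r
    # 4. source translation: exemption wins, else a nat id with a global on egress
    if exempt:
        r.steps.append("nat (FLSM) 0: source left untranslated")
        r.verdict = "forwarded"
        return r
    for nat_id, local_net, outside_kw in NAT_FLSM:
        # assumption: the outside keyword selects lower-to-higher traffic only
        if not _in(src, local_net) or outside_kw != going_up:
            continue
        if GLOBALS.get((r.egress, nat_id)) == "interface":
            r.src = INTERFACES[r.egress]["addr"]
            r.steps.append(f"nat (FLSM) {nat_id} + global ({r.egress}) {nat_id}: PAT")
            r.verdict = "forwarded"
            return r
    r.verdict = "dropped: no translation group found"
    return r


if __name__ == "__main__":
    for dst in ("192.168.3.3", "192.168.7.7", "8.8.8.8"):   # constructed destinations
        res = process_from_flsm("192.168.110.55", dst)
        print(dst, res.verdict, res.egress, res.src, "->", res.dst, res.steps)
```

Running the model on a constructed DMZ host 192.168.110.55 shows the split the thread is puzzling over: telnet to 192.168.3.3 is not exempted by FLSM1, so it is accepted by the static and its source is PAT'd to the inside interface address 192.168.5.20, while a connection to any other 192.168.x.x host matches the nat 0 list and keeps its 192.168.110.55 source, which is exactly the case where the inside network needs a route back to 192.168.110.0.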