03-02-2007 09:04 AM - edited 03-11-2019 02:40 AM
I'm having an issue working with a PIX 7.0 that has lots of history. There is a ton of entries like below:
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
I'm trying to make one ip address on that subnet come out as the firewall external IP. I have the global (outside) 1 interface set up with the nat (inside) 1 192.168.1.5. This doesn't work unless I pull out the static entry for the entire subnet.
The main problem I'm having is for some reason when I pull out the static that has the subnet. Without the static entry the subnet comes out with an address other than itself. What does the PIX do for an address that doesn't have a static or global entry set up?
03-02-2007 09:28 AM
Your problem is with nat order of operations. The static for the 192 subnet takes precedence over your regular nat for 192.168.1.5.
1. nat exemption
2. static nat
3. static pat
4. policy nat
5. regular nat
03-02-2007 09:30 AM
So why is it when I pull the static for the entire subnet they come out nat'd to something else?
03-02-2007 09:38 AM
What is the address?
It is NATing somewhere, if it's not in the static, it could be 3-5 mentioned above. Find the address in your config and you will know where.
03-02-2007 09:40 AM
I guess a better question would be: why would you put in a static entry for an address to NAT the address it already has? Shouldn't it already do this without that entry?
03-02-2007 09:46 AM
not sure I follow anymore
03-02-2007 09:48 AM
sorry...
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
What is the purpose of an entry like that? Shouldn't anything on the 192.168.1.0 come out with its real address even without that entry?
03-02-2007 09:54 AM
not if you have nat-control enabled
The nat-control command on the PIX specifies that all traffic through the firewall must have a specific translation entry (nat statement with a matching global, or a static statement) for that traffic to pass through the firewall.
03-02-2007 09:56 AM
none in the running config
03-02-2007 10:06 AM
It would also need to be there if you had something like
global (outside) 1 x.x.x.x
nat (inside) 1 0.0.0.0 0.0.0.0
and you did not want 192.168.1.0 to be PAT'ed to x.x.x.x
Hope that makes sense, I don't know enough about your environment to know whether it is needed or not.
03-02-2007 10:16 AM
That's actually what the problem was I just found it 10 minutes ago. You've been a great help acomiskey thanks a ton :)
03-02-2007 10:19 AM
no prob, please rate if it helped.
03-20-2013 07:52 AM
Hi guys,
I reopen this thread as it's close to my scenario.
I got a 7.2 IOS version ASA that has nat-control enabled and I have this config:
static (intranet,outside) 192.168.0.5 192.168.0.5 netmask 255.255.255.255
Here is the rest of the config, that might be important:
interface Ethernet0/2
nameif intranet
security-level 100
ip address 192.168.0.1 255.255.254.0
nat (intranet) 0 access-list no_nat_intranet
nat (intranet) 1 access-list nat_users
global (dmz) 1 80.B.C.D
access-list nat_users line 1 extended permit ip 192.168.0.0 255.255.255.128 any
And here I got the pin:
access-list no_nat_intranet line 1 extended permit ip 192.168.0.0 255.255.254.0 192.168.10.0 255.255.255.0
access-list no_nat_intranet line 2 extended permit ip host 192.168.0.183 any
access-list no_nat_intranet line 3 extended permit ip host 192.168.0.5 any
What does this statement "states"? Can anyone kindly detail it?
And why is it necessary to exempt it again in NAT_Exempt statement?
03-20-2013 08:06 AM
Hi,
Well it seems you have 2 configurations for the host 192.168.0.5
The "static" configuration line is an Identity NAT that basically states that the address isn't translated when it's accessing networks behind the "outside" interface, which doesn't make much sense since it's a private IP address. (Unless you have some other device doing NAT in front of the firewall)
The "nat (intranet) 0" and one of its ACL lines basically states that when the host 192.168.0.5 tries to connect to "any" host on any interface, it shouldn't be NATed.
The "static" line only applies between "intranet" and "outside" WHILE the "nat (intranet) 0" applies between "intranet" and "any"
So I would have to guess that the NAT0 rules reason for being there is to prevent NAT from being done to this host 192.168.0.5 no matter where it connects through this firewall.
- Jouni
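To make the rule precedence from the earlier reply (nat exemption, static nat, static pat, policy nat, regular nat), the nat-control drop behaviour, and the interface-scope difference Jouni describes concrete, here is a small Python model of the lookup. This is an added example written for this thread, not Cisco code and not a faithful ASA implementation: it ignores ports, PAT pools, connection state and exact ACL ordering, and within one precedence category it simply lets the longest matching real prefix win. The interface names, the destination addresses and the outside address 203.0.113.10 are constructed sample values; "80.B.C.D" is carried over as the placeholder the post uses.

```python
"""Toy model of PIX/ASA 7.x NAT rule precedence and nat-control (added example)."""
import ipaddress
from dataclasses import dataclass

# Precedence as listed in the thread: lower number wins.
PRECEDENCE = {"nat-exemption": 1, "static-nat": 2, "static-pat": 3,
              "policy-nat": 4, "regular-nat": 5}
ANY = ipaddress.ip_network("0.0.0.0/0")


def net(cidr):
    return ipaddress.ip_network(cidr)


@dataclass
class NatRule:
    kind: str                     # key of PRECEDENCE
    in_if: str                    # real-side interface, e.g. "inside"
    out_if: str                   # mapped-side interface, or "any"
    real: ipaddress.IPv4Network   # real addresses the rule covers
    dst: ipaddress.IPv4Network    # destination filter (ACL), ANY if unrestricted
    mapped: str                   # "identity" or the global/mapped address


def select_rule(rules, in_if, out_if, src, dst):
    """Pick the rule that applies to src->dst leaving in_if towards out_if."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [r for r in rules
            if r.in_if == in_if and r.out_if in ("any", out_if)
            and src in r.real and dst in r.dst]
    if not hits:
        return None
    # Category precedence first; inside one category the longest real prefix
    # wins (a simplification of the per-category tie-break on the real box).
    return min(hits, key=lambda r: (PRECEDENCE[r.kind], -r.real.prefixlen))


def translate(rules, in_if, out_if, src, dst, nat_control):
    """Return (action, address) for one flow: drop, pass untranslated, or translate."""
    rule = select_rule(rules, in_if, out_if, src, dst)
    if rule is None:
        # nat-control: traffic with no translation entry does not pass.
        return ("drop", None) if nat_control else ("pass", src)
    if rule.mapped == "identity":
        return ("pass", src)
    return ("translate", rule.mapped)


# Scenario from the first post: identity static for the whole /24 alongside a
# nat/global pair meant to send only 192.168.1.5 out as the outside address.
OUTSIDE_IP = "203.0.113.10"  # constructed stand-in for the firewall's outside IP
IDENTITY_STATIC = NatRule("static-nat", "inside", "outside", net("192.168.1.0/24"), ANY, "identity")
PAT_HOST = NatRule("regular-nat", "inside", "any", net("192.168.1.5/32"), ANY, OUTSIDE_IP)
PAT_ALL = NatRule("regular-nat", "inside", "any", net("0.0.0.0/0"), ANY, OUTSIDE_IP)


def op_scenario(with_static):
    """With the static present it beats regular nat for every host in the /24;
    without it, every host falls through to the global and leaves translated."""
    rules = [PAT_HOST, PAT_ALL] + ([IDENTITY_STATIC] if with_static else [])
    return {ip: translate(rules, "inside", "outside", ip, "198.51.100.7", True)
            for ip in ("192.168.1.5", "192.168.1.9")}


def nat_control_scenario(enabled):
    """A host covered by no static/nat/global entry: dropped only under nat-control."""
    return translate([PAT_HOST], "inside", "outside", "10.9.9.9", "198.51.100.7", enabled)


def jouni_scenario(with_nat0):
    """Static identity covers intranet->outside only; nat 0 covers any interface."""
    rules = [
        NatRule("static-nat", "intranet", "outside", net("192.168.0.5/32"), ANY, "identity"),
        NatRule("regular-nat", "intranet", "any", net("192.168.0.0/25"), ANY, "80.B.C.D"),
    ]
    if with_nat0:
        rules.append(NatRule("nat-exemption", "intranet", "any", net("192.168.0.5/32"), ANY, "identity"))
    return {out_if: translate(rules, "intranet", out_if, "192.168.0.5", dst, True)
            for out_if, dst in (("outside", "198.51.100.7"), ("dmz", "172.16.5.5"))}


if __name__ == "__main__":
    print("static kept   :", op_scenario(True))
    print("static removed:", op_scenario(False))
    print("nat-control on/off:", nat_control_scenario(True), nat_control_scenario(False))
    print("static only :", jouni_scenario(False))
    print("with nat 0  :", jouni_scenario(True))
```

Running it shows the three behaviours the thread turns on: with the identity static in place, 192.168.1.5 stays itself because static nat outranks the regular nat written for it; with the static removed, the whole subnet is translated to the global address; a host covered by nothing is dropped only while nat-control is on; and 192.168.0.5 heading to the dmz is translated unless the nat 0 exemption, which is not tied to one mapped interface, is present.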
03-20-2013 08:35 AM
Thanks mate!
Basically this means, I can remove the static NAT statement, as it is covered by the nat 0 ACL.
Next, if I disable nat-control on the running config, firewall being used in production do you think it can cause any traffic disruption?
From what I read, it wouldn't make sense. Trouble might arise when enabling it (nat-control) if the config lacks some inside-to-outside nat statements. Am I right on this judgement?