Cisco Pix 6.3 inbound access without "statics"

Answered Question
May 8th, 2007
User Badges:

Having some difficulties with a pix 6.3

facing the task to provide inbound onnections from lower security interfaces to several network segments behind the Pix's inside interface.


I'm not sure what my options are to provide translations for inbound connections without using static nat entries for every network.

Have read several posts overhere discussing the no nat-control feature, however as far as i know this is only applicable to Pix 7.


Also tried using "Nat 0 access-list #" configurations but seems this won't eliminate the need to provide specific static entries for inside networks.


Many Thanks for sharing your thoughts.



Correct Answer by vitripat about 10 years 1 month ago

Yes, this would allow inbound connections also, becuase nat exemtion or nat 0 with access-list is bidirectional like your static commands.


Regards,

Vibhor.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
vitripat Tue, 05/08/2007 - 12:03
User Badges:
  • Gold, 750 points or more

You should be able to provide inbound access to internal networks without using static commands if following set of commands are used-


access-list nonat permit ip any any

nat (inside) 0 access-list nonat


access-list 101 permit ip any any

access-group 101 in interface outside


These ACLs are currently opening IP access, so you may tighten this based on your requirements. Keep in mind that we are not translating internal networks to any different IP addresses, hence, outside hosts will use the real IP address of internal hosts to make inbound connections through PIX. Also, you will not see any translation entry in "show xlate" output.


Hope this helps.


Regards,

Vibhor.

Jon Marshall Tue, 05/08/2007 - 12:46
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Hi Vibor


Does this still apply if the connection is being made from the outside in ie the connection is initiated from the outside.


I can see how your commands above would allow internal clients not to be natted when they initiate connections out but not how the commands would allow connections to be initiated from outside to in.


Jon

Correct Answer
vitripat Tue, 05/08/2007 - 12:51
User Badges:
  • Gold, 750 points or more

Yes, this would allow inbound connections also, becuase nat exemtion or nat 0 with access-list is bidirectional like your static commands.


Regards,

Vibhor.

dkrijgsman Tue, 05/08/2007 - 13:01
User Badges:

Hi Vibhor,


Hmmz, than i made the wrong assumptions, cause i was asking myself the same question as Jon. I did use a nat 0 access-list configuration, but i've put it on the outside interface, like:


nat (outside) 0 access-list test

access-list test permit ip any any


So i'll try to configure it on the inside and will test again. I've Tightened security with access-lists on all interfaces, so security after translation/exemption has been taken care off.


Thanks so far

dkrijgsman Tue, 05/08/2007 - 13:29
User Badges:

Vibhor,


I've also found these explanations within the command reference:


http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#wp1163222 is stating:


The following example shows use of the nat 0 access-list command (NAT exemption) to permit internal host 10.1.1.15, which is accessible through the inside interface, to bypass NAT when connecting to outside host 10.2.1.3.


access-list no-nat permit ip host 10.1.1.15 host 10.2.1.3

nat (inside) 0 access-list no-nat



The following commands use NAT exemption on a PIX Firewall with three interfaces:


access-list all-ip-packet permit ip 0 0 0 0

nat (dmz) 0 access-list all-ip-packet

nat (inside) 0 access-list all-ip-packet


Would seem to me Jon has a point afterall. Let me test to verify things :-).

Jon Marshall Tue, 05/08/2007 - 22:51
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Hi


No i don't have a point and Vibhor is spot on. I have just tested this in our lab and using Vibhor's commands it works as he stated.


Many thanks Vibhor, i have been using Pix firewalls for a few years now and was not aware that this command was bi-directional. You live and learn !


Jon

dkrijgsman Wed, 05/09/2007 - 00:17
User Badges:

Jon,


Thanks for verifying things.

Vibhor thanks for your great help


Dennis

jahangeer_abdul Fri, 05/11/2007 - 04:47
User Badges:

Hi,


Kindly Indicate for below scenario, Static necessary or not for Inbound Conncetion.


I am not able to access my Inside Server.


nameif ethernet0 outside security0


nameif ethernet1 inside security100


ip address outside 192.168.1.3 255.255.255.0


ip address inside 3.142.125.2 255.255.0.0


access-list no_nat_inside permit ip any any


access-list outside_acl permit icmp any any


access-list outside_acl permit ip 192.168.1.0 255.255.255.0 host 192.168.1.102


access-list inside_acl permit icmp any any


access-list inside_acl permit ip 3.142.0.0 255.255.0.0 192.168.1.0 255.255.255.0


nat (inside) 0 access-list no_nat_inside


static (inside,outside) 192.168.1.102 3.142.125.10 netmask 255.255.255.255 0 0


access-group outside_acl in interface outside


access-group inside_acl in interface inside



Actions

This Discussion