Help....Mixed up with NAT Translations

Unanswered Question
May 28th, 2007

Hi All,

I'm new here.... I have CCNA knowledge and I'm rather new to firewalls.

My new workplace has a 515 installed, so I started reading about PIXs to see what's going on !!!

In the configuration I have 'inherited' I have the following lines about NAT:

global (outside) 1 interface
global (DMZ-Database) 1 interface
global (DMZ-App) 1 interface
nat (inside) 0 access-list IN-OUT-NONAT
nat (DMZ-Database) 0 access-list DMZ-DAT-NONAT
nat (DMZ-App) 0 access-list DMZ-APP-NONAT

From studying I realize that whoever did the configuration used the NAT command and the identifier (0) to specify that he DOES NOT WANT NAT translation ...RIGHT ???

Now, in his GLOBAL commands he specifies the outbound interfaces that have to use the interface IP address ??? Am I correct ???

If I am correct in both cases then isn't this a clashing issue...

He first specifies that he does not wish any NAT translations, and then he specifies that the outbound traffic to (outside), (DMZ-Database), (DMZ-App) must use that interface's IP address !!!!

Am I missing something here ???

Please note that all the access-lists which are used in the NAT commands all specify PERMIT IP ANY ANY !!!!

Thanks in advance,

George

zulqurnain Tue, 05/29/2007 - 00:45

for your question:

1. Yes, you are correct: the IP address used will be that of the interface.

On the other hand, for your query:

The last admin from whom you inherited wanted:

1. to not perform any NATting / translation on traffic moving from inside to DMZs.

2. but to perform NAT translation on traffic moving from inside or DMZs to outside.

Hence, looking at the configuration, traffic moving between inside and DMZs will not be NATted at all, but traffic moving from inside or from the DMZs to outside will be NATted, taking the interface IP address.

HTH, please rate it

jean.l.pierre Tue, 05/29/2007 - 02:25

Hi!

I think in order to know if the traffic is being NATted or not, you have to paste here the 3 ACLs configured on the NAT statements.

Regards,

JP

g-serghiou Tue, 05/29/2007 - 02:31

ok, here they are:

access-list outside extended permit ip any any
access-list IN-OUT-NONAT extended permit ip 10.154.11.0 255.255.255.0 10.154.0.0 255.255.0.0
access-list IN-OUT-NONAT extended permit ip 10.154.11.0 255.255.255.0 10.189.0.0 255.255.0.0
access-list DMZ-APP-NONAT extended permit ip 10.154.32.0 255.255.255.0 10.154.0.0 255.255.0.0
access-list DMZ-DAT-NONAT extended permit ip 10.154.42.0 255.255.255.0 10.154.0.0 255.255.0.0
access-list DMZ-1 extended permit ip any any
access-list DMZ-2 extended permit ip any any
access-list INSIDE extended permit ip any any

I got the reply previously that NAT (PAT) only happens when talking via the outside interface (EDITED: or more correctly, not using NAT for any IP address not specified in the access-lists in the NAT statements)!!!

I think what confuses me is the usage of (0) in NAT to specify that no NAT is wanted, and then the (1) in the GLOBAL command... what is the actual meaning of these numbers/identifiers and what is their exact relation ????

I had the impression, from reading books on PIX configuration, that these numbers go hand-in-hand....obviously they don't ???

Thanks,

George

acomiskey Tue, 05/29/2007 - 04:50

The numbers are related in global and nat statements.

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

jean.l.pierre Tue, 05/29/2007 - 05:23

Hi!

They are related (global and nat identifiers). The only exception is the NAT 0.

Can you paste here the configuration of the PIX interfaces?

Thanks,

JP

g-serghiou Tue, 05/29/2007 - 20:33

Hi JP.

Here is the config of the firewall !!!

I'm just puzzled as to when you can use different numbers (identifiers) for NAT and GLOBAL. Doesn't the GLOBAL identifier need to be specified in a NAT statement !!!! Should the configuration have a NAT with id 1 in addition to 0, so that traffic within the DMZs does not get NATed, and gets NATed when going to outside ????

Anyway, here is the config. Also you can see that they are using a firewall....but they permit ALL on all !!! EVEN FROM OUTSIDE !!!! :)

PIX Version 7.2(2)
!
PIX-515
enable password mF9rSbz4w8A4m2vX encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.154.10.1 255.255.255.252
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.154.11.250 255.255.255.0
!
interface Ethernet2
 nameif DMZ-App
 security-level 100
 ip address 10.154.32.250 255.255.255.0
!
interface Ethernet3
 nameif DMZ-Database
 security-level 100
 ip address 10.154.42.250 255.255.255.0
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd qNgaqi5tLET5t2io encrypted
ftp mode passive
same-security-traffic permit inter-interface
access-list outside extended permit ip any any
access-list IN-OUT-NONAT extended permit ip 10.154.11.0 255.255.255.0 10.154.0.0 255.255.0.0
access-list IN-OUT-NONAT extended permit ip 10.154.11.0 255.255.255.0 10.189.0.0 255.255.0.0
access-list DMZ-APP-NONAT extended permit ip 10.154.32.0 255.255.255.0 10.154.0.0 255.255.0.0
access-list DMZ-DAT-NONAT extended permit ip 10.154.42.0 255.255.255.0 10.154.0.0 255.255.0.0
access-list DMZ-1 extended permit ip any any
access-list DMZ-2 extended permit ip any any
access-list INSIDE extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ-Database 1500
mtu DMZ-App 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any DMZ-Database
icmp permit any DMZ-App
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ-Database) 1 interface
global (DMZ-App) 1 interface
nat (inside) 0 access-list IN-OUT-NONAT
nat (DMZ-Database) 0 access-list DMZ-DAT-NONAT
nat (DMZ-App) 0 access-list DMZ-APP-NONAT
access-group outside in interface outside
access-group INSIDE in interface inside
access-group DMZ-2 in interface DMZ-Database
access-group DMZ-1 in interface DMZ-App
route outside 0.0.0.0 0.0.0.0 10.154.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.154.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
prompt hostname context
Cryptochecksum:7e3d13100e0bab468be7323ac1d13c29
: end
PIX-515# exit

Logoff

zroth Wed, 05/30/2007 - 02:08

Hi,

nat with identifier 0 does not translate at all. It is mostly used for IPSec LAN-to-LAN tunnels (but not always). It means that all IP addresses defined with nat 0 are not translated to any interface. Therefore, in your configuration, translation cannot work.

If you want to translate, you must first define what to translate. For instance, in your case the command nat (inside) 1 10.154.11.100 255.255.255.255 translates this IP address on the outside interface, and the translated IP address would be that of the outside interface. The same for other interfaces where global ( ) 1 is configured. Beware, the nat 0 command has higher priority!!! It means, if you want to go to the addresses defined in access-list IN-OUT-NONAT, no translation comes into effect.

Hope it helps a little.

Zdenek
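As an added example (not part of the thread, and not Cisco code), the following Python models the NAT decision the replies above describe: the nat 0 access-list exemption is evaluated first and wins on a source/destination match, and a non-zero nat id only results in a translation when a global with the same id exists on the egress interface. The NAT lines and interface addresses are copied from George's posted config; the `nat (inside) 1 0.0.0.0 0.0.0.0` line from acomiskey's reply is appended as a hypothetical change, the destinations 8.8.8.8 and 10.189.5.5 are constructed sample addresses, and the fallback that a packet matching no rule is forwarded untranslated assumes nat-control is disabled (the PIX 7.x default; the posted config has no nat-control line). The parser only understands the subset of syntax used here.

```python
import ipaddress
from collections import defaultdict

# NAT-related lines copied from the PIX 7.2 config posted in the thread (wrapped lines rejoined).
THREAD_CONFIG = """
access-list IN-OUT-NONAT extended permit ip 10.154.11.0 255.255.255.0 10.154.0.0 255.255.0.0
access-list IN-OUT-NONAT extended permit ip 10.154.11.0 255.255.255.0 10.189.0.0 255.255.0.0
access-list DMZ-APP-NONAT extended permit ip 10.154.32.0 255.255.255.0 10.154.0.0 255.255.0.0
access-list DMZ-DAT-NONAT extended permit ip 10.154.42.0 255.255.255.0 10.154.0.0 255.255.0.0
global (outside) 1 interface
global (DMZ-Database) 1 interface
global (DMZ-App) 1 interface
nat (inside) 0 access-list IN-OUT-NONAT
nat (DMZ-Database) 0 access-list DMZ-DAT-NONAT
nat (DMZ-App) 0 access-list DMZ-APP-NONAT
"""

# Hypothetical change taken from acomiskey's reply: a nat id 1 rule on inside, so the
# existing 'global (outside) 1 interface' finally has something to translate.
CONFIG_WITH_NAT1 = THREAD_CONFIG + "nat (inside) 1 0.0.0.0 0.0.0.0\n"

# Interface addresses from the posted config (used when a global says 'interface').
INTERFACES = {
    "outside": "10.154.10.1",
    "inside": "10.154.11.250",
    "DMZ-App": "10.154.32.250",
    "DMZ-Database": "10.154.42.250",
}


def parse_pix_nat(config_text):
    """Parse the subset of PIX syntax used here: 'access-list ... permit ip', 'global', 'nat'."""
    acls = defaultdict(list)   # name -> [(src_net, dst_net)]
    nats = defaultdict(list)   # source interface -> [(nat_id, ("acl", name) | ("net", network))]
    globals_ = {}              # (egress interface, nat_id) -> "interface" or a pool address
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "access-list" and parts[2:5] == ["extended", "permit", "ip"]:
            src = ipaddress.ip_network(f"{parts[5]}/{parts[6]}", strict=False)
            dst = ipaddress.ip_network(f"{parts[7]}/{parts[8]}", strict=False)
            acls[parts[1]].append((src, dst))
        elif parts[0] == "global":
            globals_[(parts[1].strip("()"), int(parts[2]))] = parts[3]
        elif parts[0] == "nat":
            ifname, nat_id = parts[1].strip("()"), int(parts[2])
            if parts[3] == "access-list":
                nats[ifname].append((nat_id, ("acl", parts[4])))
            else:
                net = ipaddress.ip_network(f"{parts[3]}/{parts[4]}", strict=False)
                nats[ifname].append((nat_id, ("net", net)))
    return acls, nats, globals_


def nat_decision(config_text, src_if, src_ip, dst_ip, egress_if, interfaces=INTERFACES):
    """Return (outcome, translated_address) for one flow.

    outcome: 'exempt' (nat 0 access-list matched), 'identity' (nat 0 network matched),
    'pat' (nat id mapped to 'global ... interface' on egress), 'nat' (mapped to a pool
    address), 'no-global' (nat id has no global on the egress interface) or
    'untranslated' (no rule matched; assumes nat-control disabled, the 7.x default).
    """
    acls, nats, globals_ = parse_pix_nat(config_text)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    rules = nats.get(src_if, [])

    # Step 1: nat 0 has the highest priority and is matched on source AND destination,
    # regardless of which interface the packet would leave through.
    for nat_id, (kind, arg) in rules:
        if nat_id != 0:
            continue
        if kind == "acl" and any(src in s and dst in d for s, d in acls.get(arg, [])):
            return ("exempt", None)
        if kind == "net" and src in arg:
            return ("identity", None)

    # Step 2: dynamic nat rules match on source only; the id selects the global on egress.
    for nat_id, (kind, arg) in rules:
        if nat_id == 0 or kind != "net" or src not in arg:
            continue
        pool = globals_.get((egress_if, nat_id))
        if pool is None:
            return ("no-global", None)
        if pool == "interface":
            return ("pat", interfaces[egress_if])
        return ("nat", pool)

    # Step 3: nothing matched. With nat-control off the packet is forwarded untranslated.
    return ("untranslated", None)


if __name__ == "__main__":
    # (config, source interface, source, destination, egress); 8.8.8.8 / 10.189.5.5 are constructed.
    flows = [
        (THREAD_CONFIG, "inside", "10.154.11.20", "10.154.42.5", "DMZ-Database"),
        (THREAD_CONFIG, "inside", "10.154.11.20", "8.8.8.8", "outside"),
        (CONFIG_WITH_NAT1, "inside", "10.154.11.20", "8.8.8.8", "outside"),
        (CONFIG_WITH_NAT1, "inside", "10.154.11.20", "10.189.5.5", "outside"),
        (CONFIG_WITH_NAT1, "DMZ-App", "10.154.32.7", "8.8.8.8", "outside"),
    ]
    for cfg, sif, s, d, eif in flows:
        label = "with nat 1" if cfg is CONFIG_WITH_NAT1 else "as posted"
        print(f"{label:10} {sif}:{s} -> {d} via {eif}: {nat_decision(cfg, sif, s, d, eif)}")
```

Running it shows the point of the thread: with the config as posted, inside-to-DMZ traffic is exempt and inside-to-outside traffic matches nothing, so the three globals never produce an xlate. After adding the hypothetical nat id 1 on inside, inside-to-outside traffic is PATed to 10.154.10.1, while a destination inside 10.189.0.0/16 still leaves untranslated because the nat 0 access-list is checked first. The DMZ interfaces would each need their own nat id 1 line to be translated towards outside.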
