NAT & Policy NAT

Answered Question
Jun 27th, 2007

Hi,


I'm trying to get my head around NAT etc


I am writing new code onto a new PIX. In the original PIX 6.3 I used access-lists and bound them to interface cards for all traffic flow.


On the new PIX 7.2 I have Policy NAT on dynamic NAT traffic - under the impression it's a better way of doing it and easier to admin ? However I have read I still need to bind an access-list to each interface for them to work ?? So should I policy NAT dynamic NAT traffic and use access-lists on the interface for the static NAT info. Or should I use access-lists, binding them to all static and dynamic NAT pools and have a blank access-list for the interfaces ??


Or should I just do the way I used to ??


What's the difference - are some ways slower than others for processing ??


Thanks


Ed

edw Thu, 06/28/2007 - 02:06

Is it that policy NAT should only be used if you need to change the IP based on destination ?


You see the problem I'm having is - it seems more logical to me to have the ACL attached to the NAT groups to keep them together, plus it must be faster to process as it doesn't have to go through all the other interface ACLs ??


Thanks


Ed

edw Sun, 07/01/2007 - 09:21

Hi,


I have configured this on my PIX 7.2 - however it doesn't work - in the end I had to add it to the access-list which was bound to my interface. Can someone explain why this is please ??


More Info:


I have configured:


access-list Corp extended permit tcp 10.10.10.0 255.255.255.0 any eq https


access-list Corp extended permit tcp 10.10.10.0 255.255.255.0 any eq www


access-list Corp extended permit tcp 10.10.10.0 255.255.255.0 any eq domain


nat-control


global (outside) 1 192.168.10.81-192.168.251.94 netmask 255.255.255.240


nat (inside) 1 access-list Corp


Thanks


Ed

Correct Answer
Jon Marshall Sun, 07/01/2007 - 10:10
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Hi Ed


Policy NAT is usually used when you want to change the source IP address but based on where it is going to, e.g.


nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface


access-list pnat permit ip host 192.168.5.1 host 217.22.67.81


nat (inside) 2 access-list pnat

global (outside) 2 194.67.1.77


The above says for all outbound traffic translate the source IP addresses to the outside interface IP address. So if host 192.168.5.1 sends traffic to any outside host, translate it to the outside IP of your PIX


UNLESS


the source is 192.168.5.1 and the destination is 217.22.67.81 in which case translate 192.168.5.1 to 194.67.1.77.


A more common occurrence of policy NAT is when you want to do a NAT exemption for traffic going down a VPN tunnel.


Personally I would always use the access-lists on the interfaces to restrict and allow traffic and use policy NAT purely for address translation.


HTH


Jon
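As an added illustration of the order Jon describes (not code from the thread or from Cisco), the Python below models how a PIX 7.x picks a translation for an outbound flow: policy NAT lines (nat ... access-list) are checked first, a plain nat line is the fallback, and the global pool with the same id supplies the translated address. The rule and pool values are Jon's example; the destination 198.51.100.10 and the label "outside-interface-ip" are constructed placeholders.

```python
"""Simplified model of how a PIX 7.x chooses a translation for an outbound flow.

Added illustration only (not Cisco code): policy NAT lines (nat ... access-list)
are evaluated before regular nat lines, and the global pool sharing the nat id
supplies the translated address. Addresses below are from Jon's example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class AclEntry:
    """One 'permit ip <src> <dst>' line of a policy NAT access-list."""
    src: str  # CIDR, e.g. "192.168.5.1/32"
    dst: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


@dataclass
class NatRule:
    """nat (inside) <nat_id> ... : policy NAT when acl is set, regular nat otherwise."""
    nat_id: int
    acl: Optional[list] = None      # list of AclEntry for policy NAT
    src: str = "0.0.0.0/0"          # source range of a regular nat line


# global (outside) 1 interface  /  global (outside) 2 194.67.1.77
# ("outside-interface-ip" is a placeholder for whatever the interface holds)
GLOBALS = {1: "outside-interface-ip", 2: "194.67.1.77"}

# nat (inside) 1 0.0.0.0 0.0.0.0  and  nat (inside) 2 access-list pnat
RULES = [
    NatRule(1),
    NatRule(2, acl=[AclEntry("192.168.5.1/32", "217.22.67.81/32")]),
]


def translated_source(src_ip, dst_ip, rules=RULES, globals_=GLOBALS):
    """Return the address the PIX would translate src_ip to for this flow."""
    # 1. Policy NAT: the first access-list entry matching both source and
    #    destination wins, whatever its position relative to regular nat lines.
    for rule in rules:
        if rule.acl and any(e.matches(src_ip, dst_ip) for e in rule.acl):
            return globals_[rule.nat_id]
    # 2. Regular nat: matched on source address only.
    for rule in rules:
        if rule.acl is None and ip_address(src_ip) in ip_network(rule.src):
            return globals_[rule.nat_id]
    # 3. Nothing matched: no translation exists for this flow.
    return None


if __name__ == "__main__":
    # 198.51.100.10 is a constructed "any other outside host"
    for dst in ("217.22.67.81", "198.51.100.10"):
        print(f"192.168.5.1 -> {dst}: {translated_source('192.168.5.1', dst)}")
```

Only the flow from 192.168.5.1 to 217.22.67.81 comes out as 194.67.1.77; every other source, or the same source to any other destination, falls through to the interface address, which is exactly the UNLESS clause above.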


edw Sun, 07/01/2007 - 11:26

Hi,


Thanks for this - you're very helpful on these forums!!


So just to check, I should use remarks to separate the access-list, not policy NATs. This is why I was mainly using them.


It's just as secure using access-lists bound to interfaces ??


One more question: I added lists such as


access-list Test extended permit tcp host 10.1.1.1 eq smtp any eq smtp


but this didn't work - I assume that all client traffic going out from a PC uses dynamic ports above 1024 and it's only received traffic which is static ??


Thanks


Ed

Jon Marshall Sun, 07/01/2007 - 11:35
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Ed


Thanks.


Not sure I follow what you mean about using remarks rather than policy NAT. Could you elaborate.


Your Test access-list, if 10.1.1.1 is a client talking smtp to a server then yes the source port from the client will be a random source port above 1024.


HTH


Jon

edw Sun, 07/01/2007 - 13:06

Hi,


Well I was trying to use the policy NAT to separate all the ACL to make it easy to read, i.e. Corporate ACL on one NAT and Office on another.


But I assume that's not what it's for, reading the post you added here. I got the wrong end of the stick...? I assume I just use remark statements to separate the ACL lines....


Is there a list that documents the client to server ports or is it okay to just say from any port to this port... security wise ???


Just trying to make things as secure as possible... I'm a perfectionist - not one of my best traits ;)


Thanks Again


Ed

Correct Answer
JBDanford2002 Sun, 07/01/2007 - 13:13

The ports that clients open to source traffic from are typically called ephemeral ports, which range from 1024 to 5000. When writing your access list entries you should leave the source port out of the equation and only define the destination port.
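To make the point above concrete, here is an added example (not from the thread or from Cisco): a small Python parser for the "access-list NAME extended permit tcp ..." lines posted in this thread, with a matcher that evaluates a client connection whose source port is ephemeral. It handles only the host / network-mask / any address forms and the optional "eq PORT" that appear here; the server address 203.0.113.25 and the source port 3000 are constructed values.

```python
"""Parser and matcher for the 'access-list NAME extended permit tcp ...' lines
in this thread. Added illustration, not Cisco code; it covers only the
host / network-mask / any address forms and the optional 'eq PORT' seen here.
"""
from ipaddress import ip_address, ip_network

# Port keywords used in the thread; the PIX knows many more.
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "domain": 53}


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    # "10.10.10.0 255.255.255.0" style: ip_network accepts a dotted netmask
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def _opt_port(tokens, i):
    """Consume an optional 'eq PORT'; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2:5] != ["extended", "permit", "tcp"]:
        raise ValueError("only 'access-list NAME extended permit tcp ...' is modelled")
    src, i = _addr(tokens, 5)
    sport, i = _opt_port(tokens, i)
    dst, i = _addr(tokens, i)
    dport, i = _opt_port(tokens, i)
    return {"name": tokens[1], "src": src, "sport": sport, "dst": dst, "dport": dport}


def ace_matches(ace, src_ip, sport, dst_ip, dport):
    """True if the entry permits a TCP flow with these addresses and ports."""
    return (ip_address(src_ip) in ace["src"]
            and (ace["sport"] is None or ace["sport"] == sport)
            and ip_address(dst_ip) in ace["dst"]
            and (ace["dport"] is None or ace["dport"] == dport))


def client_flow_permitted(ace_line, client_ip, server_ip, service_port, ephemeral_port=3000):
    """Does this entry permit a client connection to service_port? The client's
    source port is an ephemeral one (3000 here, a constructed value inside the
    1024-5000 range mentioned above), never the service port itself."""
    return ace_matches(parse_ace(ace_line), client_ip, ephemeral_port, server_ip, service_port)


if __name__ == "__main__":
    server = "203.0.113.25"  # constructed mail server address
    for ace in ("access-list Test extended permit tcp host 10.1.1.1 eq smtp any eq smtp",
                "access-list Test extended permit tcp host 10.1.1.1 any eq smtp"):
        print(f"{str(client_flow_permitted(ace, '10.1.1.1', server, 25)):5} <- {ace}")
```

Ed's Test entry pins the source port to 25, so a real client (source port 3000, destination port 25) never matches it; the same entry with the source "eq smtp" dropped matches the flow, which is why the destination-port-only form is the one to write.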

Jon Marshall Sun, 07/01/2007 - 14:30
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Ed


I understand now, thanks for the additional info. In my opinion yes, you would be better off using remarks within your access-list to separate your different groups, as using policy NAT for this if you are not trying to NAT these groups to different addresses might well confuse the next person who has to manage this device.


Jon
