Solved: NAT & Policy NAT

edw · ‎06-27-2007

Hi,

I'm trying to get my head around NAT etc

I am writing new code onto a new PIX. In the original PIX 6.3 I used access-lists and binded them to interface cards for all traffic-flow.

On the new PIX 7.2 I have Policy NAT on dynamic NAT traffic - under the impression its a better way of doing it and easier to admin ? However I have read I still need to bind a access-list to each the interface for them to work ?? So should I policy NAT dynamic NAT traffic and use access-lists on the interface for the static NAT info. Or should I use access-lists, binding them to all static and dynamcic NAT pools and have a blank access-list for the interfaces ??

Or should I just do the way I used to ??

Whats the difference - are some ways slower than others for processing ??

Thanks

Ed

Jon Marshall · ‎07-01-2007

Hi Ed

Policy NAT is usually used when you want change the source IP address but based on where it is going to eg.

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

access-list pnat permit ip host 192.168.5.1 host 217.22.67.81

nat (inside) 2 access-list pnat

global (outside) 2 194.67.1.77

The above says for all outbound traffic translate the source IP addresses to the outside interface ip address. So if host 192.168.5.1 sends traffic to any outside host tranlsate it to the outside ip of your pix

UNLESS

the source is 192.168.5.1 and the destination is 217.22.67.81 in which case translate 192.168.5.1 to 194.67.1.77.

A more commom occurence of policy NAT is when you wnat to do a NAT exemption for traffic going down a VPN tunnel.

Persoanlly i would always use the access-lists on the interfaces to restrict and allow traffic and use policy NAT purely for address translation.

HTH

Jon

View solution in original post

JBDanford2002 · ‎07-01-2007

The ports that clients open to source traffic from are typically called ephemeral ports which range from 1024 to 5000. When writing your Access list entried you should leave the source port out of the equation and only define the destination port.

View solution in original post

edw · ‎06-28-2007

Is it that policy NAT should only be used if you need to change the ip based on destination ?

You see the problem I'm having is - it seems more logical to me to have acl attached to the NAT groups to keep them together plus it must be faster to process as it doesnt have to go through all the other interface acls ??

Thanks

Ed

edw · ‎07-01-2007

Hi,

I have configured this on my PIX 7.2 - however it doesn't work - in the end I had to add it to the access-list which was binded to my interface. Can someone explain why this is please ??

More Info:

I have configured:

access-list Corp extended permit tcp 10.10.10.0 255.255.255.0 any eq https

access-list Corp extended permit tcp 10.10.10.0 255.255.255.0 any eq www

access-list Corp extended permit tcp 10.10.10.0 255.255.255.0 any eq domain

nat-control

global (outside) 1 192.168.10.81-192.168.251.94 netmask 255.255.255.240

nat (inside) 1 access-list Corp

Thanks

Ed

Jon Marshall · ‎07-01-2007

Hi Ed

Policy NAT is usually used when you want change the source IP address but based on where it is going to eg.

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

access-list pnat permit ip host 192.168.5.1 host 217.22.67.81

nat (inside) 2 access-list pnat

global (outside) 2 194.67.1.77

The above says for all outbound traffic translate the source IP addresses to the outside interface ip address. So if host 192.168.5.1 sends traffic to any outside host tranlsate it to the outside ip of your pix

UNLESS

the source is 192.168.5.1 and the destination is 217.22.67.81 in which case translate 192.168.5.1 to 194.67.1.77.

A more commom occurence of policy NAT is when you wnat to do a NAT exemption for traffic going down a VPN tunnel.

Persoanlly i would always use the access-lists on the interfaces to restrict and allow traffic and use policy NAT purely for address translation.

HTH

Jon

Jon Marshall · ‎07-01-2007

Hi Ed

Policy NAT is usually used when you want change the source IP address but based on where it is going to eg.

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

access-list pnat permit ip host 192.168.5.1 host 217.22.67.81

nat (inside) 2 access-list pnat

global (outside) 2 194.67.1.77

The above says for all outbound traffic translate the source IP addresses to the outside interface ip address. So if host 192.168.5.1 sends traffic to any outside host tranlsate it to the outside ip of your pix

UNLESS

the source is 192.168.5.1 and the destination is 217.22.67.81 in which case translate 192.168.5.1 to 194.67.1.77.

A more commom occurence of policy NAT is when you wnat to do a NAT exemption for traffic going down a VPN tunnel.

Persoanlly i would always use the access-lists on the interfaces to restrict and allow traffic and use policy NAT purely for address translation.

HTH

Jon

edw · ‎07-01-2007

Hi,

Thanks for this - your very helpful on these forums!!

So just to check I should use remoarks to seperate the access-list not policy nats. This is why I was mainly using them.

It's just as secure using acces-list bind to interfaces ??

One more questions I added lists such as

access-list Test extended permit tcp host 10.1.1.1 eq smtp any eq smtp

but this didn't work - I assume that all client traffic going out from a PC using dynamic ports above 1024 and its only recieve traffic which is static ??

Thanks

Ed

Jon Marshall · ‎07-01-2007

Ed

Thanks.

Not sure i follow what you mean about using remarks rather than policy NAT. Could you elaborate.

Your Test access-list, if 10.1.1.1 is a client talking smtp to a server then yes the source port from the client will be a random source port above 1024.

HTH

Jon

edw · ‎07-01-2007

Hi,

Well I was trying to use the policay NAT to seperate all the ACL to make it easy to read IE Corporate ACL on one NAT and Office on another.

But I assume thats not what its for reading the post you added here. I got the wrong end of the stick...? I assume I just use remarks statements to seperate the ACL lines....

Is there a list that documents the client to server ports or is it okay to just say from any port to this port... security wise ???

Just trying to make thins as secure as possible... I'm a perfectionist - not one of my best traits ;)

Thanks Again

Ed

JBDanford2002 · ‎07-01-2007

The ports that clients open to source traffic from are typically called ephemeral ports which range from 1024 to 5000. When writing your Access list entried you should leave the source port out of the equation and only define the destination port.

Jon Marshall · ‎07-01-2007

Ed

I understand now, thanks for the additional info. In my opinion yes you would be better off using remarks within your access to separate your different groups as using policy NAT for this if you are not trying to NAT these groups to different addresses might well confuse the next person who has to manage this device.

Jon