10-16-2007 11:24 AM - edited 03-11-2019 04:26 AM
Hi everyone,
I have just updated a PIX 525 from software version 6x to 8x.
I have a question on how PDM in version 6x automatically converted access-lists so they worked with outside NAT addresses, but in version 8x (using ASDM) this is not the case. This is causing me a major headache!
So previously in version 6x:
I created a NAT rule in PDM to translate the internal IP to external:
Inside server IP - 192.168.1.1
Outside NAT IP - 206.45.18.189
Resulting in:
static (inside,outside) 206.45.18.189 192.168.1.1 netmask 255.255.255.255
I then created a new access rule in PDM to permit traffic from the outside to 192.168.1.1 on the inside for any host.
The resulting access-list visible in the config is:
access-list outside_access_in extended permit ip any host 206.45.18.189
Note how PDM has taken the inside address I specified and replaced it with the valid outside NAT address. This worked a treat!
Unfortunately in version 8 using ASDM, if you permit access to an inside address from the outside, even if a valid (inside,outside) NAT rule is in place, you get this in the config:
access-list outside_access_in extended permit ip any host 192.168.1.1
It seems something major has changed! I have also noticed version 6x created "reference" groups if you allowed access to an inside network "object-group":
For example, you permit access to an inside group:
object-group network INSIDE-SERVERS
network-object 192.168.1.1
network-object 192.168.1.2
network-object 192.168.1.3
And PDM automatically creates a "reference" (_ref) group that uses the valid outside NAT addresses:
object-group network INSIDE-SERVERS_ref
network-object 206.45.18.189
network-object 206.45.18.190
network-object 206.45.18.191
The group ending in "_ref" is the one used in inbound access-lists.
Version 6 really did work its magic; has this useful "feature" disappeared in version 8x?
Many thanks for your time,
Paul
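An added example, not code from the thread or from Cisco, that reproduces what the post describes as a small audit script: it reads one-to-one statics in the pre-8.3 syntax (static (real_ifc,mapped_ifc) MAPPED REAL netmask), rebuilds the "_ref" member list PDM 6.x generated from an object-group of inside addresses, and flags inbound ACEs that name a real address, since on code before 8.3 the outside ACL is matched against the mapped address and such an ACE never matches. The sample config is constructed from the addresses and names in the post; the function names are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample config, modelled on the statics, object-group and ACL in the post.
SAMPLE_CONFIG = """\
static (inside,outside) 206.45.18.189 192.168.1.1 netmask 255.255.255.255
static (inside,outside) 206.45.18.190 192.168.1.2 netmask 255.255.255.255
static (inside,outside) 206.45.18.191 192.168.1.3 netmask 255.255.255.255
object-group network INSIDE-SERVERS
 network-object 192.168.1.1
 network-object 192.168.1.2
 network-object 192.168.1.3
access-list outside_access_in extended permit ip any host 192.168.1.1
access-list outside_access_in extended permit tcp any host 206.45.18.190 eq 80
"""

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+?) host (\S+)")


def parse_statics(config: str) -> Dict[str, str]:
    """Return {real_ip: mapped_ip} from one-to-one statics.
    Pre-8.3 syntax: static (real_ifc,mapped_ifc) MAPPED_ip REAL_ip netmask mask."""
    real_to_mapped: Dict[str, str] = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m and m.group(5) == "255.255.255.255":
            real_to_mapped[m.group(4)] = m.group(3)
    return real_to_mapped


def ref_group(config: str, group: str, real_to_mapped: Dict[str, str]) -> List[str]:
    """Rebuild the '<group>_ref' member list PDM 6.x generated: each real member is
    replaced by its static mapped address (members without a static are kept as-is)."""
    members, inside = [], False
    for line in config.splitlines():
        if line.startswith("object-group network "):
            inside = line.split()[-1] == group
        elif inside and line.strip().startswith("network-object "):
            real = line.split()[-1]
            members.append(real_to_mapped.get(real, real))
    return members


def audit_inbound_acl(config: str, acl: str, real_to_mapped: Dict[str, str]) -> List[str]:
    """Flag ACEs in `acl` whose destination host is a REAL address. Before 8.3 the
    outside ACL is evaluated against the mapped address, so such an ACE never matches."""
    findings = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == acl and m.group(5) in real_to_mapped:
            findings.append(f"{m.group(5)} is a real address; use mapped {real_to_mapped[m.group(5)]}")
    return findings
```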
10-17-2007 06:02 AM
Something isn't right here. The statement:
static (inside,outside) 206.45.18.189 192.168.1.1 netmask 255.255.255.255
is backwards. It should be:
static (inside,outside) 192.168.1.1 206.45.18.189 netmask 255.255.255.255
with an accompanying ACL:
access-list outside_access_in extended permit ip any host 192.168.1.1
I would have to say there is some mis-configuration that is creating these rules backwards.
The _ref thing is a PDM issue in itself.
10-17-2007 06:25 AM
noran01, are you sure about that? What you said it should be is not correct. It should be...
static (inside,outside) 206.45.18.189 192.168.1.1 netmask 255.255.255.255
access-list outside_access_in extended permit ip any host 206.45.18.189