Complex NAT and Pix version 8.0(3)

Unanswered Question
Aug 9th, 2008

This is my HQ Pix firewall version 8.0(3):

ip address outside 1.1.254.1 255.255.0.0 (security 0)
ip address inside 192.168.1.1 255.255.255.0 (security 100)
ip address dmz 10.1.1.1 255.255.255.0 (security 90)
ip address lease-line 192.168.192.1 255.255.255.0 (security)
route inside 172.16.0.0 255.255.0.0 192.168.1.254
route dmz 10.0.0.0 255.0.0.0 10.1.1.254
route lease-line 192.168.254.0 255.255.255.0 192.168.192.254
static (inside,outside) 1.1.0.0 172.16.0.0 netmask 255.255.255.0
static (dmz,outside) 1.1.1.0 10.0.0.0 netmask 255.255.255.0
static (inside,outside) 1.1.254.100 172.16.254.100 netmask 255.255.255.255
access-list test permit ip any any log
access-group test in interface outside
access-group test in interface inside
access-group test in interface dmz

I have requirements like this:

- There are a couple of VPNs terminating on this firewall, to remote-A and remote-B. Remote-A also has network 172.16.20.0/24, which overlaps with my LAN 172.16.0.0/16 network. Double-NAT will have to be done on both sides.

- Remote-B has a network of 10.10.10.0/24, which overlaps with my dmz network. Double-NAT will have to be done on both sides.

- Users coming from source 129.174.1.0/24 over the Internet hitting host 1.1.0.100 and host 10.1.0.200: the destination will be translated into 172.16.0.101 and 172.16.0.201 instead of 172.16.1.100 and 172.16.1.200, respectively. For any other sources coming from the Internet hitting host 1.1.0.100 and .200, the destination will be translated to 172.16.0.100 and .0.200.

- Users coming from source 65.0.0.0/8 hitting the outside interface on port 3389 will be translated to host 172.16.254.100 on port 3389. Anyone else coming from other addresses over the Internet hitting host 1.1.254.100 will be translated into 172.16.254.100.

- Network 172.16.0.0/16 will NOT be NAT'ed to 10.0.0.0/8 on the dmz, BUT hosts 172.16.1.101-172.16.1.120 will be NAT'ed to 10.0.252.1 when accessing any hosts on the 10.0.0.0/8 network.

- I have similar requirements on the lease-line interface as well, but I will hold off on it for now.

Can anyone estimate how long it would take to come up with a workable configuration? Is it even possible? In terms of support and maintenance, is this a good idea?

Thanks in advance.
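PIX/ASA 8.0 policy-static syntax for the source-dependent parts of the third and fourth requirements above, as an added example that is not the poster's configuration (ACL names POLICY_129, RDP_65 and OUTSIDE_IN are hypothetical). It assumes 8.0(3) accepts a policy static whose mapped address also falls inside the posted 1.1.0.0/24 subnet static, and the last block swaps the "permit ip any any log" test ACL for an explicit one so that these NAT entries are the only paths reachable from the outside.

```cisco
! Added example, not the poster's or Cisco's configuration. Assumes the
! posted interfaces and statics are in place; ACL names are hypothetical.
!
! Requirement 3, first half: 129.174.1.0/24 -> 1.1.0.100 must land on
! 172.16.0.101. A policy static ACL is written from the real (inside)
! side: real host as source, the outside client range as destination.
access-list POLICY_129 extended permit ip host 172.16.0.101 129.174.1.0 255.255.255.0
static (inside,outside) 1.1.0.100 access-list POLICY_129
!
! Every other source keeps the posted subnet static
!   static (inside,outside) 1.1.0.0 172.16.0.0 netmask 255.255.255.0
! which maps 1.1.0.100 to 172.16.0.100. Policy statics are matched before
! regular statics, so the 129.174.1.0/24 rule wins for that range only.
! Assumption: 8.0(3) accepts a policy static whose mapped address is also
! covered by that subnet static; if it reports a mapped-address conflict,
! carve 1.1.0.100 out of the subnet static and add it as a host static.
!
! Requirement 4, first half: 65.0.0.0/8 -> outside interface tcp/3389 goes
! to 172.16.254.100:3389 (policy static PAT on the interface address).
access-list RDP_65 extended permit tcp host 172.16.254.100 eq 3389 65.0.0.0 255.0.0.0
static (inside,outside) tcp interface 3389 access-list RDP_65
! Other sources hitting 1.1.254.100 are already covered by the posted
!   static (inside,outside) 1.1.254.100 172.16.254.100 netmask 255.255.255.255
!
! Interface ACL. Pre-8.3 ACLs match the mapped (outside) addresses, and
! 1.1.254.1 is the outside interface IP. This replaces the test ACL
! "permit ip any any log", which lets every source reach every static.
access-list OUTSIDE_IN extended permit tcp 65.0.0.0 255.0.0.0 host 1.1.254.1 eq 3389
access-list OUTSIDE_IN extended permit ip any host 1.1.0.100
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

After applying, run `clear xlate` so stale translations are rebuilt, then confirm with `show xlate` which real address a test connection from each source range was mapped to, and with `show access-list OUTSIDE_IN` that only the intended entries accumulate hit counts.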

Marwan ALshawi Sat, 08/09/2008 - 18:34

Almost possible, but first try it with one interface; if it works, then go ahead.

As you mentioned above, you need to make NATing based on source and destination addresses.

What I would suggest you try is an extended ACL with static NAT, like:

access-list 100 permit ip 129.174.1.0 255.255.255.0 host 1.1.0.100
static (outside,inside) 172.16.0.101 access-list 100

and so on.

I reversed the static NAT to use the extended ACL.

And I really wish you good luck, and let me know.

By the way, **reload after config**.

With NATing sometimes the firewall does not take the changes directly; I mean you might do the change and it sounds OK but does not work. So after you make the changes just RELOAD it to avoid any problems.
