Complex NAT and Pix version 8.0(3)

Unanswered Question
Aug 9th, 2008

This is my HQ Pix firewall version 8.0(3):

ip address outside 1.1.254.1 255.255.0.0 (security 0)
ip address inside 192.168.1.1 255.255.255.0 (security 100)
ip address dmz 10.1.1.1 255.255.255.0 (security 90)
ip address lease-line 192.168.192.1 255.255.255.0 (security)

route inside 172.16.0.0 255.255.0.0 192.168.1.254
route dmz 10.0.0.0 255.0.0.0 10.1.1.254
route lease-line 192.168.254.0 255.255.255.0 192.168.192.254

static (inside,outside) 1.1.0.0 172.16.0.0 netmask 255.255.255.0
static (dmz,outside) 1.1.1.0 10.0.0.0 netmask 255.255.255.0
static (inside,outside) 1.1.254.100 172.16.254.100 netmask 255.255.255.255

access-list test permit ip any any log
access-group test in interface outside
access-group test in interface inside
access-group test in interface dmz

I have requirements like this:

- There are a couple of VPNs terminating on this firewall, to remote-A and remote-B. Remote-A also has network 172.16.20.0/24, which overlaps with my LAN 172.16.0.0/16 network. Double-NAT will have to be done on both sides.

- Remote-B has a network of 10.10.10.0/24, which overlaps with my dmz network. Double-NAT will have to be done on both sides.

- Users coming from source 129.174.1.0/24 over the Internet hitting host 1.1.0.100 and host 10.1.0.200: the destination will be translated into 172.16.0.101 and 172.16.0.201 instead of 172.16.1.100 and 172.16.1.200, respectively. For any other sources coming from the Internet hitting host 1.1.0.100 and .200, the destination will be translated to 172.16.0.100 and .0.200.

- Users coming from source 65.0.0.0/8 hitting the outside interface on port 3389 will be translated to host 172.16.254.100 on port 3389. Anyone else coming from other addresses over the Internet hitting host 1.1.254.100 will be translated into 172.16.254.100.

- Network 172.16.0.0/16 will NOT be NAT'ed to 10.0.0.0/8 on the dmz, BUT hosts 172.16.1.101-172.16.1.120 will be NAT'ed to 10.0.252.1 when accessing any hosts on the 10.0.0.0/8 network.

- I have similar requirements on the lease-line interface as well, but I will hold off on that for now.

Can anyone estimate how long it would take to come up with a workable configuration? Is it even possible? In terms of support and maintenance, is this a good idea?

Thanks in advance.

Marwan ALshawi Sat, 08/09/2008 - 18:34

Almost possible, but first try it with one interface; if that works, then go ahead.

As you mentioned above, you need to do NATing based on source and destination addresses. What I would suggest you try is an extended ACL with static NAT, like:

access-list 100 permit ip 129.174.1.0 255.255.255.0 host 1.1.0.100
static (outside,inside) 172.16.0.101 access-list 100

and so on. I reversed the static NAT to use the extended ACL. I really wish you good luck, and let me know.

By the way, **reload after config**: with NATing, sometimes the firewall does not take the changes directly, I mean you might make the change and it looks OK but does not work. So after you make the changes, just RELOAD it to avoid any problems.
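As an added example (not part of the original question or of the reply above): the destination-NAT requirements from the question, and the source-based policy static NAT the reply suggests, modeled in Python as an ordered rule list. It lets you check which inside host a given outside flow would be delivered to before committing the config, flags rules that can never match because an earlier rule covers them, and lists the address-space overlaps that force the double-NAT on the two VPNs. Assumptions: the second public host is read as 1.1.0.200 (the question later writes ".200"); the first-match ordering with source-qualified rules ahead of the catch-all static is this model's ordering, not a statement of how the PIX builds its translation table; the names DnatRule, translate, shadowed_rules and overlapping_networks are the example's own.

```python
"""Ordered model of the destination-NAT requirements from the post.

Constructed example: this is not PIX configuration and makes no claim about
the firewall's internal NAT matching order. It checks that an ordered rule
set yields the translations the requirements describe and flags the
overlapping address spaces that force double-NAT on the VPNs.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DnatRule:
    """One translation: outside traffic from src_net to mapped_ip (optionally
    only on one destination port) is delivered to real_ip.  A src_net of
    0.0.0.0/0 is the catch-all, i.e. a plain static with no ACL attached."""
    src_net: IPv4Network
    mapped_ip: str
    real_ip: str
    port: Optional[int] = None


# Rules taken from the requirements in the question.  Source-qualified
# (policy) rules are listed before the catch-all static for the same mapped
# address; in this first-match model a catch-all listed first would shadow them.
RULES: List[DnatRule] = [
    DnatRule(ip_network("129.174.1.0/24"), "1.1.0.100", "172.16.0.101"),
    DnatRule(ip_network("129.174.1.0/24"), "1.1.0.200", "172.16.0.201"),
    DnatRule(ip_network("0.0.0.0/0"), "1.1.0.100", "172.16.0.100"),
    DnatRule(ip_network("0.0.0.0/0"), "1.1.0.200", "172.16.0.200"),
    # RDP from 65/8 to the outside interface address goes to the inside host
    DnatRule(ip_network("65.0.0.0/8"), "1.1.254.1", "172.16.254.100", port=3389),
    DnatRule(ip_network("0.0.0.0/0"), "1.1.254.100", "172.16.254.100"),
]

# Address spaces named in the question (constructed labels).
SITES: Dict[str, str] = {
    "HQ LAN": "172.16.0.0/16",
    "HQ DMZ route": "10.0.0.0/8",
    "remote-A": "172.16.20.0/24",
    "remote-B": "10.10.10.0/24",
}


def translate(src: str, dst: str, dport: Optional[int] = None) -> Optional[str]:
    """Return the inside address an outside packet is delivered to, or None
    when no rule applies.  The first matching rule wins."""
    s = ip_address(src)
    for r in RULES:
        if s in r.src_net and dst == r.mapped_ip and (r.port is None or r.port == dport):
            return r.real_ip
    return None


def shadowed_rules(rules: List[DnatRule]) -> List[Tuple[DnatRule, DnatRule]]:
    """Return (earlier, later) pairs where the later rule can never match:
    an earlier rule for the same mapped address covers the later rule's whole
    source range and either has no port restriction or the same port."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.mapped_ip == later.mapped_ip
                    and earlier.port in (None, later.port)
                    and later.src_net.subnet_of(earlier.src_net)):
                found.append((earlier, later))
    return found


def overlapping_networks(named: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return pairs of names whose prefixes overlap: these are the VPN peers
    that cannot be reached without translating one side (double-NAT)."""
    items = [(name, ip_network(cidr)) for name, cidr in named.items()]
    return [(a, b) for i, (a, na) in enumerate(items)
            for b, nb in items[i + 1:] if na.overlaps(nb)]


if __name__ == "__main__":
    # Constructed sample flows: the 129.174.1.0/24 case, a generic Internet
    # source, and RDP from 65/8 to the outside interface address.
    for src, dst, port in [("129.174.1.7", "1.1.0.100", None),
                           ("203.0.113.9", "1.1.0.100", None),
                           ("65.20.30.40", "1.1.254.1", 3389)]:
        print(f"{src} -> {dst}:{port or 'any'} delivered to {translate(src, dst, port)}")
    print("shadowed rules in RULES:", shadowed_rules(RULES))
    print("shadowed rules if reversed:", len(shadowed_rules(list(reversed(RULES)))))
    print("overlapping sites:", overlapping_networks(SITES))
```

Running the script prints the inside host each sample flow reaches, confirms that no rule in RULES is shadowed while reversing the order shadows both 129.174.1.0/24 rules, and lists the two overlaps (HQ LAN with remote-A, the 10/8 DMZ route with remote-B). Run the same lookups against any future rule change before reloading the firewall, so a new catch-all does not silently swallow a source-specific translation.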
