Pix 506E 6.3(3): need to pass networks without NAT translation.

Answered Question
Aug 21st, 2008
We use the 10.x.x.x network internally. The Pix stands between two networks: 10.34.12.0/24, the outside one with security level 0, and 10.34.3.0/24, the inside one with security level 100. I need all IPs from the 10.34.3.0 and 10.34.12.0 networks to pass through the firewall without any NAT translation. Also, network 10.34.12.0 should get access to other 10.x.x.x subnets within the corporate network without any NAT translation. What is the best way to achieve this?

Syed Iftekhar Ahmed Fri, 08/22/2008 - 00:18

Try the following

access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.34.3.0 255.255.255.0
access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list inside_access_out permit ip 10.34.3.0 255.255.255.0 10.34.12.0 255.255.255.0

nat (outside) 0 access-list outside_access_in
nat (inside) 0 access-list inside_access_out

Thanks

radutily1 Fri, 08/22/2008 - 00:26

When I apply nat (outside) 0 access-list outside_access_in

I receive the following error message:

WARNING: Specified interface is lowest security interface. This statement
WARNING: is not applicable to any traffic.

And I am still not able to get access to hosts on the 10.34.12.x net. I think, as outside is a lower security level interface, only the static command can help. What do you think?

Thanks

Syed Iftekhar Ahmed Fri, 08/22/2008 - 00:48

Try using

nat (outside) 0 access-list outside_access_in outside

instead of

nat (outside) 0 access-list outside_access_in

Thanks

radutily1 Fri, 08/22/2008 - 02:27

Hi guys,

I've implemented these commands on this firewall:

access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.34.3.0 255.255.255.0
access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list inside_access_out permit ip 10.34.3.0 255.255.255.0 10.34.12.0 255.255.255.0
access-list inside_access_out permit ip 10.0.0.0 255.0.0.0 10.34.12.0 255.255.255.0
nat (outside) 0 access-list outside_access_in outside
nat (inside) 0 access-list inside_access_out

But I'm still not able to get access to any hosts from inside to outside. Please find configuration details in the attachment.

radutily1 Fri, 08/22/2008 - 02:54

Hi Andrew,

Inside subnet is 10.34.3.0/24
Outside subnet is 10.34.12.0/24

The default route on inside is simply a default route to the other subnets in our network.

I think I understand now, after re-reading your initial post. Cut and paste the config below and re-test:

no nat (outside) 0 access-list outside_access_in outside
no nat (inside) 0 access-list inside_access_out
no access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.34.3.0 255.255.255.0
no access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.0.0.0 255.0.0.0
no access-list inside_access_out permit ip 10.34.3.0 255.255.255.0 10.34.12.0 255.255.255.0
no access-list inside_access_out permit ip 10.0.0.0 255.0.0.0 10.34.12.0 255.255.255.0

static (inside,outside) 10.34.3.0 10.34.3.0 netmask 255.255.255.0
static (outside,inside) 10.34.12.0 10.34.12.0 netmask 255.255.255.0

HTH

radutily1 Fri, 08/22/2008 - 03:32

Yeah, right, this could help, but in that case the firewall will do the proxy ARP feature, and that way it can crash these two networks. It may be a good point to use these statics with proxy ARP disabled on the interfaces, but what to do with the other 10.x.x.x networks?

Correct Answer

Well, you just add static statements per network, or just change the previous suggestion to:

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (outside,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

That way all networks in the 10/8 are the same passing thru the firewall.

HTH

radutily1 Fri, 08/22/2008 - 04:31

Right, this one should work with proxy ARP disabled:

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (outside,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

sysopt noproxyarp outside
sysopt noproxyarp inside

The guys from that site have already left; I will check on Monday and provide you the results.
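The thread's final form, pulled together as one PIX 6.3 fragment. This is an added example and not a configuration anyone in the thread posted: it assumes the interface names and security levels stated in the question and adds the inbound access-list that the thread drops but that outside (security 0) to inside (security 100) traffic still needs, since the identity statics only stop translation and do not grant access from the lower-security side.

```cisco
: Added example (not from the thread): identity translation for 10/8 in
: both directions, proxy ARP off, and an inbound ACL for the low-security side.
: Interface names and security levels as described in the question.
nameif ethernet0 outside security0
nameif ethernet1 inside security100

: Identity statics: 10.x.x.x addresses cross the firewall unchanged,
: covering 10.34.3.0/24, 10.34.12.0/24 and every other corporate 10/8 subnet.
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (outside,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

: Statics normally make the PIX proxy-ARP for the mapped range; for an
: identity /8 on a shared address space that hijacks both segments, so turn it off.
sysopt noproxyarp outside
sysopt noproxyarp inside

: Inside (100) to outside (0) is allowed by default and return traffic
: follows the connection table. Outside to inside is denied until an
: access-list is applied inbound on outside; keep it to the hosts that need it.
access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.0.0.0 255.0.0.0
access-group outside_access_in in interface outside
```

After applying it, "show xlate" should show no dynamic entries for these flows and "show conn" should list the sessions with identical source and destination addresses on both interfaces.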


