10-27-2008 07:39 AM - edited 03-11-2019 07:03 AM
Hi everybody.
Having used iptables and software firewalls (like Astaro) in the past, now I am trying to understand NAT on a PIX 6.3.
I'm trying to redirect connections to ports on external IP addresses to a server with an internal IP. I mean:
the connection to 212.44.229.2:ssh must be redirected to 192.168.229.2:ssh
the connection to 212.44.229.3:80 must be redirected to 192.168.229.2:80
the connection to 212.44.229.4:25 must be redirected to 192.168.229.2:25
I did this configuration but only the ssh redirection works.
interface gb-ethernet1 vlan229 logical
nameif vlan229 local security95
ip address local 192.168.229.254 255.255.255.0
name 192.168.229.2 lenovo
access-list outside_access_in permit tcp any host 212.44.229.2 eq ssh
access-list outside_access_in permit tcp any host 212.44.229.2 eq www
access-list outside_access_in permit tcp any host 212.44.229.2 eq smtp
ip address local 192.168.229.254 255.255.255.0
pdm location 212.44.229.2 255.255.255.255 outside
pdm location 212.44.229.3 255.255.255.255 outside
pdm location 212.44.229.4 255.255.255.255 outside
pdm location lenovo 255.255.255.255 local
pdm location 192.168.229.0 255.255.255.255 local
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
nat (local) 2 192.168.229.0 255.255.255.0 0 0
static (outside,local) tcp lenovo ssh 212.44.229.2 ssh netmask 255.255.255.255 0 0
static (outside,local) tcp lenovo www 212.44.229.3 www netmask 255.255.255.255 0 0
static (outside,local) tcp lenovo smtp 212.44.229.4 smtp netmask 255.255.255.255 0 0
static (local,outside) 212.44.229.2 lenovo netmask 255.255.255.255 0 0
but only the ssh connection to 212.44.229.2 is routed to 192.168.229.2.
I have read about NAT on the PIX but this case is not clear to me.
Any idea? Thanks to you all.
10-27-2008 07:58 AM
Cisco's NAT terminology can be weird at times.
Setting up a NAT Port Translation
static (local,outside) tcp 22 212.44.229.2 192.168.229.15 22 netmask 255.255.255.255
Setting up a NAT translation (all ports & protocols)
static (local,outside) 212.44.229.2 192.168.229.15 netmask 255.255.255.255
It looks like most of your NATs are backwards.
Here's a little HOW-TO on NATs (look for NAT):
http://www.packetpros.com/wiki/index.php/Cisco
Hope that helps.
10-27-2008 09:19 AM
Yes, you are right, that is awesome, they are backward. But I created them with PDM; how is that possible?
Well, I fixed the NAT rule but I cannot make the ACL rule.
It tells me: no communication is allowed between two interfaces which have the same security level.
The external interface of the PIX is not in network 212.44.229.0/24, but on all network devices a route points to network 212.44.229.2 to be accessed via the PIX. The PIX thinks that network 212.44.229.0/24 is on the outside interface.
Is that a new problem?
Thanks.
10-27-2008 09:29 AM
do you have a simple diagram with interface names?
10-27-2008 03:47 PM
Hi, this is the schema.
My ISP routes 212.44.229.0/24 to my PIX.
INTERNET
|
|
ROUTER (ip route 212.44.229.0/24 via the pix)
|
|
______________________
|outside (gb-ethernet0)|
| |
| PIX |
| |
|inside (gb-ethernet1) |
|local (vlan229) |
|local (vlan228) |
|______________________|
|
|
|
|--192.168.229.0/24 (vlan229)
|
|--129.168.228.0/24 (vlan228)
Thank you very much.
10-28-2008 04:39 AM
Hi, you all.
Now I have changed my config as follows:
interface gb-ethernet1 vlan229 logical
interface gb-ethernet1 vlan230 logical
nameif gb-ethernet0 outside security0
nameif gb-ethernet1 inside security100
nameif vlan229 local security95
access-list outside_access_in permit tcp any host 212.44.229.3 eq www
access-list outside_access_in permit tcp any host 212.44.229.4 eq smtp
access-list outside_access_in permit tcp any host 212.44.229.2 eq ssh
access-list inside_nat0_outbound permit ip any 192.168.229.192 255.255.255.192
ip address local 192.168.229.254 255.255.255.0
pdm location 212.44.229.2 255.255.255.255 outside
pdm location 212.44.229.3 255.255.255.255 outside
pdm location 192.168.229.0 255.255.255.255 Admin
pdm location 192.168.229.192 255.255.255.192 Admin
pdm location 212.44.229.4 255.255.255.255 outside
pdm location 192.168.229.2 255.255.255.255 Admin
global (outside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
nat (local) 2 192.168.229.0 255.255.255.0 0 0
static (local,outside) tcp 212.44.229.3 www 192.168.229.2 www netmask 255.255.255.255 0 0
static (local,outside) tcp 212.44.229.4 smtp 192.168.229.2 smtp netmask 255.255.255.255 0 0
static (local,outside) tcp 212.44.229.2 ssh 192.168.229.2 ssh netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
But with no result either.
I do not want to go back to the Astaro firewall as I have a PIX now, and logically a PIX is made for firewalling.
Any help please?
10-28-2008 06:22 AM
In the config above, the interface name is inside and outside, but in your statics, they are outside and local. They have to match, is the trusted interface named local or inside?
10-28-2008 06:35 AM
Hi, thanks.
Yes, but if you read carefully you will see these two lines too.
interface gb-ethernet1 vlan229 logical
nameif vlan229 local security95
So I can use local, am I right? Or are NAT rules not possible on logical interfaces?
Thanks again.
10-28-2008 06:42 AM
You can use anything you like so that's not a problem. Can you post a full sanitized config?
10-29-2008 04:54 AM
Hi you all.
I have made some changes and now NAT works. But there are several problems. The PDM does not take my ACL into account; it tells me this rule is null. After doing a translation I tested with an access rule, and it's true, my access list is tagged with (null rule), so I cannot filter.
Example of ACL:
access-list outside_access_in permit tcp any host 212.x.x.3 eq www
Here is the config:
interface gb-ethernet0 1000auto
interface gb-ethernet1 1000auto
interface gb-ethernet1 vlan1000 physical
interface gb-ethernet1 vlan229 logical
nameif gb-ethernet0 outside security0
nameif gb-ethernet1 inside security100
nameif vlan229 local security95
enable password the_password encrypted
passwd the_password encrypted
hostname pix
names
name 192.168.229.2 lenovo
access-list inbound permit tcp any host 192.168.225.55
access-list inbound permit tcp host 192.168.225.51 any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host 212.44.229.2 eq ssh
access-list outside_access_in permit tcp any host 212.44.229.3 eq www
access-list inside_nat0_outbound permit ip any 192.168.229.192 255.255.255.192
pager lines 24
logging on
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 212.x.x.2 255.255.255.0
ip address inside 192.168.254.254 255.255.255.0
ip address local 192.168.229.254 255.255.255.0
pdm location 212.x.x.2 255.255.255.255 outside
pdm location 212.x.x.3 255.255.255.255 outside
pdm location 192.168.229.0 255.255.255.255 local
pdm location 212.x.x.4 255.255.255.255 outside
pdm location lenovo 255.255.255.255 local
pdm location 192.168.229.192 255.255.255.192 local
pdm location 192.168.229.192 255.255.255.192 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
nat (local) 2 lenovo 255.255.255.255 0 0
static (local,outside) tcp 212.44.229.2 ssh lenovo ssh netmask 255.255.255.255 0 0
static (local,outside) tcp 212.44.229.3 www lenovo www netmask 255.255.255.255 0 0
static (local,outside) tcp 212.44.229.4 2525 lenovo smtp netmask 255.255.255.255 0 0
static (local,outside) tcp 212.44.229.5 www lenovo 8080 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 212.44.228.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server LOCAL protocol local
aaa authentication secure-http-client
http server enable
floodguard enable
console timeout 0
terminal width 80
: end
Thank you all.
10-29-2008 06:33 AM
A null rule indicates that an access rule was configured for a host that is not visible on another interface. This rule is null because no traffic can flow between these two hosts even though the access rule would permit it.
Your ACL should look like this:
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host 212.44.229.2 eq ssh
access-list outside_access_in permit tcp any host 212.44.229.3 eq www
access-list outside_access_in permit tcp any host 212.44.229.4 eq 2525
access-list outside_access_in permit tcp any host 212.44.229.5 eq www
You may have to remove the rule from the interface to edit it.
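The two points made in this thread (the first reply: the statics were written backward; this reply: the inbound ACL must name each mapped ip:port or PDM shows a null rule) can be checked mechanically from a pasted config. The following is an added example, not code from the thread, from Cisco or from PDM. It assumes PIX 6.3 `static (real_ifc,mapped_ifc) ...` syntax, that the real side of an inbound port forward is the higher-security interface, and that the ACL on the mapped interface refers to the mapped (global) address, which is the pre-8.3 behaviour. The sample configs are abridged from the posts; the `nameif outside` and `access-group` lines the first post left out are assumed.

```python
# Added example, not from the thread or from Cisco: an offline lint for PIX 6.3
# port forwards. It parses nameif/name/static/access-list/access-group lines and
# reports statics whose mapped side is the higher-security interface ("backward"),
# ACL entries on the mapped interface that reach no translation, and translations
# that no ACL entry permits. Sample configs are abridged from the thread.
import re
from collections import namedtuple

PORT_NAMES = {"ssh": 22, "www": 80, "http": 80, "smtp": 25, "https": 443}
NAMEIF_RE = re.compile(r"^nameif \S+ (\S+) security(\d+)$")
NAME_RE = re.compile(r"^name (\S+) (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
# static (real_ifc,mapped_ifc) [tcp|udp mapped_ip mapped_port] real_ip [real_port] netmask ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (?:(tcp|udp) (\S+) (\S+) (\S+) (\S+)|(\S+) (\S+)) netmask")
ACE_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) (?:any|host \S+|\S+ \S+) host (\S+) eq (\S+)$")
Static = namedtuple("Static", "real_ifc mapped_ifc proto mapped_ip mapped_port real_ip real_port")
Ace = namedtuple("Ace", "acl proto dst dport")

def port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]   # extend PORT_NAMES as needed

def parse(cfg):
    sec, names, groups, statics, aces = {}, {}, {}, [], []
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := NAMEIF_RE.match(line):
            sec[m[1]] = int(m[2])                    # interface -> security level
        elif m := NAME_RE.match(line):
            names[m[2]] = m[1]                       # alias -> ip
        elif m := GROUP_RE.match(line):
            groups[m[1]] = m[2]                      # acl -> interface it is applied on
        elif m := STATIC_RE.match(line):
            if m[3]:
                statics.append(Static(m[1], m[2], m[3], m[4], port(m[5]), m[6], port(m[7])))
            else:
                statics.append(Static(m[1], m[2], "ip", m[8], None, m[9], None))
        elif m := ACE_RE.match(line):
            aces.append(Ace(m[1], m[2], m[3], port(m[4])))
    res = lambda x: names.get(x, x)                  # `name` aliases may appear on either side
    statics = [s._replace(mapped_ip=res(s.mapped_ip), real_ip=res(s.real_ip)) for s in statics]
    aces = [a._replace(dst=res(a.dst)) for a in aces]
    return sec, groups, statics, aces

def audit(cfg):
    """Return (kind, message) findings for backward statics, ACL entries that
    match no translation (what PDM flags as a null rule) and unpermitted statics."""
    sec, groups, statics, aces = parse(cfg)
    findings = []

    def covers(s, a):
        # Pre-8.3 rule: the ACL on the mapped interface names the mapped (global) address.
        return (groups.get(a.acl) == s.mapped_ifc and a.dst == s.mapped_ip and
                (s.proto == "ip" or (a.proto == s.proto and a.dport == s.mapped_port)))

    # For an inbound port forward the real side is the higher-security interface.
    backward = [s for s in statics if sec[s.real_ifc] < sec[s.mapped_ifc]]
    for s in backward:
        findings.append(("backward", f"static ({s.real_ifc},{s.mapped_ifc}) puts the mapped "
                         f"address {s.mapped_ip} on the higher-security side"))
    for a in aces:
        if a.acl in groups and not any(covers(s, a) for s in statics):
            findings.append(("null_ace", f"{a.proto}/{a.dport} to {a.dst} matches no "
                             f"translation on {groups[a.acl]}"))
    for s in statics:
        if s not in backward and s.proto != "ip" and not any(covers(s, a) for a in aces):
            findings.append(("no_ace", f"{s.mapped_ip}:{s.mapped_port} -> {s.real_ip}:"
                             f"{s.real_port} is translated but nothing permits it on {s.mapped_ifc}"))
    return findings

# The first post omitted its nameif and access-group lines, so those are assumed here.
FIRST_POST = """\
nameif gb-ethernet0 outside security0
nameif vlan229 local security95
name 192.168.229.2 lenovo
access-list outside_access_in permit tcp any host 212.44.229.2 eq ssh
static (outside,local) tcp lenovo ssh 212.44.229.2 ssh netmask 255.255.255.255 0 0
static (outside,local) tcp lenovo www 212.44.229.3 www netmask 255.255.255.255 0 0
static (local,outside) 212.44.229.2 lenovo netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""
LATER_POST = """\
nameif gb-ethernet0 outside security0
nameif vlan229 local security95
name 192.168.229.2 lenovo
access-list outside_access_in permit tcp any host 212.44.229.2 eq ssh
access-list outside_access_in permit tcp any host 212.44.229.3 eq www
static (local,outside) tcp 212.44.229.2 ssh lenovo ssh netmask 255.255.255.255 0 0
static (local,outside) tcp 212.44.229.3 www lenovo www netmask 255.255.255.255 0 0
static (local,outside) tcp 212.44.229.4 2525 lenovo smtp netmask 255.255.255.255 0 0
static (local,outside) tcp 212.44.229.5 www lenovo 8080 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("first post", FIRST_POST), ("10-29 post", LATER_POST)):
        print(label, *[f"  [{kind}] {msg}" for kind, msg in audit(cfg)], sep="\n")
```

Run against the first post's config it reports the `(outside,local)` statics as backward; against the 10-29 config it reports that 212.44.229.4:2525 and 212.44.229.5:80 are translated but not permitted, which is exactly the two missing ACL lines above. An ACL entry for a global address that no static maps (for example 212.44.229.9) is reported as matching no translation, the condition PDM labels a null rule. Only `any`/`host`/network sources and `eq` port matches are parsed; other ACE forms are ignored rather than guessed at.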
10-29-2008 07:18 AM
Hi, thanks.
My rules are already like this:
access-list outside_access_in permit tcp any host 212.44.229.2 eq ssh
access-list outside_access_in permit tcp any host 212.44.229.3 eq www
10-29-2008 10:21 AM
Hi,
I am still at the same point; I cannot make access rules work (after having made NAT work) because the PDM tells me (null rule).
Can someone tell me what is wrong with my config?
Thanks.
10-30-2008 06:34 AM
Hi.
After doing some tests I arrive at the following conclusion.
connection to 212.44.229.2:ssh redirected to 192.168.229.2:ssh
connection to 212.44.229.3:80 redirected to 192.168.229.2:80
connection to 212.44.229.4:25 must be redirected to 192.168.229.2:25
This type of config does not work properly because it does not permit managing the access-list (null rule).
I tested this:
connection to 212.44.229.2:ssh redirected to 192.168.229.2:ssh
connection to 212.44.229.3:80 redirected to 192.168.229.3:80
connection to 212.44.229.4:25 redirected to 192.168.229.4:25
That works well because it allows me to manage the access-list to the destination hosts. This means that on my server interface I have to add an IP alias for each external IP I want to use.
I can even do:
connection to 212.44.229.3:80 redirected to 192.168.229.3:8080
My config looks like this (from my last test):
access-list outside_access_in permit tcp any host 212.44.229.3 eq www
access-list outside_access_in permit tcp any host 212.44.229.2 eq ssh
access-list outside_access_in permit tcp any host 212.44.229.2 eq smtp
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (local) 1 0.0.0.0 0.0.0.0 0 0
static (local,outside) tcp 212.44.229.2 ssh lenovo ssh netmask 255.255.255.255 0 0
static (local,outside) tcp 212.44.229.3 www 192.168.229.3 8080 netmask 255.255.255.255 0 0
static (local,outside) tcp 212.44.229.2 smtp lenovo smtp netmask 255.255.255.255 0 0
Is that all right, or is there a way to avoid using IP aliases?
Thank you all.