PAT translation and order of processing

Unanswered Question
Nov 17th, 2008

Hi all

I currently have 1 x static NAT and 4 x PAT configured on my PIX 515E firewall running v6.3(4). The PAT PoolIDs are numbered 1 (int PAT), 6, 8 and 7. I'm wondering if I create another PoolID and give it a number, say 3, will the firewall process PoolID#3 first before moving on to the other pools. My new pool is to permit any inside IP address 10.0.0.0/8 to an outside address of 203.110.146.x. If this pool is to be processed first then it might be a better idea to assign PoolID#99 instead. I require this because the other pools are being used at the moment and if this pool takes precedence then I'm going to be in trouble with my access rules.

Hope this makes sense. Thanks for your comments.

Jon Marshall Tue, 11/18/2008 - 01:19

Vincent

The order is important with some of the NAT rules and not with others. So for example Policy NAT uses the nat-id's in order but regular NAT doesn't. From Pix command reference -

Order of NAT Commands Used to Match Local Addresses

The firewall matches local traffic to NAT commands in the following order:

1. nat 0 access-list (NAT exemption)-In order, until the first match. For example, you could have overlapping local/destination addresses in multiple nat commands, but only the first command is matched.

2. static (static NAT)-In order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.

3. static {tcp | udp} (static PAT)-In order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.

4. nat nat_id access-list (policy NAT)-In order, until the first match. For example, you could have overlapping local/destination ports and addresses in multiple nat commands, but only the first command is matched.

5. nat (regular NAT)-Best match. The order of the NAT commands does not matter. The nat statement that best matches the local traffic is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you also create a statement to translate only 10.1.1.1, when 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the local traffic best.

Full link -

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1032129

So it won't use the order; it will choose the most specific match and use that nat-id.

Jon
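To make the quoted precedence concrete, here is an added model of the lookup (not code from the thread or from Cisco) that applies the five steps above to a small rule set built from the addresses and pool ids in the posts. The nat 0 exemption to 192.168.100.0/24 and the outside test address 203.0.113.9 are invented for illustration, and "best match" for regular nat is assumed to mean the longest matching local prefix, which is what the reference's 10.1.1.1 vs 0.0.0.0 example shows. Pool 99 is deliberately listed first to show that position does not decide regular nat.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Rule kinds in the precedence the PIX 6.3 reference lists. The first four
# are first-match in configuration order; "regular" nat is best-match.
ORDER = ("exempt", "static", "static_pat", "policy", "regular")


@dataclass
class NatRule:
    kind: str                     # one of ORDER
    nat_id: int                   # nat_id / pool id (0 for nat 0)
    local: str                    # local (inside) addresses, CIDR
    dest: str = "0.0.0.0/0"       # destination in the ACL (nat 0 / policy rules only)
    proto: Optional[str] = None   # 'tcp' or 'udp' when the ACL or static PAT names one
    dport: Optional[int] = None   # destination port when the ACL names one

    def matches(self, src, dst, proto, dport):
        if src not in ipaddress.ip_network(self.local):
            return False
        if self.kind == "regular":
            return True           # plain nat looks at the local address only
        if dst not in ipaddress.ip_network(self.dest):
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def lookup(rules, src, dst, proto=None, dport=None):
    """Return the NatRule the firewall would apply, or None if nothing matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for kind in ORDER:
        hits = [r for r in rules if r.kind == kind and r.matches(src, dst, proto, dport)]
        if not hits:
            continue
        if kind == "regular":
            # Best match, assumed here to be the longest local prefix.
            return max(hits, key=lambda r: ipaddress.ip_network(r.local).prefixlen)
        return hits[0]            # first match in configuration order
    return None


# Constructed rule set modelled on the thread. Pool ids 6/7/8 and 5 follow the
# posts; the nat 0 exemption is invented so that step 1 has something to hit.
RULES = [
    NatRule("exempt", 0, "10.10.3.0/24", dest="192.168.100.0/24"),
    NatRule("regular", 99, "10.0.0.0/8"),           # proposed catch-all, listed first on purpose
    NatRule("regular", 6, "10.10.3.0/24"),
    NatRule("regular", 7, "10.10.25.0/24"),
    NatRule("regular", 8, "10.10.24.0/24"),
    # policy PAT: 10.10.0.0/16 -> 50.50.50.50 on tcp/1494 (citrix-ica)
    NatRule("policy", 5, "10.10.0.0/16", dest="50.50.50.50/32", proto="tcp", dport=1494),
]


def which_pool(src, dst, proto=None, dport=None):
    """Pool id chosen for a flow, or None when no nat rule applies."""
    rule = lookup(RULES, src, dst, proto, dport)
    return None if rule is None else rule.nat_id


if __name__ == "__main__":
    for flow in [("10.10.3.7", "203.0.113.9"),               # /24 beats /8 -> 6
                 ("10.20.1.1", "203.0.113.9"),               # only the /8 matches -> 99
                 ("10.10.3.7", "50.50.50.50", "tcp", 1494),  # policy nat wins -> 5
                 ("10.10.3.7", "50.50.50.50", "tcp", 443),   # wrong port, back to regular -> 6
                 ("10.10.3.7", "192.168.100.5"),             # nat 0 exemption -> 0
                 ("192.168.1.1", "203.0.113.9")]:            # no rule -> None
        print(flow, "->", which_pool(*flow))
```

The point for the original question: adding pool 99 (or 3) for 10.0.0.0/8 does not steal traffic from the more specific /24 pools, because regular nat is decided by specificity, not by pool number; only the ACL-based rules (nat 0 and policy nat) are walked in configuration order.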

vincent-n Wed, 11/19/2008 - 14:44

Thanks Jon for your post and the URL. One thing I found is PDM will not support policy-based NAT/PAT, which I use quite often to configure things. This is my current situation:

1. I have defined a number of devices under the networks 10.10.3.0/24, 10.10.25.0/24 and 10.10.24.0/24 to be PAT under PoolID 6, 7 and 8. Some devices in these networks are also interface PAT (203.110.146.50).

2. I'd like to create a new PoolID, say 5, and PAT anything under 10.10.0.0/16 that is using TCP protocol citrix-ica going to dest, say, 50.50.50.50/32.

3. I'm thinking that I can do PAT on 10.10.0.0/16 to 203.110.146.50 (without specifying TCP port) but don't want to destroy any existing PAT/NAT rules. The firewall actually warns me that there are overlapping addresses.

4. If step 3 is deemed to be fine without breaking anything then it might just be as simple as permitting inside traffic 10.10.0.0/16 to go out to 50.50.50.50/32 with traffic matching TCP citrix-ica.

Thanks for your reply.
