Basic Question about PIX NATing

Unanswered Question
Dec 30th, 2008

Hi Team,

I have the following questions about NATing:

1. static (inside,outside): does this command work bidirectionally, i.e. will traffic coming from outside to inside and the reverse both get NATed, or does it only mean that traffic coming from outside to inside will get NATed?

And if I want to NAT traffic (using the static command) from inside to outside, what will be the syntax? Do I have to type static (outside,inside)?

2. Can I use the nat (inside) and global (outside) commands for NATing traffic from outside to inside? If yes, what will be the syntax of the commands, i.e. can it be nat (outside) and global (inside)?

3. When we access a machine in the DMZ network from the inside interface network, is NAT required in the PIX? For example, if the inside network is in a private range and the DMZ network is in a public or private range. In Checkpoint we do not need NAT in the above case, because once the packet hits the firewall (on the internal interface), the firewall will automatically forward the packet to the DMZ machine (connected to its DMZ interface), and as far as I know there is no NAT required in Checkpoint for this case. Is NAT required in the PIX for this?

cisco24x7 Wed, 12/31/2008 - 05:54

Just a couple of things to keep in mind:

- Checkpoint "hide" NAT = Cisco Port Address Translation

- Checkpoint "static" NAT = Cisco static NAT

To answer your questions:

1- Your assumption in #1 is correct. However, the way CP sets up NAT is much more flexible than Cisco. What you said is correct about 99% of the time, but there are exceptions.

2- nat (inside) and global (outside) is equivalent to Checkpoint "hide" NAT for the most part.

3- The answer is "it depends". In Checkpoint you can use "automatic" NAT or "manual" NAT. Once you use automatic NAT, you have to put in a rule to disable NAT between inside and DMZ. Or you may not, depending on your network.

One thing to keep in mind is that Cisco PIX/ASA technology is "interface" based, while with Checkpoint there is NO interface basis. Furthermore, Checkpoint is an "object" based technology while Cisco is not. Once you understand that, you will learn Cisco easily.

palsukh2002 Thu, 01/01/2009 - 18:38

Thanks a lot--

1. In Checkpoint, if we want to allow some traffic from inside to outside, then we need to do a NAT (maybe hide NAT). Now if someone from outside wants to access some server on the inside network, then again we need to put in another NAT rule (maybe static NAT). So basically we need to put in two NAT rules. My question is whether in Cisco we also need to put in two NAT statements (maybe nat (inside)/global (outside), and the second statement maybe static NAT), OR whether the nat (inside) and global (outside) commands given once are sufficient for connections initiated from both directions.

2. In Checkpoint, if someone wants to access from outside to inside, we will normally use static destination NAT. Of course we can use static destination NAT in PIX also.

But my question is whether we can use the nat command (to achieve the same purpose) as follows:

nat (outside) 1.1.1.1 ; global (inside) 10.10.10.10

where the outside traffic will hit 1.1.1.1 and will get NATed to 10.10.10.10. Is this command syntax allowed in PIX?

3. In Checkpoint we only configure routing properly, and once the packet hits any firewall interface, the firewall will redirect the traffic to the DMZ server (provided we have simply enabled the access from inside to DMZ in the firewall rulebase). Similarly when we are accessing from outside to DMZ.

Please note that here the inside interface is connected to a private network, and the DMZ and outside interfaces are connected to public servers. I have never used NAT in this case in Checkpoint.

Does that mean that in PIX we always have to do NAT (even if only NAT 0) whenever we are accessing from one interface of the PIX to another interface of the PIX?

Sorry if I did not understand your previous reply.

godinerik Sun, 01/04/2009 - 15:40

I'm still quite new to ASA devices; however, I feel I can perhaps answer your first two questions:

1. If you intend to allow only outgoing traffic from the inside host, only one nat/global set of rules will be required. Return traffic is "un-translated" without adding a second nat/global.

2. If you'd like connections to be initiated from the outside network to the inside, you'll have to use a "static". So in other words, if you have an outside IP of 1.1.1.1 and you'd like it to get NAT'd to 10.10.10.10:

static (inside,outside) 1.1.1.1 10.10.10.10 netmask 255.255.255.255

this will not only allow connections from the outside to connect to the inside host using 1.1.1.1, it will also permanently assign 1.1.1.1 for any outgoing connections initiated from the inside host.

In regards to question #3, I'm not so sure; I'll let someone else answer and take note of the answer as well.

If the above two answers are incorrect, someone *please* correct me. It would re-assure me I understood what I've been discussing these past few days.

Jon Marshall Sun, 01/04/2009 - 16:19

Erik

Glad to see you were paying attention :-)

1 & 2 are both spot on.

3) Yes, you do need to do NAT unless you turn off NAT altogether with "no nat-control", but even then there are exceptions. It is one of the idiosyncrasies of the PIX :-)

Jon
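The three answers above, pulled together as one pre-8.3 PIX/ASA configuration fragment. This is an added example, not configuration posted by anyone in the thread; the addresses (outside 3.3.3.0/24 with PAT address 3.3.3.3, inside 10.10.10.0/24, DMZ 172.16.1.0/24, a static public address 3.3.3.4 for Host A 10.10.10.10, and a DMZ server 172.16.1.10) are assumed for illustration. The syntax is the nat/global/static model of PIX 6.3 and PIX/ASA 7.x-8.2 (the `extended` keyword on access-list lines is 7.x+ and is omitted on PIX 6.3); ASA 8.3 replaced this model with object NAT.

```cisco
! Added example (pre-8.3 nat/global/static syntax); all addresses are assumed.
! Interfaces: outside (security-level 0), inside (100), dmz (50).
nat-control
!
! Q1/Q2 -- outbound: inside hosts share PAT address 3.3.3.3 toward outside.
! This single nat/global pair covers inside-initiated connections and their
! replies. It does NOT let an outside host initiate a connection inward.
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 3.3.3.3
!
! Q1 -- static is bidirectional: outside reaches 10.10.10.10 as 3.3.3.4, and
! 10.10.10.10 always leaves as 3.3.3.4 (static takes precedence over nat 1).
! Argument order is (real_ifc,mapped_ifc) mapped_ip real_ip; you do not write
! static (outside,inside) to publish an inside server.
static (inside,outside) 3.3.3.4 10.10.10.10 netmask 255.255.255.255
! Inbound connections still need an ACL on the outside interface, written
! against the mapped (global) address on pre-8.3 code.
access-list OUTSIDE_IN extended permit tcp any host 3.3.3.4 eq 80
access-group OUTSIDE_IN in interface outside
!
! Q3 -- inside to DMZ. With nat-control on, inside -> dmz needs its own
! translation or the PIX drops the packet ("no translation group found").
! Pick ONE of the following:
!   (a) NAT exemption: addresses unchanged, and bidirectional (dmz hosts may
!       initiate to 10.10.10.x if the dmz interface ACL permits it).
access-list INSIDE_DMZ_NONAT extended permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE_DMZ_NONAT
!   (b) identity static: same addresses on both sides.
! static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
!   (c) PAT to the dmz interface address, reusing nat-id 1.
! global (dmz) 1 interface
!
! DMZ server published to the Internet; DMZ outbound reuses PAT pool 1.
static (dmz,outside) 3.3.3.5 172.16.1.10 netmask 255.255.255.255
nat (dmz) 1 172.16.1.0 255.255.255.0
!
! Alternative to the Q3 lines: drop the requirement entirely. Untranslated
! traffic is then forwarded as-is; statics and nat/global rules that do
! match a packet still apply.
! no nat-control
```

Check the result with `show xlate` after an inside host opens an outbound connection (a PAT entry for 3.3.3.3 appears, the static for 3.3.3.4 is present permanently) and with `show nat` to see the ordered rule set; `debug pix process` or the syslog "no translation group found" is what you see when the Q3 translation is missing.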

palsukh2002 Sun, 01/04/2009 - 18:33

Sorry, but my questions are still not answered. I believe I have not clearly stated my queries.

My queries are:

1. Definitely when we are accessing from inside to outside we will do NAT, and return traffic will come back based on the same NAT. My question is not about the reply which the outside host sends in response to a connection initiated by an inside host.

But when the outside host initiates a separate connection to an inside host, is another NAT rule required?

For example, I mean if I have used the nat (inside)/global (outside) commands for traffic going from inside to outside, will traffic initiated from outside to inside require a separate NAT statement?

Please note that I have used PAT in this case for inside to outside, and as per the rule two rules should automatically get added in the rulebase which uses PAT. For example:

Host A: 10.10.10.10 (inside network)

Host B: 10.10.10.20 (inside network)

Host C: 1.1.1.1 (Internet host)

NATed IP for Host A to Host C: 3.3.3.3:2030

NATed IP for Host B to Host C: 3.3.3.3:2031

Now if Host A communicates with Host C, we will use PAT (only one nat/global command), and suppose Host A gets PATed to 3.3.3.3:2030, where 2030 is the source port. The reply to this packet will come back automatically. Now if Host C wants to communicate (separate connection) with Host A, will the traffic from Host C use 3.3.3.3:2030 as the destination IP address, and will it get NATed automatically to 10.10.10.10? Am I right?

If yes, then it means Host A and Host C cannot initiate simultaneous connections to each other. One has to wait till the other finishes.

And it also means that if Host C wants to communicate with Host B, it cannot. For this to happen Host B should have communicated with Host C at least once; only then can Host C communicate with Host B. Am I right?

2. Of course we can use static NAT for access from outside to inside. But my question is whether we can use the following commands in PIX (for outside to inside access):

nat (outside) ...;

global (inside) ...

godinerik Sun, 01/04/2009 - 18:41

Sorry, please ignore this post (I can't delete it, so I took out my reply). I missed the part where you said you understood a static statement could be used but you really want to use nat (outside) instead. NAT is usually used to:

1. Preserve IPv4 addresses

2. To hide your internal network's IPs

Amongst other things. #1 doesn't apply because there's no need to spare internal IPs; #2 doesn't apply because it's already being accomplished even though you'd be using a STATIC.

Is it possible to use nat (outside)? Maybe, NAT is NAT. However, I fail to see the reason for this (not to say that there isn't a good reason). If you want to share with us, perhaps we can understand better what your end goal is.

godinerik Sun, 01/04/2009 - 19:04

Actually, I'll have to correct myself. My information relates to an ASA 5505; however, I suppose if you're using one of the lower-end PIX devices, it must be similar. The one situation where you'll need NAT rules from outside to inside would be if you use NAT control. From the ASA reference guide:

"Similarly, if you enable outside dynamic NAT or PAT, then all outside traffic must match a NAT rule when it accesses an inside interface."
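What nat (outside)/global (inside) actually does, as an added example that is not configuration from any poster. 1.1.1.1 is the outside host from the thread; the inside pool 10.10.10.200-10.10.10.210, the published address 3.3.3.4 and the inside server 10.10.10.10 are assumed. Outside dynamic NAT (PIX 6.2+ and PIX/ASA 7.x-8.2) rewrites the source address of an outside host as its packets cross toward inside; it does not map a public address onto an inside server, so it cannot do the job of static (inside,outside). The reverse form, static (outside,inside), is real syntax too, but it maps an outside real address to an inside-visible address, which is the opposite of publishing an inside server.

```cisco
! Added example; 1.1.1.1 is the thread's outside host, other addresses assumed.
!
! Outside dynamic NAT: the trailing "outside" keyword is required because the
! nat interface is less secure than the interface named in the global line.
! Effect: when 1.1.1.1 reaches an inside host, that host sees the SOURCE as
! an address from the pool 10.10.10.200-10.10.10.210 (pool addresses must be
! unused on the inside subnet). With nat-control, every outside -> inside
! flow must then match a NAT rule, which is the guide text quoted above.
nat (outside) 2 1.1.1.1 255.255.255.255 outside
global (inside) 2 10.10.10.200-10.10.10.210
!
! Outside static (alternative to the two lines above, not in addition): the
! outside host 1.1.1.1 is presented to inside hosts as 10.10.10.200,
! permanently and in both directions. Order is still
! (real_ifc,mapped_ifc) mapped_ip real_ip.
! static (outside,inside) 10.10.10.200 1.1.1.1 netmask 255.255.255.255
!
! Neither form changes the DESTINATION of a packet sent to 3.3.3.4.
! Publishing an inside server is always the inside-to-outside static plus an
! ACL on the outside interface against the mapped address:
static (inside,outside) 3.3.3.4 10.10.10.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp host 1.1.1.1 host 3.3.3.4 eq 80
access-group OUTSIDE_IN in interface outside
```

With both the outside dynamic NAT and the inside static in place, a connection from 1.1.1.1 to 3.3.3.4:80 arrives at 10.10.10.10 with a source address from the 10.10.10.200 pool; `show xlate` then shows two entries for that one flow, the permanent static and a dynamic outside translation that ages out when the connection ends.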

palsukh2002 Sun, 01/04/2009 - 19:18

I have read somewhere (maybe in the case of site-to-site VPNs) that two rules will get added when we do PAT.

It should be true when we access some external IPs using PAT (many to one).
