06-29-2009 11:52 PM
Hi
I am running a PIX515 with V8.0(4)28 IOS.
I have an issue with NAT.
I would like traffic from DMZ1 to DMZ2 to have no NAT applied. I have created an access-list no-nat-DMZ1 for this. I also have a static line for DMZ1 traffic to connect to the inside.
However, doing a packet-trace gives the following result:
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,DMZ1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
match ip inside 10.0.0.0 255.0.0.0 DMZ1 any
static translation to 10.0.0.0
translate_hits = 0, untranslate_hits = 2
Additional Information:
NAT divert to egress interface inside
Untranslate 10.0.0.0/0 to 10.0.0.0/0 using netmask 255.0.0.0
This shows the static line being used to try to un-NAT the packet. The Cisco security appliance configuration guide for V8.0 shows the order of NAT commands used to match addresses as follows:
1. Nat exemption (nat 0 access-list)
2. Static NAT and Static PAT.
3. Policy dynamic NAT
4. Regular dynamic NAT
Therefore I expect the packet to be picked up by the nat 0 access-list line.
Any ideas anyone?
Thanks
Richard
Config:
interface Ethernet0
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet1
nameif outside
security-level 0
ip address 82.1.1.1 255.255.255.0
!
interface Ethernet2
description DMZ1
nameif DMZ1
security-level 90
ip address 10.200.1.1 255.255.255.0
!
interface Ethernet3
nameif DMZ2
security-level 5
ip address 10.210.1.1 255.255.255.0
access-list inside extended permit tcp 10.0.0.0 255.0.0.0 any eq www
access-list inside extended permit tcp 10.0.0.0 255.0.0.0 any eq https
access-list inside extended permit tcp 10.0.0.0 255.0.0.0 any eq ftp
access-list inside extended permit udp 10.0.0.0 255.0.0.0 any eq domain
access-list no-nat-DMZ1 extended permit ip 10.200.1.0 255.255.255.0 10.210.1.0 255.255.255.0
access-list DMZ1 extended permit ip host 10.200.1.10 host 10.210.1.20
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ1) 0 access-list no-nat-DMZ1
static (inside,DMZ1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
access-group inside in interface inside
access-group DMZ1 in interface DMZ1
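The following is an added example, not part of the thread or of any Cisco code. It models the lookup that the Phase 2 output above shows: the destination of a packet arriving on DMZ1 is first checked against the mapped side of statics whose mapped interface is DMZ1 (UN-NAT), and only if none matches is the source-side nat 0 access-list consulted. That ordering is an assumption derived from the trace, and the model covers only these two phases. The configuration objects are built from the lines in the post; the narrowed static using the 10.10.10.0/24 inside subnet is a hypothetical alternative used to show how the overlap check behaves.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass
class Static:
    """One 'static (real_if,mapped_if) mapped_addr real_addr netmask mask' line."""
    real_if: str
    mapped_if: str
    mapped_net: IPv4Net
    real_net: IPv4Net


@dataclass
class NatExempt:
    """One permit line of the ACL referenced by 'nat (ingress_if) 0 access-list <acl>'."""
    ingress_if: str
    src_net: IPv4Net
    dst_net: IPv4Net


# Constructed from the configuration in the post:
#   static (inside,DMZ1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
#   nat (DMZ1) 0 access-list no-nat-DMZ1
#   access-list no-nat-DMZ1 extended permit ip 10.200.1.0 255.255.255.0 10.210.1.0 255.255.255.0
STATICS = [Static("inside", "DMZ1", IPv4Net("10.0.0.0/8"), IPv4Net("10.0.0.0/8"))]
EXEMPTIONS = [NatExempt("DMZ1", IPv4Net("10.200.1.0/24"), IPv4Net("10.210.1.0/24"))]

# Hypothetical alternative (not in the post): a static limited to the inside
# interface's own 10.10.10.0/24 subnet, so it no longer covers the DMZ2 range.
NARROWED_STATICS = [Static("inside", "DMZ1", IPv4Net("10.10.10.0/24"), IPv4Net("10.10.10.0/24"))]


def classify(ingress_if: str, src: str, dst: str,
             statics: List[Static], exemptions: List[NatExempt]) -> Tuple[str, Optional[str]]:
    """Return (phase, divert_interface) for a packet arriving on ingress_if.

    Assumed model (derived from the Phase 2 UN-NAT trace output): destination
    lookup against statics mapped onto the ingress interface runs first; the
    source-side nat 0 access-list is consulted only when no static matched.
    Later phases (static source NAT, dynamic NAT) are not modelled here.
    """
    s_ip = ipaddress.ip_address(src)
    d_ip = ipaddress.ip_address(dst)
    # Phase: UN-NAT. A destination inside a static's mapped network is
    # un-translated and the packet is diverted to the static's real interface.
    for st in statics:
        if st.mapped_if == ingress_if and d_ip in st.mapped_net:
            return ("UN-NAT", st.real_if)
    # Phase: NAT exemption (nat 0 access-list) on the ingress interface.
    for ex in exemptions:
        if ex.ingress_if == ingress_if and s_ip in ex.src_net and d_ip in ex.dst_net:
            return ("NAT-EXEMPT", None)
    return ("NO-MATCH", None)


def shadowed_exemptions(statics: List[Static],
                        exemptions: List[NatExempt]) -> List[Tuple[NatExempt, Static]]:
    """Configuration check: pairs where an exemption's destination network lies
    inside a static's mapped network on the same interface, so the static will
    claim that traffic before the nat 0 access-list is ever reached."""
    hits = []
    for ex in exemptions:
        for st in statics:
            if st.mapped_if == ex.ingress_if and ex.dst_net.subnet_of(st.mapped_net):
                hits.append((ex, st))
    return hits


if __name__ == "__main__":
    # The flow from the post: host 10.200.1.10 on DMZ1 to host 10.210.1.20 on DMZ2.
    print(classify("DMZ1", "10.200.1.10", "10.210.1.20", STATICS, EXEMPTIONS))
    print(classify("DMZ1", "10.200.1.10", "10.210.1.20", NARROWED_STATICS, EXEMPTIONS))
    for ex, st in shadowed_exemptions(STATICS, EXEMPTIONS):
        print(f"exemption {ex.src_net}->{ex.dst_net} on {ex.ingress_if} is shadowed by "
              f"static ({st.real_if},{st.mapped_if}) {st.mapped_net}")
```

Run against the posted configuration, the DMZ1 to DMZ2 flow is classified as UN-NAT with a divert to inside, matching the trace; with the narrowed static the same flow falls through to the exemption. The `shadowed_exemptions` check is the kind of overlap audit worth running whenever a wide static is mapped onto an interface that also carries nat 0 traffic.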
07-06-2009 05:49 AM
When you configure identity NAT (which is similar to dynamic NAT), you do not limit translation for a host on specific interfaces; you must use identity NAT for connections through all interfaces. Therefore, you cannot choose to perform normal translation on real addresses when you access interface A, but use identity NAT when accessing interface B. Regular dynamic NAT, on the other hand, lets you specify a particular interface on which to translate the addresses. Make sure that the real addresses for which you use identity NAT are routable on all networks that are available according to your access lists.
For identity NAT, even though the mapped address is the same as the real address, you cannot initiate a connection from the outside to the inside (even if the interface access list allows it). Use static identity NAT or NAT exemption for this functionality.