PIX-515 v8.0(4)28 NAT issue

richard.s.jones (Level 1)

Hi

I am running a PIX515 with V8.0(4)28 IOS.

I have an issue with NAT.

I would like traffic from DMZ1 to DMZ2 to have no NAT applied. I have created an access-list no-nat-DMZ1 for this. I also have a static line for DMZ1 traffic to connect to the inside.

However, doing a packet-tracer gives the following result:

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,DMZ1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
  match ip inside 10.0.0.0 255.0.0.0 DMZ1 any
    static translation to 10.0.0.0
    translate_hits = 0, untranslate_hits = 2
Additional Information:
NAT divert to egress interface inside
Untranslate 10.0.0.0/0 to 10.0.0.0/0 using netmask 255.0.0.0

This shows the static line being used to try to un-NAT the packet. The Cisco security appliance configuration guide for V8.0 shows the order of NAT commands used to match addresses as follows:

1. NAT exemption (nat 0 access-list)
2. Static NAT and static PAT
3. Policy dynamic NAT
4. Regular dynamic NAT

Therefore I expect the packet to be picked up by the nat 0 access-list line.

Any ideas anyone?

Thanks

Richard

Config:

interface Ethernet0
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet1
 nameif outside
 security-level 0
 ip address 82.1.1.1 255.255.255.0
!
interface Ethernet2
 description DMZ1
 nameif DMZ1
 security-level 90
 ip address 10.200.1.1 255.255.255.0
!
interface Ethernet3
 nameif DMZ2
 security-level 5
 ip address 10.210.1.1 255.255.255.0
!
access-list inside extended permit tcp 10.0.0.0 255.0.0.0 any eq www
access-list inside extended permit tcp 10.0.0.0 255.0.0.0 any eq https
access-list inside extended permit tcp 10.0.0.0 255.0.0.0 any eq ftp
access-list inside extended permit udp 10.0.0.0 255.0.0.0 any eq domain
access-list no-nat-DMZ1 extended permit ip 10.200.1.0 255.255.255.0 10.210.1.0 255.255.255.0
access-list DMZ1 extended permit ip host 10.200.1.10 host 10.210.1.20
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ1) 0 access-list no-nat-DMZ1
static (inside,DMZ1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
access-group inside in interface inside
access-group DMZ1 in interface DMZ1


sadbulali (Level 4)

When you configure identity NAT (which is similar to dynamic NAT), you do not limit translation for a host on specific interfaces; you must use identity NAT for connections through all interfaces. Therefore, you cannot choose to perform normal translation on real addresses when you access interface A, but use identity NAT when accessing interface B. Regular dynamic NAT, on the other hand, lets you specify a particular interface on which to translate the addresses. Make sure that the real addresses for which you use identity NAT are routable on all networks that are available according to your access lists.

For identity NAT, even though the mapped address is the same as the real address, you cannot initiate a connection from the outside to the inside (even if the interface access list allows it). Use static identity NAT or NAT exemption for this functionality.
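The packet-tracer output in the original post shows the DMZ1-to-DMZ2 packet hitting the static (inside,DMZ1) 10.0.0.0/8 entry as UN-NAT and being diverted to the inside interface before the nat 0 exemption is ever consulted. The Python script below is an added example, not code from either participant or from Cisco. It models the pre-8.3 PIX/ASA lookup in a deliberately simplified way (the assumption being that the destination address is first matched against the mapped side of any static whose mapped interface is the ingress interface, and that a hit un-NATs the destination and diverts the packet to the static's real interface, ahead of the source-side order listed in the post), reproduces the posted result, and checks a candidate fix: narrowing the static to the 10.10.10.0/24 inside subnet, which is an assumption taken from the posted ip address line and would need widening if more networks sit behind inside. Interface names and addresses come from the post; the parser, the function names and the three test flows are mine.

```python
"""Toy model of the pre-8.3 PIX/ASA NAT lookup, built to reproduce the
packet-tracer result from the thread and to check a candidate fix offline.

Assumption (not stated on the page): a packet's DESTINATION is matched
against the mapped side of statics facing the ingress interface before the
source-side lookup runs; a hit diverts the packet to the static's real
interface ("NAT divert"), bypassing the routing table.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Static:
    real_if: str
    mapped_if: str
    mapped: ipaddress.IPv4Network
    real: ipaddress.IPv4Network


@dataclass
class Config:
    statics: list = field(default_factory=list)
    exemptions: list = field(default_factory=list)  # (ingress_if, [(src_net, dst_net)])
    connected: dict = field(default_factory=dict)   # connected subnet -> interface name


def operand(t, i):
    """Parse one ACL address operand at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse(lines):
    """Read the subset of PIX syntax the model needs (nameif, ip address,
    permit-ip ACLs, nat 0 access-list, static); everything else is ignored."""
    cfg, acls, cur_if = Config(), {}, None
    for raw in lines:
        t = raw.split()
        if not t:
            continue
        if t[0] == "nameif":
            cur_if = t[1]
        elif t[:2] == ["ip", "address"]:
            cfg.connected[ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)] = cur_if
        elif t[0] == "access-list" and t[3:5] == ["permit", "ip"]:
            src, i = operand(t, 5)
            dst, _ = operand(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "static":  # static (real_if,mapped_if) mapped real netmask M
            real_if, mapped_if = t[1].strip("()").split(",")
            mapped = ipaddress.ip_network(f"{t[2]}/{t[5]}", strict=False)
            real = ipaddress.ip_network(f"{t[3]}/{t[5]}", strict=False)
            cfg.statics.append(Static(real_if, mapped_if, mapped, real))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg.exemptions.append((t[1].strip("()"), acls[t[4]]))
    return cfg


def route(cfg, dst):
    """Longest-prefix match over connected subnets (no static routes modelled)."""
    hits = [n for n in cfg.connected if dst in n]
    return cfg.connected[max(hits, key=lambda n: n.prefixlen)] if hits else "no route"


def trace(cfg, ingress, src, dst):
    """Return (nat_phase, egress_interface) for a packet entering `ingress`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Phase 1 (assumed): destination UN-NAT against statics mapped on ingress.
    for s in cfg.statics:
        if s.mapped_if == ingress and dst in s.mapped:
            return "UN-NAT static", s.real_if
    egress = route(cfg, dst)
    # Phase 2: source-side order from the guide: exemption, static, dynamic
    # (dynamic NAT is not modelled).
    for iface, rules in cfg.exemptions:
        if iface == ingress and any(src in a and dst in b for a, b in rules):
            return "NAT exemption", egress
    for s in cfg.statics:
        if s.real_if == ingress and src in s.real:
            return "static NAT", egress
    return "no NAT rule (dynamic not modelled)", egress


# Constructed from the posted config: only the lines the model reads.
POSTED = """
nameif inside
ip address 10.10.10.1 255.255.255.0
nameif outside
ip address 82.1.1.1 255.255.255.0
nameif DMZ1
ip address 10.200.1.1 255.255.255.0
nameif DMZ2
ip address 10.210.1.1 255.255.255.0
access-list no-nat-DMZ1 extended permit ip 10.200.1.0 255.255.255.0 10.210.1.0 255.255.255.0
nat (DMZ1) 0 access-list no-nat-DMZ1
static (inside,DMZ1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
""".splitlines()

# Candidate fix (assumption): shrink the static's mapped range to the inside
# subnet actually configured, so it no longer covers the DMZ2 subnet.
FIXED = [l if not l.startswith("static") else
         "static (inside,DMZ1) 10.10.10.0 10.10.10.0 netmask 255.255.255.0"
         for l in POSTED]


def check():
    """Reproduce the thread's packet-tracer result and verify the fix."""
    results = {}
    for name, cfg in (("posted", parse(POSTED)), ("fixed", parse(FIXED))):
        results[name] = {
            "dmz1_to_dmz2": trace(cfg, "DMZ1", "10.200.1.10", "10.210.1.20"),
            "inside_to_dmz1": trace(cfg, "inside", "10.10.10.5", "10.200.1.10"),
            "dmz1_to_inside": trace(cfg, "DMZ1", "10.200.1.10", "10.10.10.5"),
        }
    return results


if __name__ == "__main__":
    for name, flows in check().items():
        for flow, (phase, egress) in flows.items():
            print(f"{name:6} {flow:15} -> {phase:22} egress {egress}")
```

With the posted config the model returns "UN-NAT static" with egress inside for the DMZ1-to-DMZ2 flow, matching the "NAT divert to egress interface inside" line in the packet-tracer output; with the narrowed static the same flow falls through to the nat 0 exemption and routes to DMZ2, while inside-to-DMZ1 and DMZ1-to-inside still use the static. On a real appliance, confirm the change with `packet-tracer input DMZ1 tcp 10.200.1.10 1025 10.210.1.20 80` and `show xlate` rather than trusting this toy model.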