PAT / NAT and Inbound/Outbound - Can I do this?

Unanswered Question
May 14th, 2010

This is a separate question that is a follow up to one that was answered:


Help with: Deny TCP (no connection)

https://supportforums.cisco.com/thread/2016571


Unfortunately that solution - by PATing all source addresses coming in from the outside to ensure the request is sent back out that same PIX - wreaks havoc on the dynamic translation rules. Note the PATing is a temporary solution to be used during this ISP move/renumbering.


So I have this configured: Allows client behind an interface dynamic translation using the specified outside IP.

global (outside) 30 64.123.111.4
global (outside) 20 64.123.111.3
global (outside) 10 64.123.111.2
nat (eth2) 20 10.1.0.0 255.255.224.0
nat (eth1) 10 10.0.0.0 255.255.224.0
nat (eth3) 30 10.100.0.0 255.255.224.0


It works well, but when I PAT everything (add the 2 lines below) it does fix the problem answered in my other post but “breaks” the above, and I see “no translation group found” Syslog messages:


global (eth3) 1 64.123.111.1
nat (outside) 1 0.0.0.0 0.0.0.0 outside


Is there a way I can have the best of both worlds?


Thanks,


-h

Jennifer Halim (Cisco Employee) Fri, 05/14/2010 - 15:45

Yes, assuming that eth3 has higher security level than outside, you would also need to configure NAT exemption on eth3 interface.


Let's assume that eth3 subnet is 200.1.1.0/24. The following config needs to be done:

access-list eth3-nonat permit ip 200.1.1.0 255.255.255.0 any
nat (eth3) 0 access-list eth3-nonat


Further, just to clarify the following 2 commands configured:


global (eth3) 1 64.123.111.1
nat (outside) 1 0.0.0.0 0.0.0.0 outside


The above configuration is configured as you would like any ip addresses from the outside subnet (Internet I assume) to be PATed to 64.123.111.1 when they are accessing eth3 subnet (200.1.1.0/24 - as per the above assumption)? Is this a correct assumption? If it is, then the NAT exemption above should resolve the issue.


Hope that helps.

mhcraig Mon, 05/17/2010 - 07:15

Thanks for the reply, but I'm still not having any luck. I've tried altering the nonat ACL and I can't seem to have both situations work simultaneously:


Situation:
Web server is behind eth-poy: 10.100.2.10
Statically mapped to the outside eth-isp: 1.1.1.1
Host Servers use: 10.100.1.0/24
eth-isp = 2.2.2.2/26 (Internet)
eth-poy = 10.100.0.0/19


Goal:
1. Allow hosts behind eth-poy to access the internet using eth-isp sharing a single IP

AND simultaneously...
2. Allow web servers behind eth-poy to utilize their static mappings when people access them from the internet


What is happening is that the static rules are working but I'm still seeing "no translation group found for tcp src eth-poy:10.100.1.100..." when I try to access the internet from one of the hosts behind eth-poy.


Here is what I have currently:
access-list acl_exempt_eth_poy_nonat permit ip 10.100.0.0 255.255.224.0 any
nat (eth-poy) 0 access-list acl_exempt_eth_poy_nonat
nat (eth-isp) 1 0.0.0.0 0.0.0.0 outside
global (eth-poy) 1 2.2.2.1
static (eth-poy,eth-isp) 2.2.2.10 10.100.2.10 netmask 255.255.255.255


Note: I've tried adjusting the ACL to include only those hosts in the 10.100.2.0/24 range and alternatively the 10.100.1.0/24 range but no luck.


What am I doing wrong?


Many thanks,


-h
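As an added example that is not part of the thread, the following Python model applies the documented PIX/ASA 7.x NAT matching order for a real source address (nat 0 access-list exemption first, then static, then dynamic nat/global pairs) to the config posted above. The two `id 2` lines and the address 2.2.2.5 are a hypothetical nat/global pair added to the posted config, and 203.0.113.7 is a constructed Internet source; the model only parses the command forms used in this thread and ignores the mapped-interface side of `static`.

```python
# Added example (not from the thread): a model of the PIX/ASA 7.x NAT matching order for a
# real source address: nat 0 access-list (exemption) > static > dynamic nat/global pairs.
import ipaddress

ORDER = ("nat0", "static", "dynamic")

# The config posted above, plus a hypothetical nat/global pair (id 2) for shared egress on eth-isp.
CONFIG = """
access-list acl_exempt_eth_poy_nonat permit ip 10.100.0.0 255.255.224.0 any
nat (eth-poy) 0 access-list acl_exempt_eth_poy_nonat
nat (eth-isp) 1 0.0.0.0 0.0.0.0 outside
global (eth-poy) 1 2.2.2.1
static (eth-poy,eth-isp) 2.2.2.10 10.100.2.10 netmask 255.255.255.255
nat (eth-poy) 2 10.100.0.0 255.255.224.0
global (eth-isp) 2 2.2.2.5
"""

def parse_config(text):
    """Return (rules, globals); a rule is (kind, real_iface, [networks], arg)."""
    acls, rules, glob = {}, [], {}
    for f in (line.split() for line in text.split("\n") if line.strip()):
        if f[0] == "access-list":            # access-list NAME permit ip NET MASK any
            acls.setdefault(f[1], []).append(ipaddress.ip_network(f"{f[4]}/{f[5]}"))
        elif f[0] == "nat" and f[2] == "0":  # nat (IFC) 0 access-list NAME  (exemption)
            rules.append(("nat0", f[1].strip("()"), acls[f[4]], None))
        elif f[0] == "nat":                  # nat (IFC) ID NET MASK [outside]
            net = ipaddress.ip_network(f"{f[3]}/{f[4]}")
            rules.append(("dynamic", f[1].strip("()"), [net], int(f[2])))
        elif f[0] == "static":               # static (REAL_IFC,MAPPED_IFC) MAPPED REAL ...
            real_ifc = f[1].strip("()").split(",")[0]
            rules.append(("static", real_ifc, [ipaddress.ip_network(f[3] + "/32")], f[2]))
        elif f[0] == "global":               # global (IFC) ID MAPPED_IP
            glob[(f[1].strip("()"), int(f[2]))] = f[3]
    return rules, glob

def match_flow(rules, glob, src_iface, src_ip, dst_iface):
    """First rule, in PIX precedence order, that claims this real source address."""
    ip = ipaddress.ip_address(src_ip)
    for kind in ORDER:
        for rkind, iface, nets, arg in rules:
            if rkind != kind or iface != src_iface or not any(ip in n for n in nets):
                continue
            if kind == "nat0":
                return ("nat0", "exempt, no translation")
            if kind == "static":
                return ("static", arg)
            mapped = glob.get((dst_iface, arg))  # the nat id needs a global on the egress ifc
            return ("dynamic", mapped) if mapped else ("none", "no translation group found")
    return ("none", "no translation group found")
```

Because the exemption ACL permits 10.100.0.0/19 to `any`, it claims the hosts' own Internet-bound flows before the dynamic id 2 pair is ever consulted; removing that one line lets the same flow match the dynamic rule.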

mhcraig Tue, 05/18/2010 - 13:54

Just to answer your *specific* question - YES your assumption is correct.


In addition though, I would like hosts behind eth3 to access the internet using a single IP (can be different than the one used for the PATing).


Any ideas why I'm seeing this syslog message:

"no translation group found for tcp src eth-poy:10.100.1.100..."


..and the hosts can't access the internet?


Thanks,


-h
