Can nat (inside) 0 coexist with nat 1 (inside) ???

Unanswered Question
May 29th, 2003
User Badges:

Hello all!


I only what to nat the private addresse if they go on internet. I used nat 0 on all interface (execept outside) so I can communicate between my networks.


I have a pix with 5 interface used

-vpn 75 10.136.X.X

-dmz1 50 A.A.A.A (public class)

-tel 100 10.10.X.X

-dmz2 90 A.A.B.B (public class)

-outside 0 A.A.C.C (public class)


Can I do something like that:


#Don`t change vpn ip address if you stay in my network

nat (vpn) 0 access-list vpn_nonat

access-list vpn_nonat permit ip 10.136.0.0 255.255.0.0 A.A.0.0 255.255.0.0

access-list vpn_nonat permit ip 10.136.0.0 255.255.0.0 10.0.0.0 255.0.0.0

access-list vpn_nonat permit ip 10.136.0.0 255.255.0.0 172.16.0.0 255.255.0.0

access-list vpn_nonat permit ip 10.136.0.0 255.255.0.0 192.168.0.0 255.255.0.0


#If you go on internet nat

nat (vpn) 1 10.136.0.0 255.255.0.0

global (outside) 1 A.A.252.50-A.A.252.150 netmask 255.255.255.0




  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
HEATH FREEL Thu, 05/29/2003 - 11:49
User Badges:

You could. I'm not sure if that is best practice. For that matter I'm not sure if my way is either. This is what I would do.


Static each subnet to itself for the specified interfaces and then use your nat (vpn) 1 command to go to the internet.

To answer your question, yes. You can have all sorts of NAT statements as long as they are uniquely identified.


However, it sounds like a static statement might work better for you.


static (vpn,dmz1) 10.136.X.X 10.136.X.X netmask 255.255.0.0 0 0

static (vpn,dmz2) 10.136.X.X 10.136.X.X netmask 255.255.0.0 0 0

static (tel ,vpn) 10.136.X.X 10.136.X.X netmask 255.255.0.0 0 0


That will keep traffic coming from 10.136.X.X looking like 10.136.X.X to all internal zones.


Then, keep your nat and global statements for traffic going to the outside interface of the PIX.


Static referance:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/s.htm#xtocid20

mlheureux Fri, 05/30/2003 - 05:03
User Badges:

I have heard that ! Our cisco support ( third party not cisco directly) said it`s a good practice to use the static cmd if you don`t want to nat. But it is getting very confusing when you don`t want a nat any interface of the pix. You get a lot of static statement and I lose track! Don`t forget that global cmd is a pool of address so it is hard to track if you get a complaine that someone in your network hack another compagny on internet....That why we don`t want to nat


I like my nat 0 with an access-list more easy to maintaint and easy to understand. And Cisco dont describe static cmd as a nat 0 but as a way to allow lower sec to higer sec interface access.


One last thing you might confirm a bit off the track::

My vpn need to go to the outside so security should allow it OK

But my vpn need also to go inside so the security don't allow it OK i need an acl.


I notice that as soon as I put an acl to allow vpn to inside a lose my outside access. The acl deny it. It seem that the security principle are non existants as soon as you add an acl on a interface. Is that make sense???


I am a bit stuck since the only way my vpn to allow both interfaces is to make a acl with a permit any any since I don`t know where on internet the vpn will go! There sould be a better way to do it ???


Thanks a lot for your helps!

Actions

This Discussion