policy NAT issue

mjsully · ‎11-24-2006

I did some policy NAT'ng on the outside interface of our Internet facing firewall and it broke some other NAT'ng and I'm not sure why. I had the following config put in place

access-list policy_nat permit tcp any host 12.1.1.1 eq ssl

nat(outside) 2 access-list policy_nat

global (dmz) 2 10.1.1.1

Once the config was in place, the policy nat'g was working for the particular address stated in the policy_nat acl, but other pre-existing statics between the 12.x.x.x outside interface and other servers in the dmz stopped working. When I looked on our syslog server it was saying no translation group found for these addresses.

I then went back into my policy_nat acl and added a second line "access-list policy_nat deny ip any any".

Now everything works, so I see what the issue was, my question is more why did I have to put a deny ip any any at the bottom of my policy nat acl? I would have thought it was like any other access list and implicitly denied but obviously not. Can anyone elaborate on why it does not implicitly deny everything you are not permitting?

Fernando_Meza · ‎11-26-2006

Hi .. I am actually surprised it is working at all .. I believe the security level of your outside interface is lower than the one configured on your dmz correct .. ? because if that is the case then you would have needed the 'outside' keyword at the end of the nat intruction to get this working ..

alanajjar · ‎11-27-2006

Hi.

First of all the configuration you made is completely wrong, because if you need to configure traffic between less secure interface to more secure interface you have to use static traslation with access list on the outside interface, not policy nat.

the commands should be:

static(dmz,outside) global_ip local_ip

access-list in_traffic permit tcp any global_ip eq https

then apply this access list to the outside interface in inbound direction.

secondly , the access list used in the policy nat cannot contain deny commands, it must contain only permit commands.

with regards

ala ala najjar

mjsully · ‎11-27-2006

My configuration is working, so I don't see how you say its completely wrong. I have a deny in my policy access-list and that is working as well. How can I use a static translation when I am translating "any" internet address coming in? I'm not doing a one for one NAT.

alanajjar · ‎11-27-2006

Hi,

the only way to make translation from less secure to more secure interface is by using static translation, in static translation you translate one to one address, but also you must specify an access-list that covern this translation, you can put any as the source in the access list.

your settings may be right at one condition, if your outside interface has higer security level than the DMZ interface.

subramanians · ‎11-29-2006

First try to figure out what are you trying to achieve or let me know what u want to do??

Will then explain the best possible option for the same.

jgervia_2 · ‎11-29-2006

Hello,

You can do nat and globals between lower and higher level security interfaces.

I think the issue you are having is that if the interface you have the nat command on is of a lower level than the global command, you have to add the 'outside' keyword.

---------------

outside

(Optional) If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside. This feature is called outside NAT or bidirectional NAT.

----------------

I can't think of any reason why this wouldn't work, according to the order nat is used, statics would take precedence over a nat/global statement

I'd try adding the outside keyword to your nat statement and taking out the deny statement at the end and see if that fixes it.

If not, post some of your config up here (nat and routing) so we can take a look

--Jason

Please rate this message if it helped solve somr or all of the question/issue.