Hi Firewall Gurus,
I'm just a bit confused with the NAT and PAT capabilities of a PIX firewall. For example, I have this configuration:
global (outside) 2 210.*.*.49-188.8.131.52 netmask 255.255.255.0
global (outside) 2 202.*.*.34
nat (inside) 2 10.161.0.0 255.255.255.0 0 0
1. Why do I still have to include the subnet mask in the global command?
2. What will happen to this kind of configuration?
3. Will it be a NAT or a PAT, and which CLI command specifies whether it is NAT or PAT?
4. What if I want to have a one-to-one dynamic translation? What config should I do?
Here's what I have in mind: the first 7 workstations from the 10.161.0.0/24 subnet will NAT to 184.108.40.206-55, then the succeeding workstations will PAT to this IP address range. Please correct me if I'm wrong.
Because we have clients that use a VPN client that needs one-to-one public IP translation and should not be port address translated. All of these are dynamic NAT and PAT.
How does the PIX firewall interpret a nat (inside) access-list command?
What if I have this configuration:
global (outside) 2 220.127.116.11
global (outside) 3 18.104.22.168
nat (inside) 2 access-list 2
nat (inside) 3 access-list 3
access-list 2 permit ip any host 22.214.171.124
access-list 2 permit ip any host 126.96.36.199
access-list 3 permit ip any any
Is this going to be read in parallel? I mean, if the destination IP is 188.8.131.52 or 184.108.40.206, I always want it translated to 220.127.116.11, not 18.104.22.168, because access-list 3 will also satisfy the condition, which is "any any".
Sorry for so many questions but I just want to clarify everything.
Thank you very much.
1. I'm not sure
2. Your assumption is correct. The NAT will be served on a first-come, first-served basis, so the first 7 addresses will be NAT'ed and the rest will be PAT'ed.
3. It's always a NAT command, but when the corresponding GLOBAL command contains a single IP, the PIX will know that this is a PAT.
4. Use the STATIC command and have your private range followed by the public range.
What do you mean by: "Because we have clients that use VPN client that needs one-to-one public IP translation and should not be port address translated. All of these are dynamic NAT and PAT" ... do you have clients on the inside who want to connect to another VPN concentrator, or do you have clients who want to connect to this PIX? If it's the first option then they can use PAT; if it's the second option then I didn't get your point.
As for your NAT example:
All IP connections to 22.214.171.124 and 126.96.36.199 will get the 188.8.131.52 address when they get out of the PIX, and all other connections will get the 184.108.40.206 address. All you need to do is add two deny statements to ACL 3 before your permit any statement, like:
access-list 3 deny ip any host 220.127.116.11
access-list 3 deny ip any host 18.104.22.168
access-list 3 permit ip any any
Hope this was helpful.
This is very helpful! Thanks for the quick reply.
What I mean in the VPN situation is that we have internal employees who need access to an outside VPN concentrator (not in our control) and need a one-to-one dynamic translation. Their VPN connection won't work if it is Port Address Translated.
About number 4, I thought you would use the Static command if you want a one-to-one static translation? But what if I want a one-to-one dynamic translation? Thanks a lot. =)
The VPN should work, and I know that for a fact since I did that many times. Simply, whenever you are behind a home router and using a VPN client you will be PAT'ed, so it's a normal thing ... you need to re-visit your config maybe.
I don't know what you are after with the 1-2-1 dynamic translation, but if you have a NAT/GLOBAL combo with the same number of IPs in each you will have a dynamic 1-2-1 NAT ... is this your case?! STATIC will map the addresses horizontally and will not allocate randomly.
Now I get it. If I use a NAT/Global combo with the same number of IPs then I can have the 1-2-1 NAT. What I really meant here is that, for example:
VPN client 1 connects, then he will be translated to 1 public IP. Then VPN client 2 connects, and he will be given another public IP different from the first one. And so on... End-to-end (from client PC to VPN concentrator), the source port of the VPN client will not be replaced by the PIX firewall.
Because there are some VPN servers that respond on a different port when a VPN client connects. For example, when a client connects to the VPN server with a destination port of 123 and a source port of 456, the concentrator will respond to the client with a destination port of 789 and a source port of 123. With this kind of VPN server, the PIX firewall will not be able to determine the connection of the VPN client because the server responded on a different port number. That's why we have configurations that don't Port Address Translate but only NAT.
Back to our example: the first 7 IP addresses will be Network Address Translated, which means the source port of the workstation will not be replaced by the PIX. But if there's another client who tries to browse the internet, for example, then that client will be Port Address Translated.
Sorry for consuming too much of your time but you really help me a lot. =)
Another thing: you mentioned earlier that I should just put a deny statement in my access-list to prevent it from being translated to that global IP and instead use the other access-list with a more specific destination. Don't you think that it will be rejected in translation (like nat (inside) 0) because of the deny statement?
Is translation being read in parallel?
global (outside) 3 22.214.171.124
global (outside) 4 126.96.36.199
nat (inside) 3 188.8.131.52 255.0.0.0
nat (inside) 4 184.108.40.206 255.255.255.0
To which public IP will 220.127.116.11 translate? To the more specific one, which is global 4? The number of the identifier doesn't determine which one is prioritized, right?
Sorry for asking too many questions.
18.104.22.168 would be translated to 22.214.171.124 because of the nat identifier 4.
The nat identifier 4 would get translated to the corresponding matching identifier of global statement 4.
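To make the two rules of thumb from the replies above concrete (a range in the global command gives first-come, first-served dynamic NAT with the single-address global used as PAT once the pool is exhausted, and the most specific nat statement wins when several match a source), here is a small Python model of that behaviour. This is an added illustration, not code from this thread or from Cisco, and it is a simplification of what a PIX actually does; the 10.x inside networks mirror the question and the 203.0.113.x outside addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class GlobalPool:
    """One 'global (outside) <id> ...' line: a list of addresses, or a single PAT address."""
    nat_id: int
    addresses: List[str]


@dataclass
class NatRule:
    """One regular 'nat (inside) <id> <network> <mask>' line."""
    nat_id: int
    network: ipaddress.IPv4Network


def global_range(nat_id: int, first: str, last: str) -> GlobalPool:
    """Expand 'global (outside) <id> first-last' into the individual pool addresses."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    return GlobalPool(nat_id, [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)])


class PixNatModel:
    """Toy model (assumption, not the PIX algorithm) of dynamic NAT/PAT selection."""

    def __init__(self, rules: List[NatRule], pools: List[GlobalPool]):
        self.rules = rules
        self.pools: Dict[int, List[GlobalPool]] = {}
        for p in pools:
            self.pools.setdefault(p.nat_id, []).append(p)
        # xlate table: inside IP -> (outside IP, "NAT" or "PAT"), like 'show xlate'
        self.xlate: Dict[str, Tuple[str, str]] = {}
        self.in_use: set = set()

    def select_rule(self, src: ipaddress.IPv4Address) -> Optional[NatRule]:
        """Best match: the nat statement with the longest prefix wins, not the lowest id."""
        matches = [r for r in self.rules if src in r.network]
        if not matches:
            return None
        return max(matches, key=lambda r: r.network.prefixlen)

    def translate(self, src_ip: str) -> Optional[Tuple[str, str]]:
        """Return the outside address for src_ip, allocating one if it is a new host."""
        if src_ip in self.xlate:
            return self.xlate[src_ip]
        rule = self.select_rule(ipaddress.IPv4Address(src_ip))
        if rule is None:
            return None
        # Use address ranges first; a single-address global is the PAT fallback.
        pools = sorted(self.pools.get(rule.nat_id, []), key=lambda p: len(p.addresses) == 1)
        for pool in pools:
            if len(pool.addresses) == 1:
                entry = (pool.addresses[0], "PAT")  # shared by every remaining host
                self.xlate[src_ip] = entry
                return entry
            for addr in pool.addresses:  # first-come, first-served one-to-one NAT
                if addr not in self.in_use:
                    self.in_use.add(addr)
                    entry = (addr, "NAT")
                    self.xlate[src_ip] = entry
                    return entry
        return None  # every global for this id is exhausted and no PAT address exists


def run_demo() -> Dict[str, Tuple[str, str]]:
    """Seven-address pool plus PAT address for nat id 2; overlapping /8 and /24 for ids 3 and 4."""
    rules = [
        NatRule(2, ipaddress.IPv4Network("10.161.0.0/24")),
        NatRule(3, ipaddress.IPv4Network("10.0.0.0/8")),
        NatRule(4, ipaddress.IPv4Network("10.1.1.0/24")),
    ]
    pools = [
        global_range(2, "203.0.113.49", "203.0.113.55"),  # 7 addresses: dynamic NAT
        GlobalPool(2, ["203.0.113.60"]),                  # single address: PAT fallback
        GlobalPool(3, ["203.0.113.70"]),
        GlobalPool(4, ["203.0.113.71"]),
    ]
    pix = PixNatModel(rules, pools)
    hosts = [f"10.161.0.{i}" for i in range(1, 10)] + ["10.1.1.5", "10.2.2.2"]
    return {h: pix.translate(h) for h in hosts}


if __name__ == "__main__":
    for inside, (outside, kind) in run_demo().items():
        print(f"{inside:<12} -> {outside:<14} {kind}")
```

Running it shows the first seven 10.161.0.x hosts each holding their own pool address, hosts eight and nine sharing the PAT address, 10.1.1.5 landing on global 4 because the /24 is more specific than the /8, and 10.2.2.2 falling through to global 3. Checking against a real box is still 'show xlate', which is exactly what the model's table mirrors.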
Ei guys, I'm back!
The access-list in NAT didn't work even though it is more specific.
Here's my configuration.
global (outside) 1 126.96.36.199
global (outside) 2 188.8.131.52
nat (inside) 1 access-list 1
nat (inside) 2 access-list 2
access-list 1 deny ip host 10.10.10.10 any
access-list 1 permit ip any any
access-list 2 permit ip host 10.10.10.10 any
I want all workstations to translate to 184.108.40.206 except for 10.10.10.10. I want 10.10.10.10 to translate to 220.127.116.11. But when I issued show xlate, it still showed that 10.10.10.10 is translated to 18.104.22.168.
I issued show access-list 1 and I can see that the line with the deny statement is being hit because the hit count increments. When I issued show access-list 2, that one line is not being hit. But still, 10.10.10.10 is being translated to 22.214.171.124. =(