question about NAT on Firewall

cisco24x7
Level 6

I do not have a Pix firewall to test at the moment, so I am going to ask the experts in the forum if this is possible:

I have a host on the "inside" interface with an ip address of 192.168.3.10

Pix firewall "inside" ip address is 192.168.3.1/28

Pix firewall "outside" ip address 1.1.1.1/28

Pix firewall default gateway is 1.1.1.14

I have the following in the configuration:

static (inside,outside) 1.1.1.10 192.168.3.10 netmask 255.255.255.255 dns

access-list External permit ip any any log

access-list Internal permit ip any any log

access-group External in interface outside

access-group Internal in interface inside

Now here are my requirements:

1- Internet users will get to this host via 1.1.1.10,

2- telnet, ssh and smtp traffic originating from host 192.168.3.10 going to 64.100.1.0/24 and 192.95.25.0/24 will be NATted to 1.1.1.10,

2- telnet, ssh and smtp traffic originating from host 192.168.3.10 going to ANY will be NATted to the Pix firewall's external interface (1.1.1.1),

3- http and https traffic originating from host 192.168.3.10 going to 72.1.100.0/24 will be NATted to 1.1.1.10,

4- http and https traffic originating from host 192.168.3.10 going to ANY will be NATted to the firewall's external interface (1.1.1.1).

Is this possible? If so, how?

Thanks.

16 Replies

acomiskey
Level 10

That's a tough one. Hope I got this right.

access-list 100 permit tcp host 192.168.3.10 any eq 23

access-list 100 permit tcp host 192.168.3.10 any eq 22

access-list 100 permit tcp host 192.168.3.10 any eq 25

access-list 100 permit tcp host 192.168.3.10 any eq 80

access-list 100 permit tcp host 192.168.3.10 any eq 443

access-list 101 permit ip host 192.168.3.10 any

static (inside,outside) 1.1.1.1 access-list 100

static (inside,outside) 1.1.1.10 access-list 101

Here are my revised requirements:

1- Internet users will get to this host via 1.1.1.10,

2- telnet, ssh and smtp traffic originating from host 192.168.3.10 going to 64.100.1.0/24 and 192.95.25.0/24 will be NATted to 1.1.1.10,

2- telnet, ssh and smtp traffic originating from host 192.168.3.10 going to ANY will be NATted to the Pix firewall's external interface (1.1.1.1),

3- http and https traffic originating from host 192.168.3.10 going to 72.1.100.0/24 will be NATted to 1.1.1.10,

4- http and https traffic originating from host 192.168.3.10 going to ANY will be NATted to the firewall's external interface (1.1.1.1).

5- Internet users from sources 6.7.8.0/24 and 4.3.2.0/24 accessing http and https on IP address 1.1.1.1 will be redirected to host 192.168.3.10 on http and https.

I can do all this with a Checkpoint firewall in about 5 minutes and it works on the first attempt.

I am struggling to get this to work on the Cisco firewall.

Any takers on this one?

Hi David,

You can solve it by using policy NAT. Policy NAT/PAT translates the IP address of the packets passing through the security appliance only if those packets match the configured criterion or policy. The policy is defined by using ACLs. The ACL matches traffic against the source and the destination IP addresses.

So for your case you need the following lines:

access-list 100 permit tcp host 192.168.3.10 72.1.100.0 255.255.255.0 eq 80

access-list 100 permit tcp host 192.168.3.10 72.1.100.0 255.255.255.0 eq 443

access-list 101 permit tcp host 192.168.3.10 any eq telnet

access-list 101 permit tcp host 192.168.3.10 any eq 22

access-list 101 permit tcp host 192.168.3.10 any eq smtp

access-list 101 permit tcp host 192.168.3.10 any eq 80

access-list 101 permit tcp host 192.168.3.10 any eq 443

access-list 102 permit tcp host 192.168.3.10 6.7.8.0 255.255.255.0 eq 80

access-list 102 permit tcp host 192.168.3.10 6.7.8.0 255.255.255.0 eq 443

access-list 102 permit tcp host 192.168.3.10 4.3.2.0 255.255.255.0 eq 80

access-list 102 permit tcp host 192.168.3.10 4.3.2.0 255.255.255.0 eq 443

nat (inside) 2 access-list 101

global (outside) 2 interface

static (inside,outside) 1.1.1.10 access-list 101

static (inside,outside) 1.1.1.1 access-list 102

static (inside,outside) 1.1.1.10 192.168.3.10 netmask 255.255.255.255

Good luck.

If helpful, rate.

Hi Marwanshawi,

Thank you and others for the suggestion. However, I have doubts about the following lines:

static (inside,outside) 1.1.1.10 access-list 101

static (inside,outside) 1.1.1.1 access-list 102

static (inside,outside) 1.1.1.10 192.168.3.10 netmask 255.255.255.255

Can you actually enter these 3 lines into the Pix configuration?

What software version?

Marwan ALshawi
VIP Alumni

An administrator allows the real source IP address (192.168.10.190) to be changed to 209.165.200.227 only if traffic is destined for 209.165.201.10. The same static entry will also change the destination address from 209.165.200.227 to 192.168.10.190 if traffic is sourced from host 209.165.201.10.

Example 5-40. Configuration of Static Policy NAT

Chicago(config)# access-list static_NAT extended permit ip host 192.168.10.190 host 209.165.201.10

Chicago(config)# static (inside,outside) 209.165.200.227 access-list static_NAT

Source is Cisco Press, Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance, 2005.

If your Pix is 7.x this concept applies.

Hope this is helpful.

There are two more important things:

First, you need to make the permit ACL for all inbound traffic going to 1.1.1.1 or 1.1.1.10.

Then, after finishing the NAT and ACL config, reload your firewall to let the policy NAT take effect.

Good luck :)

Marwan,

Could you explain the following. The poster asked the following:

5- Internet users from sources 6.7.8.0/24 and 4.3.2.0/24 accessing http and https on IP address 1.1.1.1 will be redirected to host 192.168.3.10 on http and https.

Notice he says traffic is originating from 6.7.8.0/24 and 4.3.2.0 to 1.1.1.1. Therefore I don't see how this would work:

access-list 102 permit tcp host 192.168.3.10 6.7.8.0 255.255.255.0 eq 80

access-list 102 permit tcp host 192.168.3.10 6.7.8.0 255.255.255.0 eq 443

access-list 102 permit tcp host 192.168.3.10 4.3.2.0 255.255.255.0 eq 80

access-list 102 permit tcp host 192.168.3.10 4.3.2.0 255.255.255.0 eq 443

static (inside,outside) 1.1.1.1 access-list 102

Hi Adam,

Good question. If you look at the paragraph I posted above from Cisco Press, which has the following (which is an example from Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance, 2005):

An administrator has defined a policy to translate the source IP address to 209.165.200.226 if the packets originate from 192.168.10.10 and are destined for 209.165.201.1. Similarly, if the packets are sourced from 192.168.10.10 and destined for 209.165.201.2, the security appliance will change the source IP address to 209.165.200.227.

Thus, the ACL represents a two-way path. In this case, if we make the ACL like access-list 102, that means it will include http/https traffic from 192.168.10.3 to 6.7.8.0/24, 4.3.2.0/24 and vice versa :)

And this is the benefit of ACLs with NATing.

Thank you.

If helpful, rate.
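As an added example, not posted by anyone in this thread, here is a Python model of the poster's requirements written the way PIX policy NAT matches them: an ordered table of (ports, destination networks, mapped address) from the inside host's perspective, with first match winning, plus the static entries looked up in reverse for inbound connections, which is the two-way behaviour discussed above. The table layout and function names are my own construction.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the requirements. Each entry reads like a policy ACL line:
# (tcp ports, destination networks, mapped outside address). First match wins,
# so entries with specific destinations must precede the "any" entries.
REAL_HOST = ip_address("192.168.3.10")
ANY = ip_network("0.0.0.0/0")
OUTBOUND_POLICY = [
    ({23, 22, 25}, [ip_network("64.100.1.0/24"), ip_network("192.95.25.0/24")], "1.1.1.10"),  # req 2
    ({23, 22, 25}, [ANY], "1.1.1.1"),                                                      # req 2 (ANY)
    ({80, 443}, [ip_network("72.1.100.0/24")], "1.1.1.10"),                                 # req 3
    ({80, 443}, [ANY], "1.1.1.1"),                                                          # req 4
]
# Static policy entries are two-way: an outside host in the ACL destination may also
# initiate a connection to the mapped address and reach the real host.
STATIC_POLICY = [
    ({80, 443}, [ip_network("6.7.8.0/24"), ip_network("4.3.2.0/24")], "1.1.1.1"),          # req 5
    (None, [ANY], "1.1.1.10"),                                                             # req 1
]


def outbound_mapped_source(src, dst, dport, policy=OUTBOUND_POLICY):
    """Translated source address for a connection from the inside host.

    None means no policy entry matched (the ordinary nat/global rules would decide).
    """
    if ip_address(src) != REAL_HOST:
        return None
    for ports, nets, mapped in policy:
        if dport in ports and any(ip_address(dst) in n for n in nets):
            return mapped
    return None


def inbound_real_destination(src, dst, dport, policy=STATIC_POLICY):
    """Real inside address reached by an outside connection to a mapped address.

    The policy ACL is evaluated with source and destination swapped, as the
    appliance does for the return/inbound direction of a static policy entry.
    """
    for ports, nets, mapped in policy:
        if dst == mapped and (ports is None or dport in ports) \
                and any(ip_address(src) in n for n in nets):
            return str(REAL_HOST)
    return None
```

Passing a reversed copy of OUTBOUND_POLICY to outbound_mapped_source shows why order matters: the "any" entry then shadows the 72.1.100.0/24 entry and http to that network leaves as 1.1.1.1 instead of 1.1.1.10.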

Marwanshawi,

Basically, you're speculating this. Have you tried my requirements in the lab and verified that it works?

Thank you.

No, I haven't, but the fact is like this, mate.

You can try it.

Otherwise, if you have another way it will be great to know.

And if you think about it, it is a very reasonable method, because in general an ACL with NATing on ASA, PIX and FWSM works TWO WAY!!!

Thank you.

Hi Marwan,

The reason I asked is because the following configuration looks very suspicious:

static (inside,outside) 1.1.1.10 access-list 101

static (inside,outside) 1.1.1.1 access-list 102

static (inside,outside) 1.1.1.10 192.168.3.10 netmask 255.255.255.255

I think you will get errors with this configuration.

I would like to try it out if I had a Pix handy, but I do not. I can't try this on the production Pix either.

OK, I think about this you may get an error:

static (inside,outside) 1.1.1.10 192.168.3.10 netmask 255.255.255.255

If you do, try this workaround.

As long as you want any traffic coming to 1.1.1.10 to go to 192.168.3.10:

Create an ACL, let's say ACL 103.

Deny all traffic permitted in ACL 101 and 102, then permit any.

And make it like:

static (inside,outside) 1.1.1.10 access-list 103

This way all other traffic not included in both ACLs going to 1.1.1.10 will be translated to 192.168.3.10, which is your required point for the internet traffic going to that address.

Good luck.
