PIX NAT and access rules

nkariyawasam
Level 1

I have a server with real IP 90.0.0.50 that is NATted to 172.20.1.1 as follows:

static (inside,outside) 172.20.1.1 90.0.0.50 netmask 255.255.255.255 0 0

If I want to allow the 172.20.7.0 network to access the server network, what is the correct IP to define as the destination (real or global)?

That is ,

(1). access-list outside_access_in permit ip 172.20.7.0 255.255.255.0 90.0.0.0 255.0.0.0 OR

(2). access-list outside_access_in permit ip 172.20.7.0 255.255.255.0 172.20.1.0 255.255.255.0 ?

5 Replies

nihal.akbulut
Level 1

Hi,

I'm a little confused about your config. Where is your server exactly?

The static command you wrote means: host 90.0.0.50 is on the inside, and NAT this address to 172.20.1.1 when it's going out. It doesn't make sense to me. If your server is inside and it has the address 172.20.1.1, you have to write the static command like this:

static (inside,outside) 90.0.0.50 172.20.1.1 0 0

This command makes your server reachable from the outside (you also have to permit them with an access-list). To permit the outside users to reach that server you have to use the real address in your ACL, because they know your server as 90.0.0.50.

I assume that your 172.20.7.0 network is also inside. Actually, the traffic between this network and your server doesn't need to go through the PIX; you can keep them talking inside. If you send the config of your PIX and the topology of your network, I can help more.

Also, the links below are very useful for understanding traffic through the PIX:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009402f.shtml

I hope I didn't totally misunderstand. ;)

Regards.

Hi,

Many thanks for the detailed reply. But my network is a little different than you explained.

The server's real address is 90.0.0.50 (a legacy application installed long ago). Since we cannot make any application changes, we are NATting it to 172.20.1.1.

The server is inside the firewall and the client network 172.20.7.0 is outside the firewall (i.e. the firewall is sitting between the client and the server).

I was confused as to what address should be specified in the ACL for the server (real or NATted).

I defined ACL as

access-list outside_access_in permit ip 172.20.7.0 255.255.255.0 90.0.0.0 255.0.0.0

but after applying it, the clients in the 172.20.7.0 network could not access the server. Therefore the other option is to define:

access-list outside_access_in permit ip 172.20.7.0 255.255.255.0 172.20.1.0 255.255.255.0

Any ideas ?

Can you elaborate in more detail?

In my opinion, I choose the first one, and

you must configure a route which points to the network 172.20.1.0/24.

Can you get my idea?

MSN:foxpreacher@hotmail.com

access-list outside_access_in permit ip 172.20.7.0 255.255.255.0 172.20.1.0 255.255.255.0 will permit traffic from 172.20.7.0/24 to 172.20.1.0/24, so for your scenario this is the correct way to do it. You need to target the translated address rather than the real one.

Yes, the correct one is to use the NATted one, because the outside world knows your server as 172.20.1.1. Did you try this access-list? If it doesn't work, it may be because of another access-list on the inside interface. Do you have an ACL on the inside interface?
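As an added example (not part of this thread and not Cisco code), the following hypothetical Python model walks one client packet through the pre-8.3 PIX inbound order that decides the question above: the ACL bound to the outside interface is evaluated against the addresses as they appear on that interface, where the server is 172.20.1.1, and only a permitted packet is then un-translated by the static to 90.0.0.50. The static and the two candidate ACLs are the thread's own; the client address 172.20.7.10, the tighter `host 172.20.1.1` variant and every function and constant name are assumptions made for this example.

```python
"""Model of the pre-8.3 PIX inbound packet path: interface ACL first, then static NAT.

Hypothetical simulator written for this thread; it is not Cisco code. It models only
the two pieces the thread is about, 'static (inside,outside)' and an 'access-list'
applied inbound on the outside interface, and ignores routing, connection state and ports.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Static:
    """static (real_ifc,mapped_ifc) mapped_ip real_ip netmask 255.255.255.255"""
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str


@dataclass(frozen=True)
class AclEntry:
    """access-list NAME permit|deny ip SRC SRCMASK DST DSTMASK (PIX ACLs use netmasks, not wildcards)."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def net(addr: str, mask: str = "255.255.255.255") -> ipaddress.IPv4Network:
    """Turn PIX-style 'address netmask' into a network; the default mask is the 'host' keyword."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def acl_permits(acl: List[AclEntry], src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for entry in acl:
        if src in entry.src and dst in entry.dst:
            return entry.action == "permit"
    return False


def untranslate(statics: List[Static], in_ifc: str, dst: ipaddress.IPv4Address) -> Optional[str]:
    """For a packet arriving on the mapped interface, return the real address behind the static (or None)."""
    for s in statics:
        if s.mapped_ifc == in_ifc and dst == ipaddress.IPv4Address(s.mapped_ip):
            return s.real_ip
    return None


def inbound_packet(statics: List[Static], acl: List[AclEntry], in_ifc: str,
                   src: str, dst: str) -> Tuple[bool, Optional[str]]:
    """Pre-8.3 order for traffic entering `in_ifc`: the interface ACL is checked against the
    addresses as they appear on that interface (the mapped/global address of the server), and
    only a permitted packet is then un-translated by the static. Returns (permitted, real_dst)."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if not acl_permits(acl, src_ip, dst_ip):
        return False, None
    return True, untranslate(statics, in_ifc, dst_ip)


# The thread's static: real 90.0.0.50 on inside, presented as 172.20.1.1 on outside.
STATICS = [Static("inside", "outside", mapped_ip="172.20.1.1", real_ip="90.0.0.50")]

# Option (1): destination written with the real address.
ACL_REAL = [AclEntry("permit", net("172.20.7.0", "255.255.255.0"), net("90.0.0.0", "255.0.0.0"))]
# Option (2): destination written with the mapped address.
ACL_MAPPED = [AclEntry("permit", net("172.20.7.0", "255.255.255.0"), net("172.20.1.0", "255.255.255.0"))]
# Tighter variant of (2), an assumption for this example: only the one translated host ('host 172.20.1.1').
ACL_HOST = [AclEntry("permit", net("172.20.7.0", "255.255.255.0"), net("172.20.1.1"))]

CLIENT = "172.20.7.10"        # constructed client address inside the outside network 172.20.7.0/24
SERVER_MAPPED = "172.20.1.1"  # what the clients know the server as


def compare_options() -> dict:
    """Send the same client->server packet through each ACL; returns {name: (permitted, real_dst)}."""
    return {
        name: inbound_packet(STATICS, acl, "outside", CLIENT, SERVER_MAPPED)
        for name, acl in (("real", ACL_REAL), ("mapped", ACL_MAPPED), ("host", ACL_HOST))
    }


if __name__ == "__main__":
    for name, (ok, real) in compare_options().items():
        verdict = "permit" if ok else "DENY  "
        print(f"ACL written with {name:6} address: {verdict}", f"-> real {real}" if ok else "")
```

Running it shows option (1) denied and option (2) permitted, and also that the /24 in option (2) admits traffic to other 172.20.1.x addresses that have no static behind them; `host 172.20.1.1` is the least-privilege form, and replacing `ip` with the application's actual ports tightens it further. The order modelled here is the PIX/pre-8.3 one; on ASA 8.3 and later, interface ACLs are written against real addresses, so there the destination would be 90.0.0.50 instead.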
