Pix - Policy NAT and H.323 protocol fixup

m.laporta
Level 1

H.323 net (10.0.0.?) --(in)PIX(out)-- netw A and W

Hi Experts.

In the scenario drawn above, I need the H.323 network on the inside to appear as two different networks on the outside, fixing up the H.323 protocol.

In other words, I need the H.323 network (10.0.0.?) to appear:

- as network a.b.c.? to network A.B.C.D, and

- as network w.x.y.? to network W.X.Y.Z

I'm going to implement the following Pix configuration (PixOS 6.3):

!

!statements 1

static (inside, outside) a.b.c.d1 access-list GK-TO-NET-A

static (inside, outside) a.b.c.d2 access-list GW-TO-NET-A

access-list GK-TO-NET-A permit ip host 10.0.0.1 A.B.C.D <mask1>

access-list GW-TO-NET-A permit ip host 10.0.0.2 A.B.C.D <mask1>

!

!statements 2

static (inside, outside) w.x.y.z1 access-list GK-TO-NET-W

static (inside, outside) w.x.y.z2 access-list GW-TO-NET-W

access-list GK-TO-NET-W permit ip host 10.0.0.1 W.X.Y.Z <mask2>

access-list GW-TO-NET-W permit ip host 10.0.0.2 W.X.Y.Z <mask2>

!

fixup protocol h323 h225

fixup protocol h323 ras

!

As far as I understand, the Policy NAT feature will translate traffic destined for the A.B.C.D network from 10.0.0.1 as a.b.c.d1,

and traffic destined for the W.X.Y.Z network from host 10.0.0.1 as w.x.y.z1.

In notation:

[SA=10.0.0.1; DA=A.B.C.?] (in) >>>>> (out)[SA=a.b.c.d1; DA=A.B.C.?]

[SA=10.0.0.2; DA=A.B.C.?] (in) >>>>> (out) [SA=a.b.c.d2; DA=A.B.C.?]

[SA=10.0.0.1; DA=W.X.Y.?] (in) >>>>> (out) [SA=w.x.y.z1; DA=W.X.Y.?]

[SA=10.0.0.2; DA=W.X.Y.?] (in) >>>>> (out) [SA=w.x.y.z2; DA=W.X.Y.?]

Now, I have 3 questions for you:

Q1.

Did I understand the Policy NAT feature correctly?

Q2.

If answer to Q1 is yes, does the reverse hold *for connections initiated from the outside*, that is:

[SA=A.B.C.?; DA=a.b.c.d1] (out) >>>>> (in) [SA=A.B.C.?; DA=10.0.0.1]

[SA=A.B.C.?; DA=a.b.c.d2] (out) >>>>> (in) [SA=A.B.C.?; DA=10.0.0.2]

[SA=W.X.Y.?; DA=w.x.y.z1] (out) >>>>> (in) [SA=W.X.Y.?; DA=10.0.0.1]

[SA=A.B.C.?; DA=w.x.y.z2] (out) >>>>> (in) [SA=W.X.Y.?; DA=10.0.0.1]

Q3.

If 10.0.0.1 (H.323 Gatekeeper) returns IP address 10.0.0.2 (H.323 Gateway) in an LCF RAS message when queried with an LRQ, will the Pix apply statements 1 and statements 2 *on the same packet* and transform the LCF message as follows:

LRQ: [SA=A.B.C.?; DA=a.b.c.d1](H.323 LRQ: looking for number=1234) (outside) >>>>> (inside) [SA=A.B.C.?; DA=10.0.0.1](H.323 LRQ: looking for number=1234)

LCF: [SA=10.0.0.1; DA=A.B.C.?](H.323 LCF: for 1234, use GW 10.0.0.2) (inside) >>>>> (outside) [SA=a.b.c.d1; DA=A.B.C.?](H.323 LCF: for 1234, use GW a.b.c.d2)

LRQ: [SA=W.X.Y.?; DA=w.x.y.z1](H.323 LRQ: looking for number=1234) (outside) >>>>> (inside) [SA=W.X.Y.?; DA=10.0.0.1](H.323 LRQ: looking for number=1234)

LCF: [SA=10.0.0.1; DA=W.X.Y.?](H.323 LCF: for 1234, use GW 10.0.0.2) (inside) >>>>> (outside) [SA=w.x.y.z1; DA=W.X.Y.?](H.323 LCF: for 1234, use GW w.x.y.z2)

Thank you!

michele
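As an added example (not part of the original post, and not a verified trace of PIX 6.3 behaviour), here is a small Python model of the translation rules the four statics above describe, with constructed addresses substituted for the post's placeholders (a.b.c.?, A.B.C.D, w.x.y.?, W.X.Y.Z). The RAS part encodes what Q3 asks for, namely the embedded gateway address being rewritten by the static whose access-list matches the packet's destination, so it shows the outcome the poster expects rather than confirming it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re

@dataclass(frozen=True)
class PolicyStatic:
    """One 'static (inside,outside) <mapped> access-list <acl>' plus the ACL's
    single 'permit ip host <local> <dest_net>' line."""
    acl: str
    local: str
    mapped: str
    dest_net: str

# Constructed addresses standing in for the post's placeholders (assumption):
# a.b.c.? = 198.51.100.0/24, A.B.C.D = 203.0.113.0/24,
# w.x.y.? = 172.16.5.0/24,   W.X.Y.Z = 192.0.2.0/24.
STATICS = [  # order matters: the first matching static wins
    PolicyStatic("GK-TO-NET-A", "10.0.0.1", "198.51.100.1", "203.0.113.0/24"),
    PolicyStatic("GW-TO-NET-A", "10.0.0.2", "198.51.100.2", "203.0.113.0/24"),
    PolicyStatic("GK-TO-NET-W", "10.0.0.1", "172.16.5.1", "192.0.2.0/24"),
    PolicyStatic("GW-TO-NET-W", "10.0.0.2", "172.16.5.2", "192.0.2.0/24"),
]

def _match(local, peer):
    """Static whose ACL permits inside host `local` to the network holding `peer`."""
    for s in STATICS:
        if s.local == local and ip_address(peer) in ip_network(s.dest_net):
            return s
    return None

def outbound(src, dst):
    """Inside -> outside (Q1): rewrite the source. Returns (new_src, dst, acl) or None."""
    s = _match(src, dst)
    return (s.mapped, dst, s.acl) if s else None

def inbound(src, dst):
    """Outside -> inside connection (Q2): the mapped address is reachable only from
    the network its ACL names; anything else gets no translation (None)."""
    for s in STATICS:
        if s.mapped == dst and ip_address(src) in ip_network(s.dest_net):
            return (src, s.local, s.acl)
    return None

ADDR = re.compile(r"\d+\.\d+\.\d+\.\d+")

def outbound_ras(src, dst, payload):
    """Model of Q3: translate the header, then each inside address embedded in the
    RAS payload using the static whose ACL matches the packet's destination.
    Assumption: this is the behaviour the post asks about, not a verified PIX trace."""
    hdr = outbound(src, dst)
    if hdr is None:
        return None
    def fix(m):
        s = _match(m.group(0), dst)
        return s.mapped if s else m.group(0)
    return hdr[0], dst, ADDR.sub(fix, payload)
```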

1 Reply

nikhil_m
Level 1

Please give me an update on this; I would like to implement the same.

Thanks.
