Cisco Support Community


Pix v7 - question about NAT exemption

1) I added the following commands to the PIX to allow PAT and everything works fine, i.e. hosts from inside to outside get PATed to X.X.X.X:

nat (inside) 1 access-list NAT_Internet
global (outside) 1 X.X.X.X netmask 255.255.255.255
access-list NAT_Internet extended permit ip host 10.0.0.70 any
access-list NAT_Internet extended permit ip 10.0.1.0 255.255.255.0 any

2) After that I can no longer connect to or receive traffic from inside to network 10.0.4.0 on interface Mgt. Errors from syslog:

%PIX-3-305006: portmap translation creation failed for tcp src inside:10.0.1.138/1070 dst Mgt:10.0.4.8/22
%PIX-3-305005: No translation group found for udp src Mgt:10.0.4.8/53557 dst inside:10.0.0.70/514

Interface  Name     Security
Ethernet0  outside  0
Ethernet1  inside   100
Ethernet2  Mgt      90

3) The problem was fixed after I added NAT exemption as follows:

nat (inside) 0 access-list EXEMPT_NAT
access-list EXEMPT_NAT extended permit ip host 10.0.0.70 10.0.4.0 255.255.255.0
access-list EXEMPT_NAT extended permit ip 10.0.1.0 255.255.255.0 10.0.4.0 255.255.255.0

I read about NAT exemption, but can someone clarify the following for me?

My first nat/global was meant to PAT only traffic from inside to outside, so why do I need to add NAT exemption for traffic to interface Mgt?

What would have happened if I had used NAT identity instead?

3 REPLIES

Re: Pix v7 - question about NAT exemption

If you look carefully at your access-list NAT_Internet, you have allowed for all destinations. Hence, traffic from inside to any gets PATed to the outside IP (because it will be matched in the nat (inside) 1 statement).

So you will have to be specific about the traffic that need not be PATed.


Re: Pix v7 - question about NAT exemption

Referring to the command

"global (outside) 1 X.X.X.X netmask 255.255.255.255 "

Doesn't it mean NATting traffic destined for the outside interface only? If not, what is the purpose of the "outside" keyword in the command?


Re: Pix v7 - question about NAT exemption

Essentially, the firewall must have some sort of translation to refer to, whether it is to NAT or not to NAT. In order for a lower security interface to communicate with a higher security interface, we need to tell the PIX not to NAT packets between these interfaces, i.e. to leave all original source/destination information intact.

Your access list that denies NAT between inside and Mgt is one way to accomplish this. You could also perform this with the following static (you still need an access list to allow the traffic you desire from Mgt to inside).

static (inside,mgt) 10.0.1.0 10.0.1.0 255.255.255.0

The statement above maintains the original source address. It seems obscure, yes. It essentially tells the PIX to NAT, but to replace the original source IP with the same IP.

Specific to your question, your Global statement refers only to outside, and is not applied to Mgt. Inside to outside is different and independent from inside to Mgt.

Jamison
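To make the two replies concrete, here is an added Python model of the PIX 7 NAT lookup order, built from the configuration and syslog lines in the question; it is example code, not Cisco's or anyone in the thread's, and it simplifies (address selection only, no ports or nat-control settings). The Internet destination 192.0.2.10 is a constructed example; X.X.X.X is kept as the placeholder the poster used.

```python
import ipaddress

# ACLs from the post, as (source, destination) prefixes; "any" is 0.0.0.0/0.
NAT_INTERNET = [("10.0.0.70/32", "0.0.0.0/0"), ("10.0.1.0/24", "0.0.0.0/0")]
EXEMPT_NAT = [("10.0.0.70/32", "10.0.4.0/24"), ("10.0.1.0/24", "10.0.4.0/24")]
# global (outside) 1 X.X.X.X; the placeholder address is kept as in the post.
GLOBALS = {("outside", 1): "X.X.X.X"}

def acl_matches(acl, src, dst):
    """True if any ACE permits src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in acl)

def lookup_source(nat_rules, global_pools, src_if, dst_if, src, dst):
    """Source address the PIX would forward with, or the syslog ID it logs.

    nat_rules: list of (interface, nat_id, acl) from `nat (iface) id access-list`;
    nat_id 0 is NAT exemption. global_pools: {(iface, nat_id): address}.
    """
    # NAT exemption is checked first and is bidirectional, so an exemption on
    # the destination interface matches with src/dst swapped (Mgt -> inside).
    for iface, nat_id, acl in nat_rules:
        if nat_id == 0 and ((iface == src_if and acl_matches(acl, src, dst)) or
                            (iface == dst_if and acl_matches(acl, dst, src))):
            return src  # original source kept intact
    # Then dynamic NAT/PAT: the ACL selects the traffic, but the address comes
    # from a global on the *egress* interface; none exists for Mgt.
    for iface, nat_id, acl in nat_rules:
        if iface == src_if and nat_id != 0 and acl_matches(acl, src, dst):
            return global_pools.get((dst_if, nat_id), "%PIX-3-305006")
    return "%PIX-3-305005"  # no translation group found at all

BEFORE_FIX = [("inside", 1, NAT_INTERNET)]
AFTER_FIX = [("inside", 0, EXEMPT_NAT), ("inside", 1, NAT_INTERNET)]

if __name__ == "__main__":
    for label, rules in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        # flows taken from the two syslog lines in the post, plus one to the
        # Internet (192.0.2.10 is a constructed example destination)
        for flow in (("inside", "Mgt", "10.0.1.138", "10.0.4.8"),
                     ("Mgt", "inside", "10.0.4.8", "10.0.0.70"),
                     ("inside", "outside", "10.0.1.138", "192.0.2.10")):
            print(label, flow, "->", lookup_source(rules, GLOBALS, *flow))
```

Before the fix the inside-to-Mgt flow matches nat (inside) 1 but finds no global on Mgt, and the Mgt-to-inside flow matches nothing; after the fix both are exempted while inside-to-outside still PATs to X.X.X.X.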
