04-04-2006 07:20 AM - edited 03-09-2019 02:30 PM
From the PIX 7.X manual I read this example:
access-list NET1 permit ip 10.1.2.0 255.255.255.224 209.165.201.0 255.255.255.224
static (inside,outside) 209.165.202.129 access-list NET1
I really don't know how this example works. The static NAT permits outside traffic to start a connection to the inside and vice versa.
If a client on the outside net pings IP 209.165.202.129, which server will the firewall contact?
The ACL says from 10.1.2.0 255.255.255.224 to 209.165.201.0 255.255.255.224 ... 2 nets ?!?!?
Can someone explain policy static NAT per destination to me better?
Thx.
04-04-2006 04:07 PM
Hi,
These commands mean that when network 10.1.2.0/27 accesses 209.165.201.0/27, it will be translated to 209.165.202.129/27. But in this case be careful that the translation will match the subnet mask you used in the access-list command. If you want to translate to a single address, then you need to change the access-list to a single host IP as follows:
Example:
access-list NET1 permit ip host 10.1.2.10 209.165.201.0 255.255.255.224
static (inside,outside) 209.165.202.129 access-list NET1
In this case, when somebody pings 209.165.202.129, he'll be pinging 10.1.2.10.
Hope it's clear now.
Regards,
Haitham
04-05-2006 02:24 AM
Hi,
Yes, I understand that if a workstation on 10.1.2.0/27 (inside) tries to ping a workstation on 209.165.201.0/27 (outside), it will be translated to IP 209.165.202.129.
But the manual says that with policy NAT each side is allowed to start a connection.
In this situation, if a PC on 209.165.201.0/27 (outside) tries to ping a workstation on 10.1.2.0/27 (inside), I don't know exactly what the firewall does! I think the PIX rejects the connection ... is that true?
Thx.
04-05-2006 11:16 AM
Hi,
The static NAT is a bi-directional translation; that is why the manual states that each side can initiate a connection, unlike the NAT and Global commands, which are uni-directional. With static translation, anyone can initiate the connection provided that the ACL allows it; since by default in PIX higher-level security interfaces can initiate connections to lower-level zones, no ACL is required from inside to outside, but the opposite is not true. So, in order for 209.165.201.0/27 to connect to hosts in 10.1.2.0/27, you need to have a specific ACL to your internal host or subnet on the translated address.
e.g. access-list out_access_in extended permit icmp 209.165.201.0 255.255.255.224 host 209.165.202.129
access-group out_access_in in interface outside
Hope it's clear now.
Regards,
Haitham
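Added illustration of the address arithmetic the two answers describe (mask-based mapping and the bidirectional, ACL-gated match). This is a Python model written for this thread, not Cisco code; it assumes, as the answer states, that the mapped address takes the ACL source mask, and uses the thread's two configurations plus the outside ACL from the last answer.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


class PolicyStatic:
    """One 'static (inside,outside) MAPPED access-list ACL' entry (model only)."""

    def __init__(self, acl_src: str, acl_dst: str, mapped: str):
        self.real_net = IPv4Network(acl_src)          # ACL source: inside hosts
        self.dst_net = IPv4Network(acl_dst)           # ACL destination: outside peers
        # Assumption (matches the answer): the mapped address takes the ACL's
        # source mask, so 209.165.202.129 with a /27 is really 209.165.202.128/27,
        # while a 'host' ACL keeps it as a single /32 address.
        self.mapped_net = IPv4Network(f"{mapped}/{self.real_net.prefixlen}", strict=False)

    @staticmethod
    def _shift(addr: IPv4Address, src: IPv4Network, dst: IPv4Network) -> IPv4Address:
        # Swap the network part, keep the host bits (host-to-host mapping).
        return IPv4Address(int(dst.network_address) + (int(addr) - int(src.network_address)))

    def outbound(self, src: str, dst: str) -> Optional[IPv4Address]:
        """inside -> outside: translate the real source when the ACL matches."""
        s, d = IPv4Address(src), IPv4Address(dst)
        if s in self.real_net and d in self.dst_net:
            return self._shift(s, self.real_net, self.mapped_net)
        return None  # this static does not apply

    def inbound(self, src: str, dst: str) -> Optional[IPv4Address]:
        """outside -> inside: static is bidirectional, so a packet for the mapped
        address is untranslated, but only from the peers named in the ACL."""
        s, d = IPv4Address(src), IPv4Address(dst)
        if s in self.dst_net and d in self.mapped_net:
            return self._shift(d, self.mapped_net, self.real_net)
        return None


def outside_permits(rules, proto: str, src: str, dst: str) -> bool:
    """Model the inbound ACL on the outside interface: the lower-security side
    needs an explicit permit, written against the MAPPED address."""
    return any(p == proto and IPv4Address(src) in IPv4Network(s)
               and IPv4Address(dst) in IPv4Network(d) for p, s, d in rules)


# The thread's /27 example and the single-host variant from the first answer.
SUBNET = PolicyStatic("10.1.2.0/27", "209.165.201.0/27", "209.165.202.129")
HOST = PolicyStatic("10.1.2.10/32", "209.165.201.0/27", "209.165.202.129")
# 'access-list out_access_in extended permit icmp 209.165.201.0 255.255.255.224 host 209.165.202.129'
OUT_ACL = [("icmp", "209.165.201.0/27", "209.165.202.129/32")]
```

With the /27 ACL a ping from 209.165.201.5 to 209.165.202.129 reaches 10.1.2.1 (host bits preserved), while the host ACL sends it to 10.1.2.10; a source outside 209.165.201.0/27 matches neither the static nor the outside ACL.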
04-06-2006 01:49 AM
Hi,
OK! Net 209.165.201.0/27 knows exactly how to reach 10.1.2.0/27, and the PIX only translates packets between these two nets with IP 209.165.202.129.
Now it's clear.
Thx.
04-06-2006 02:15 AM
Good news!
Please rate the post so others can benefit from this discussion.
Regards,
Haitham