
POLICY STATIC NAT

gcocchi
Level 1

From the PIX 7.x manual I read this example:

#access-list NET1 permit ip 10.1.2.0 255.255.255.224 209.165.201.0 255.255.255.224

#static (inside,outside) 209.165.202.129 access-list NET1

I really don't know how this example works. The static NAT permits outside traffic to start a connection to the inside and vice versa.

If a client on the outside net pings IP 209.165.202.129, which server will the firewall contact?

The ACL says from 10.1.2.0 255.255.255.224 to 209.165.201.0 255.255.255.224 ... 2 nets ?!?!?

Can someone explain policy static NAT per destination to me better?

Thx.

5 Replies

haithamnofal
Level 3

Hi,

These commands mean that when network 10.1.2.0/27 accesses 209.165.201.0/27, it will be translated to 209.165.202.129/27. But in this case, be careful that the translation will match the subnet mask you used in the access-list command. If you want to translate to a single address, then you need to change the access-list to a single host IP, as follows:

Example:

access-list NET1 permit ip host 10.1.2.10 209.165.201.0 255.255.255.224

static (inside,outside) 209.165.202.129 access-list NET1

In this case, when somebody pings 209.165.202.129, he'll be pinging 10.1.2.10.

Hope it's clear now.

Regards,

Haitham

Hi,

Yes, I understand that if a workstation on 10.1.2.0/27 (inside) tries to ping a workstation on 209.165.201.0/27 (outside), it will be translated to IP 209.165.202.129.

But the manual says that policy NAT allows each side to start a connection.

In this situation, if a PC on 209.165.201.0/27 (outside) tries to ping a workstation on 10.1.2.0/27 (inside), I don't know exactly what the firewall does! I think the PIX rejects the connection ... is that true?

Thx.

Hi,

The static NAT is a bidirectional translation, which is why the manual states that each side can initiate a connection, unlike the nat and global commands, which are unidirectional. With a static translation, anyone can initiate the connection provided that the ACL allows it; since by default in PIX higher-security-level interfaces can initiate connections to lower-level zones, no ACL is required from inside to outside, but the opposite is not true. So, in order for 209.165.201.0/27 to connect to hosts in 10.1.2.0/27, you need a specific ACL permitting traffic to your internal host or subnet on the translated address.

e.g. access-list out_access_in extended permit icmp 209.165.201.0 255.255.255.224 host 209.165.202.129

access-group out_access_in in interface outside

Hope it's clear now.

Regards,

Haitham
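To make the two-step behaviour described in the replies above concrete, here is an added Python simulation (not PIX code and not part of the original thread) of the lookup the firewall performs for Haitham's second example: the host-based policy ACL NET1 with `static (inside,outside) 209.165.202.129 access-list NET1`, plus the `out_access_in` ACL applied inbound on the outside interface. It assumes the pre-8.3 PIX convention that the interface ACL matches the mapped (translated) address, and that the mapped range takes the same mask as the ACL's real network (so a /32 host maps to exactly one mapped address); the sample packets are constructed.

```python
import ipaddress

# Constructed model of the configuration discussed in this thread (assumption:
# this is a simulation of the lookup, not code from the PIX itself):
#   access-list NET1 permit ip host 10.1.2.10 209.165.201.0 255.255.255.224
#   static (inside,outside) 209.165.202.129 access-list NET1
#   access-list out_access_in extended permit icmp 209.165.201.0 255.255.255.224 host 209.165.202.129
#   access-group out_access_in in interface outside
ACL_NET1 = (
    ipaddress.ip_network("10.1.2.10/32"),      # real (inside) hosts the policy applies to
    ipaddress.ip_network("209.165.201.0/27"),  # destinations that trigger the translation
)
STATIC_MAPPED = ipaddress.ip_address("209.165.202.129")

# Interface ACL applied inbound on outside: (protocol, source net, destination net).
# Pre-8.3 PIX/ASA match the *mapped* address here, hence host 209.165.202.129.
OUT_ACCESS_IN = [
    ("icmp", ipaddress.ip_network("209.165.201.0/27"),
     ipaddress.ip_network("209.165.202.129/32")),
]


def mapped_network():
    """Assumption: the mapped range uses the same mask as the ACL's real network."""
    real_net, _ = ACL_NET1
    return ipaddress.ip_network(f"{STATIC_MAPPED}/{real_net.prefixlen}", strict=False)


def xlate_inside_to_outside(src, dst):
    """Packet leaving inside towards outside.

    No interface ACL is needed (higher security level to lower). The policy
    static only fires when BOTH the source and the destination match NET1.
    Returns the translated (src, dst) or None when the policy does not apply.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    real_net, policy_dst = ACL_NET1
    if src not in real_net or dst not in policy_dst:
        return None
    offset = int(src) - int(real_net.network_address)
    mapped = mapped_network().network_address + offset
    return (str(mapped), str(dst))


def xlate_outside_to_inside(src, dst, proto="icmp"):
    """Packet arriving on outside, initiated from the lower-security side.

    Step 1: the inbound interface ACL must permit it (checked on the mapped
    destination). Step 2: the policy static is consulted in reverse: the
    destination must be a mapped address and the source must fall inside the
    destination network of NET1, otherwise there is no xlate and the packet is
    dropped. Returns (src, real_dst) or None.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not any(p == proto and src in s and dst in d for p, s, d in OUT_ACCESS_IN):
        return None  # blocked by out_access_in
    real_net, policy_dst = ACL_NET1
    mnet = mapped_network()
    if dst not in mnet or src not in policy_dst:
        return None  # no matching policy xlate
    offset = int(dst) - int(mnet.network_address)
    return (str(src), str(real_net.network_address + offset))


if __name__ == "__main__":
    # Constructed sample packets, one per case discussed in the thread.
    print(xlate_inside_to_outside("10.1.2.10", "209.165.201.5"))   # translated
    print(xlate_inside_to_outside("10.1.2.10", "198.51.100.5"))    # dest outside policy
    print(xlate_outside_to_inside("209.165.201.5", "209.165.202.129"))  # untranslated
    print(xlate_outside_to_inside("198.51.100.5", "209.165.202.129"))   # not permitted
```

Running it shows why the original poster's "2 nets" question matters: the outside host is only ever answered if it is itself inside 209.165.201.0/27, because that network is the other half of the policy match, and only if the outside interface ACL permits the protocol to the mapped address.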

Hi,

OK! Net 209.165.201.0/27 knows exactly how to reach 10.1.2.0/27, and the PIX only translates packets between these two nets using IP 209.165.202.129.

Now it's clear.

Thx.

Good news!

Please rate the post so others can benefit from this discussion.

Regards,

Haitham