topic Re: nat issues in Network Security

nat issues

niro — Mon, 11 Mar 2019 09:59:52 GMT

Can someone explain to me what's happening here? When I set up a static nat on my machine on the firewall I'm not able to get out to the internet, if I remove that nat and go over the global pat then everything works fine:

static (inside,outside) 172.18.10.39 10.14.2.39 netmask 255.255.255.255

FW# sh xlate | i 2.39

Global 172.18.10.39 Local 10.14.2.39

Apr 13 2007 10:04:44: %PIX-6-302020: Built ICMP connection for faddr 72.14.207.99/0 gaddr 172.18.10.39/0 laddr 10.14.2.39/0

The internet router has these lines:

ip nat inside source list 1 pool public

access-list 1 permit 172.18.10.39

Re: nat issues

JORGE RODRIGUEZ — Fri, 13 Apr 2007 16:24:22 GMT

hi, what are you trying to accomplish.. do you want to have public inbound connections to connect to your local machine.

it seems you are applying the static nat for outside interface using a private ip block 172.18.x.x instead of a public IP address.

usually:

static (inside,outside) publicIP localIP netmask 255.255.255.255 0 0

then your access list to permit inbound connections.

For outbound internet your static NAT which is your public IP should get you internet outbound connections.

Re: nat issues

niro — Fri, 13 Apr 2007 17:42:52 GMT

yea the firewall is natting to another private block which is our dmz...the router then nats it to a public ip with ip nat inside source list 1 pool public.

List 1 includes both the static nat I created on the firewall and the pat.

really the only reason I want to do this is to tftp configs from the dmz equipment to my machine. I got it working using a policy nat but I'm just wondering why the the static nat I set up earlier wasn't working properly.

Re: nat issues

niro — Mon, 16 Apr 2007 12:25:42 GMT

Can anybody shed some light on why that setup wasn't working?

Re: nat issues

tcscadmin — Mon, 16 Apr 2007 15:14:18 GMT

Let's see if I understand the topology here. You have an "internet router." That nats a pool of addresses to one host. That router connects the your PIX. This PIX is generally configured for PAT on the outside interface of 172.18.10.39.

When you add the static command, connectivity to the Internet from 10.14.2.39 should work.

But any other host inside that PIX going out to the WWW will not. Always remember that a static command trumps a dynamic in ASA world. It trumps any NAT rules in any ID number. It also trumps NAT 0 rules IIRC.

So what you need to do is do a Static PAT not Static NAT.

This is how it would look if 10.14.2.39 were a Web server.

static (inside,outside) tcp 172.18.10.39 80 10.14.2.39 80. Just pick one port though per Static PAT entry.

Use this in conjuction with your existing dynamic PAT rules.

Re: nat issues

niro — Mon, 16 Apr 2007 16:05:00 GMT

right...here is the topology:

insidenet - pix - dmz - router - internet

But...I do have a pat already...

global (outside) 1 172.18.10.100

nat (inside) 1 10.14.2.0 255.255.255.0

Everything works fine...however, when I add this line:

static (inside,outside) 172.18.10.39 10.14.2.39 netmask 255.255.255.255

All the other ip's still work obviously...but from 10.14.2.39 I can't access the internet anymore. The router translates both 172.18.10.39 and 172.18.10.100 to our public internet IP, and I verified that it has the right translations.

I did a ping test and I see the pings coming back in the logs:

Apr 13 2007 10:04:44: %PIX-6-302020: Built ICMP connection for faddr 72.14.207.99/0 gaddr 172.18.10.39/0 laddr 10.14.2.39/0

I noticed the port numbers are all 0's...when I do a ping test going over the pat it's right:

Apr 16 2007 11:48:35: %PIX-6-302020: Built ICMP connection for faddr 64.233.167.

99/0 gaddr 172.18.10.100/5050 laddr 10.14.2.39/512

Based on the setup and the nat pool on the router the 172.18.10.39 nat should still work...

Re: nat issues

tcscadmin — Mon, 16 Apr 2007 16:49:51 GMT

What logical network is configured in the DMZ network? Where does 10.14.2.39 connect physically?

Re: nat issues

niro — Mon, 16 Apr 2007 16:51:00 GMT

10.14.2.x/24 is internal and 172.18.10.x/24 is the DMZ

Re: nat issues

tcscadmin — Mon, 16 Apr 2007 16:55:02 GMT

Is 172.18.10.39 the outside interface of the PIX?

If so, your problem is the Internet router thinks 172.18.10.100 is directly connected to itself in the DMZ. It works in the firewall's case because the firewwall broadcasts the ARP reply for .39 but not for .100.

Re: nat issues

niro — Mon, 16 Apr 2007 17:06:12 GMT

No...the outside interface is actually 172.18.10.254

Re: nat issues

tcscadmin — Mon, 16 Apr 2007 17:09:21 GMT

ip nat inside source list 1 pool public

access-list 1 permit 172.18.10.39

access-list 1 permit 172.18.10.100

It was staring me in the face. Add 172.18.10.100 to this ACL on the Internet Router.

Re: nat issues

niro — Mon, 16 Apr 2007 17:19:49 GMT

Yea it's already there...i didn't add it to the original post because it's already working, probably should have to be more clear. 🙂

But yea it's there, 172.18.10.100 and 172.18.10.39 and I verified that both get translated to the public IP with sh ip nat trans.

The weird thing is when I add the 172.18.10.39 static nat to the firewall (and lose internet access)...I can do a tcpdump on a spanned port and I see the icmp traffic coming back to my machine...but my machine shows it as timing out. I guess I should try a to capture those packets on my machine to see what I'm getting. But I'm not sure why I'm getting those /0's in the firewall logs.