topic natting in Network Security

natting

zulqurnain — Mon, 11 Mar 2019 09:25:53 GMT

i have configured on my pix a static which will allow our partnet to access our network through the vpn tunnel like below

static (inside,outside) tcp 1.1.1.1 420 192.168.1.1 420 netmask 255.255.255.255

now he can access our network without any problem.

Question is, that is there a possibility that i can further nat 1.1.1.1 after coming inside to one specific ip address and provide access to one server e.g nat 1.1.1.1 to 192.168.1.50.

i believe it should be possible.

Re: natting

vijayasankar — Tue, 30 Jan 2007 06:52:27 GMT

Hi,

Yes. Port forwarding is possible.You can do so, as long as the ports are different.

in your example you are redirecting the traffic to port 420 on 1.1.1.1 to 192.168.1.1 on port 420.

If you want to nat a inside http server , you can do so by

redirecting the traffic to port 80 on 1.1.1.1 to 192.168.1.x on port 80.

static (inside,outside) tcp 1.1.1.1 80 192.168.1.x 80 netmask 255.255.255.255

Hope this helps.

-VJ

Re: natting

zulqurnain — Tue, 30 Jan 2007 07:14:15 GMT

so what i understood is that as long as port forwarding is there, i can do it.

but what if there is no port forwarding then what is the possibility e.g

partner is connecting to 1.1.1.1 420

accessing to 192.168.1.1

for above i have this entry present in pix

static (inside,outside) tcp 1.1.1.1 420 192.168.1.1 420 netmask 255.255.255.255

need to nat 1.1.1.1 on same port 420

i hope it's clear

Re: natting

vijayasankar — Tue, 30 Jan 2007 07:17:34 GMT

Hi,

No, that wont be possible.

You can have one association with one combination of the natip,port to a inside host inside.

-VJ

Re: natting

zulqurnain — Tue, 30 Jan 2007 08:13:26 GMT

but what about Outside NAT. won't it be possible using it

Re: natting

vijayasankar — Tue, 30 Jan 2007 09:07:13 GMT

Hi,

Let me know exactly what you are trying to achieve.

Whatever is the scenario, as stated earlier, you can only have one combination of a natip, port.

-VJ

Re: natting

zulqurnain — Tue, 30 Jan 2007 10:21:03 GMT

as i explained in my first post

i want to nat 1.1.1.1 IP address to 192.168.1.any .

i am attaching the diagram for more explanation.

Re: natting

vijayasankar — Tue, 30 Jan 2007 10:39:10 GMT

Hi,

As stated earlier, when you have used the outside ip to static nat and forward a particular port,

you can further use the same outside to redirect other ports to your inside hosts/server.

However i dont think you can use that outside ip to do a one to one NAT to another inside host.

When you have,

static (inside,outside) tcp 1.1.1.1 420 192.168.1.1 420 netmask 255.255.255.255

You can have,

static (inside,outside) tcp 1.1.1.1 80 192.168.1.2 80 netmask 255.255.255.255

But not,

static (inside,outside) 1.1.1.1 192.168.1.10 netmask 255.255.255.255

-VJ

Re: natting

zulqurnain — Tue, 30 Jan 2007 12:19:38 GMT

Thank VJ,

I got your point, but still i think my question is not clear enough. anyways here is another try to it, as you can see in the diagram i ve attached

When the server tries to establish session to 192.168.1.1 using faked IP e.g. 10.10.10.10, coming through the vpn tunnel on PIX.

Then pix should further translates his IP i.e 10.10.10.10 to e.g. IP 45.54.45.54 and then it should connect to Host IP 192.168.1.1

And when 192.168.1.1 reply back to 1.1.1.1 the PIX should change translate back 45.54.45.54 to 10.10.10.10 which 1.1.1.1 actually tried connecting to.

Hope it's clear enough.

Re: natting

vijayasankar — Tue, 30 Jan 2007 12:27:20 GMT

Hi,

Sorry...Im totally lost here on understanding your requirement.

To make this easy for me, Kindly explain me again with your diagram/ip addresses mentioned on the diagram along with your existing configuration in PIX.

-VJ

Re: natting

zulqurnain — Tue, 30 Jan 2007 17:58:10 GMT

VJ,

All i want to do is that PIX should allow Host-A to connect, then PIX should change the Host-A Source from 1.1.1.1 to 10.10.10.10 and should tell Host-A to connect to Host-B (192.168.1.1)

the same should happen when Host-B reply, Then PIX should change back 10.10.10.10 to 1.1.1.1.

In short, Traffic coming to the PIX through this tunnel from Host-A, PIX should change the source to 10.10.10.10 and should tell Host-A how to connect to Host-B as 10.10.10.10

Hope anyone can solve this.