topic Policy NAT in Network Security

Policy NAT

samuel_yip — Mon, 11 Mar 2019 09:11:00 GMT

Hi,

I have an situation with Policy NAT. I need to configure such that

1. client (outside) from 192.168.28.0 255.255.255.0 to global addr 10.1.1.1 will be translated to inside 172.16.1.1

2. client (outside) from 192.168.30.0 255.255.255.0 to global addr 10.1.1.1 will be translated to inside 172.16.1.2

I tried to use the following config but was reject but the PIX (7.2)

pix(config) access-list NET1 permit ip host 172.16.1.1 192.168.28.0 255.255.255.0

pix(config) access-list NET1 permit ip host 172.16.1.2 192.168.30.0 255.255.255.0

static (inside,outside) 10.1.1.1 access-list NET1.

the error I received was:

ERROR: access-list used in static has different local addresses

Anyone can advise if this config is possible?

Re: Policy NAT

cbeswick — Tue, 19 Dec 2006 10:46:16 GMT

Im not 100% sure about this, but if your natting from the outside in shouldn't your static command be:

static(outside,inside) 10.1.1.1 access-list NET1 ?

The static command has to be done in order of "pre nat" interface then "post nat" interface, this may not necessarily be inside then outside.

Re: Policy NAT

samuel_yip — Tue, 19 Dec 2006 12:49:30 GMT

I think nothing wrong with the natting.

Pls check out

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/firewall/cfgnat.htm#wp1042553

Under the Policy static nat, you will find the config similar to what I have configured. But I need more than to create an addition static entry for another inside host.

Re: Policy NAT

jgervia_2 — Wed, 20 Dec 2006 03:22:07 GMT

Hello CCIE,

Your issue is that statics are set up as followed:

static (real interface, mapped interface) mapped IP address, real ip address

When using an access list, it goes

static (real interface, mapped interface) mapped IP address, access-list defining real ip address traffic.

In your case, you access-list would be incorrect:

access-list NET1 permit ip 192.168.28.0 255.255.255.0 host 10.1.1.1

access-list NET2 permit ip 192.168.30.0 255.255.255.0 host 10.1.1.1

Which defines the real traffic (access-list is evaluated first before nat)

As well as your static being backwards:

static (real, mapped) mapped real

static (outside,inside) 172.16.1.1 access-list NET1

static (outside,inside) 172.16.1.2 access-list NET2

because technically, the 'mapped' ip address is on the inside

Assuming that your statements number 1 and 2 above, are correct, as summarized below:

192.168.28.0/24 going to 10.1.1.1 --> src address of 192.168.28.0/24 gets translated to 172.16.1.1

192.168.30.0/24 going to 10.1.1.1 --> src address of 192.168.30.0/24 gets translated to 172.16.1.2

Giving cbeswick some points, because he was technically correct, your static statement was backwards from what you stated your requirements were in 1. and 2.

As always, do a 'clear xlate' after making nat changes so that they can be rebuilt properly

--Jason

Please rate this message if it solved some or all of your issue.

Re: Policy NAT

samuel_yip — Wed, 20 Dec 2006 06:21:37 GMT

Hi Jason,

You do not understand my requirement. If is so simple, I will not need to post it. I don't get CCIE for nothing. Btw, I prefer u address me as Samuel.

I need to translated the destination address when clients source from 192.168.28.0/24 access global addr 10.1.1.1, which means 10.1.1.1 will be translated to 172.16.1.1 and not the client ip.

If I need to translate the source, nat outside or static outside will have serve my purpose.

Sorry if you misunderstand my requirement, no points for you.

Thanks for putting in the efforts.

Rdgs

Samuel

Re: Policy NAT

john.stephens — Wed, 20 Dec 2006 15:16:22 GMT

Samuel,

It seems like others are on the right track, but that we aren't fully understanding what you really need to accomplish here. I might not be understanding it either, but I'm going to give it a shot anyway.

Traffic is initiated from the outside subnets of 192.168.28.0 and 192.168.30.0. These are the source IP's and you do not need to do any source NAT. Correct so far? You do need to translate both destinations 172.16.1.1 and 172.16.1.2 to the same global address of 10.1.1.1, according to how it matches the access-list. If I'm still correct, the problem with this is going to be if traffic from the 192.168.28.0 and 192.168.30.0 both try to establish connections at the same time, I believe only one of the static translations will be built. The configuration you have going so far is for policy static NAT, not policy static PAT. This is what I think the commands should be so far,

static (inside,outside) 10.1.1.1 access-l NET1

access-l NET1 permit ip 192.168.28.0 255.255.255.0 host 172.16.1.1

access-l NET1 permit ip 192.168.30.0 255.255.255.0 host 172.16.1.2

I don't think this will work for simultaneous inbound connections, the PIX will build the first translation that matches the access-list and 10.1.1.1 will be persistently translated to only 1 internal IP until the translation is torn down. Using static PAT in your configuration will allow the single global to map to the different internals, but then you won?t be able to define a policy to match. Will the inbound connections for 172.16.1.1 and 172.16.1.2 being using the same service ports? If not, they you could go back to the simpler configuration of something like this to make it use the PAT translation and utilize access-list to control the access.

static (inside,outside) tcp 10.1.1.1 www 172.16.1.1 www

static (inside,outside) tcp 10.1.1.1 https 172.16.1.2 https

I really don't think this was your goal, but it's the only way I could image it might work. If I?m wrong here and someone finds a config that will make this work, with policy nat, it will interesting to learn about.