topic Re: Cisco Pix 501 - NAT / ACL in Network Security

Cisco Pix 501 - NAT / ACL

00uxd140f5Tn1UtQn5d6 — Thu, 10 Jun 2021 21:09:51 GMT

Hi,

The Pix 501 that has been in place for quite some time acting as a firewall between two LANs

LANA - ip address outside 192.168.45.241 255.255.255.0
LANB - ip address inside 192.168.44.240 255.255.255.0

This config has worked ok as devices in each LAN have two way communication. There is a desire now for devices in LANA to be able to communicate with a gateway in LANB to reach the internet. The current access lists / NAT statements are:

access-list inside_out permit ip LANB LANA
access-list outside_in permit ip LANA LANB

nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.45.0 192.168.45.0 netmask 255.255.255.0 0 0
static (inside,outside) 192.168.44.0 192.168.44.0 netmask 255.255.255.0 0 0

I am unsure of how to make this work for clients in LANA be able to reach the gateway 192.168.44.237 in LANB and onward to the internet. I think I need to NAT any connections from LANA that are destined for the internet to be behind the inside interface address of 192.168.44.240 and ajust the access list to allow this traffic. My proposed access list would be to add:

access-list inside_out permit ip any LANA
access-list outside_in permit ip LANA any

I am unsure of how the NAT statements would need to be modified to masquerade the LANA clients behind the interface address 192.168.44.240 to be able to reach the internet.

There is an IP route for:

route inside 0.0.0.0 0.0.0.0 192.168.44.237 1

Thanks for any pointers.

Re: Cisco Pix 501 - NAT / ACL

balaji.bandi — Thu, 10 Jun 2021 21:36:57 GMT

LANA - ip address outside 192.168.45.241 255.255.255.0 - why this address required to be outside ?

is this IP address from ISP ?

Re: Cisco Pix 501 - NAT / ACL

00uxd140f5Tn1UtQn5d6 — Thu, 10 Jun 2021 21:46:16 GMT

It is just the way it has been setup. The address is not from the ISP. Internet is reachable via the gateway 192.168.44.237 which is another router.

Re: Cisco Pix 501 - NAT / ACL

balaji.bandi — Thu, 10 Jun 2021 21:51:02 GMT

what is that router, is that other router able to do NAT Translation or you like to NAT translation on PIX (12+years lost touch, but i will try see recap my knowledge here)

Re: Cisco Pix 501 - NAT / ACL

00uxd140f5Tn1UtQn5d6 — Fri, 11 Jun 2021 07:10:54 GMT

The other router is the ISP gateway. It only knows about the 192.168.44.0/24 network. I think Nat would need to be done on the Pix to masquerade 192.168.45.0/24 behind 192.168.44.240 interface address when traffic is destined for the Internet as this would be accepted by the upstream router.

Thanks.

Re: Cisco Pix 501 - NAT / ACL

balaji.bandi — Fri, 11 Jun 2021 09:13:48 GMT

if you like to do the NAT on PiX Look at the below example : (test and advise)

nat (inside) 1 192.168.44.0 255.255.255.0   
global (outside) 1 192.168.45.241

https://www.cisco.com/en/US/docs/security/pix/pix42/configuration/guide/pix42exs.html