topic pix nat problem in Network Security

pix nat problem

mickyq — Tue, 12 Mar 2019 04:02:36 GMT

Hi Guys

ive created a policy nat on a pix 515E.

Im trying to nat a group of ip's from the outside to a pat on the inside.

I can see packets hitting a capture on the outside but nothing on an inside capture.

As an example I want 10.1.1.1 to go through from the outside to the inside on pat 172.16.10.10

config:

object-group network VMWARE-MGMT
network-object host 10.1.1.1

object-group network VMWARE-HOSTS
network-object host 172.16.5.10

object-group service VMWARE-TCP tcp
port-object eq 902
port-object eq 903
port-object eq 22
port-object eq 443

access-list 101 permit tcp object-group VMWARE-MGMT object-group VMWARE-HOSTS object-group VMWARE-TCP

access-group 101 in interface outside

access-list acl_vmware permit tcp object-group VMWARE-MGMT object-group VMWARE-HOSTS object-group VMWARE-TCP

nat (outside) 10 access-list acl_vmware

global (inside) 10 172.16.10.10

route inside 172.16.0.0 255.255.0.0 172.16.1.1

172.16.1.1 is the next hop (router). Is there something wrong with the nat?

thanks

naveenrawat007 — Mon, 07 Apr 2014 19:25:24 GMT

Hi michael,

what you are trying to do is dynamic pat, and in this we can't specify the source port.

Please try not using port in the ACL

access-list acl_vmware permit tcp object-group VMWARE-MGMT object-group VMWARE-HOSTS object-group VMWARE-TCP

instead of this use ip based classification to classify the source to be patted

It is so because this is dynamic PAT that you are using so you cant specify source port on this.

so instead of above use:

access-list acl_vmware permit ip object-group VMWARE-MGMT object-group VMWARE-HOSTS

Please rate if helpful

cheers

Naveen

mickyq — Tue, 08 Apr 2014 10:38:28 GMT

Thanks Naveen, I beleive that fixed the issue.

I did still had problems until I created a no nat for the return traffic. I just couldnt see what was going on with the PIX.

Thanks again. much appreciated.