topic Re: Natting outside hosts for access to inside hosts on PIX in Network Security

Natting outside hosts for access to inside hosts on PIX

lisbeth.jacobsen — Fri, 21 Feb 2020 08:03:58 GMT

Hi,

I am trying to translate a host coming in over a VPN on a PIX running 6.3(1) with no success.

I have tried a static mapping and also a nat with a global as follows:

nat (outside) 3 10.10.10.0 255.255.255.0 outside 0 0

global (inside) 3 192.168.168.169

or:

static (outside,inside) 192.168.168.169 10.10.10.10 netmask 255.255.255.255 0 0

I have also added access-list statements to allow the natted address (192.168.168.169) in on the external interface

and added routes via the outside interface for the un-natted address

I am not sure if I have the logic right

Re: Natting outside hosts for access to inside hosts on PIX

ehirsel — Fri, 08 Apr 2005 11:15:28 GMT

Does the vpn connection terminate on the pix, or is it just passing thru the pix to an inside vpn gateway?

Re: Natting outside hosts for access to inside hosts on PIX

lisbeth.jacobsen — Fri, 08 Apr 2005 12:38:25 GMT

It terminates on the PIX

Re: Natting outside hosts for access to inside hosts on PIX

bhatok — Fri, 08 Apr 2005 19:39:21 GMT

I'm not sure if I follow what you are trying to do but here is my take. You have users connecting to your network via a VPN to your PIX. Once connected your users are given 192.168.168.169 as their address. These users cannot access resources behind the PIX.

If your users are successfully connecting to the VPN and their VPN IP is 192.168.168.169. You can create an access-list to allow this IP access to your internal network:

access-list 105 permit ip 10.10.10.0 255.255.255.0 192.168.168.169 255.255.255.255

nat (inside) 0 access-list 105

Now the VPN user with IP 192.168.168.169 is granted access to 10.10.10.0 (your internal network).

Re: Natting outside hosts for access to inside hosts on PIX

lisbeth.jacobsen — Fri, 08 Apr 2005 23:05:49 GMT

Let me clarify.

I have a vpn user coming in with a 10.x.x.x/24 address which I want to translate to a 192.x.x.x/24 address for access to another 172.x.x.x address on my internal network

My problem is that I am not doing the natting correctly and the vpn user continues to be seen with a 10.x.x.x address

Re: Natting outside hosts for access to inside hosts on PIX

ehirsel — Thu, 14 Apr 2005 11:06:10 GMT

Try this:

Create these access-lists:

access-list vpn_innat_01 permit ip 10.x.y.0 255.255.255.0 172.a.b.c 255.sm.sm.sm

access-list vpn_outnat_01 permit ip 172.a.b.c 255.sm.sm.sm 192.168.y.0 255.255.sm.sm

Create these statics:

static (out, in) 192.168.y.0 access-list vpn_innat_01

static (in, out) 172.a.b.c access-list vpn_outnat_01

You may need to also add an entry to the acl applied to the outside interface to allow the vpn connections to access the 172.x.x.x addresses unless you have the sysopt permit-ipsec option set.

Try these and let us know how it proceeds.

The acls and statics that I am having you enter allow the vpn connections to get nat'ed when accessing the 172.x.x.x hosts and allow addressability of those hosts to the vpn users. If you already have a static (in. out) 172.x.x.x 172.x.x.x statement already do not add the static (in, out) that I specified as it is already present.

These only work if you are running pix 6.3.3 code or higher.