topic Please help with a PIX NAT problem in Network Security

Please help with a PIX NAT problem

chansh — Fri, 21 Feb 2020 08:00:49 GMT

Hi All,

Really need help with this.

I have a switch that has a public ip address (192.168.0.2), that I would like to manage from the private ip address (10.0.0.5).

I would like to be able to telnet to 10.0.1.5 which would be the NATed ip address of the switch.

Here is the config:

nameif ethernet0 outside security0

nameif ethernet1 inside security100

name 10.0.1.5 Switch_A_NAT

name 192.168.0.2 Switch_A

access-list outside_access_in deny ip any any log

access-list inside_access_in permit tcp 10.0.0.0 255.255.255.0 host 10.0.1.5 eq telnet

access-list inside_access_in permit tcp 10.0.0.0 255.255.255.0 host 192.168.0.2 eq telnet

ip address outside 192.168.0.1 255.255.255.224

ip address inside 10.0.1.15 255.255.255.192

static (outside,inside) 10.0.1.5 192.168.0.2 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

Error received:

305005: No translation group found for tcp src inside:10.0.0.5/3534 dst outside:10.0.1.5/23

Re: Please help with a PIX NAT problem

mhussein — Tue, 15 Mar 2005 13:57:22 GMT

Even with "outside nat" you still need a translation from inside to outside plus an ACL, and the outside nat will be unnecessary in this case.

Try removing the outside static, and translate inside to outside:

nat (inside) 1 10.0.0.5 255.255.255.255

global (outside) 1 192.168.0.30

or, identity nat translation

static (inside, outside) 10.0.0.5 10.0.0.5 netmask 255.255.255.255 0 0

or:

static (inside, outside) 192.168.0.30 10.0.0.5 netmask 255.255.255.255 0 0

ACL outside_access_in is redundant (except for logging behaviour)

Regards,

Mustafa

Re: Please help with a PIX NAT problem

joeqiu2002 — Tue, 15 Mar 2005 14:57:16 GMT

use outside nat

Re: Please help with a PIX NAT problem

layer9 — Fri, 18 Mar 2005 03:42:17 GMT

First I assume the IP addresses you are giving are not the actual addresses, since they are all from the RFC 1918 group. Assuming that and looking at your config, a first glance shows one problem.

Your static NAT mapping is incorrectly stated.

Try these commands

no static (outside,inside) 10.0.1.5 192.168.0.2 netmask 255.255.255.255 0 0

static (inside,outside) 10.0.1.5 192.168.0.2 netmask 255.255.255.255

You have the (inside,outside) statement reveresed.Nothing will work until that is corrected.

Chris Weber CCDP

cw@layer9corp.com

Chris

Re: Please help with a PIX NAT problem

layer9 — Fri, 18 Mar 2005 03:55:46 GMT

Also what is with the Inside Access List? Are you trying to deny certain systems on your network from accessing the Internet?

An access-list applied to the inside Interface of a PIX, Ethernet 1 which has the highest security level is in most cases a moot command, and causes problems in most cases. Traffic from the inside is already by default permitted to the outside, from the higher security interface to the lower is always permitted on the PIX. Applying an access list to this interface can restrict outbound traffic and cause all sorts of headaches. Unless you absolutely have to restrict certain users from accessing the Internet (and even then there are better ways to do this) I would remove the access-list inside from the PIX altoghether.

You basically have the whole thing backwards, not to be critical of course. Your access-list inside is set to permit telnet to the Switch, but it is applied to the INSIDE interface. It needs to be applied to the OUTSIDE interface.

Also you applied an access list to the OUTSIDE interface blocking EVERYTHING!

Type these commands or copy them from here and apply them in Global Config mode.

1. No access-group outside_access_in in interface outside

2. No access-group inside_access_in in interface inside

3. access-group inside_access_in in interface outside

Do this AFTER doing what I told you to do in my first post. You need to correct the STATIC NAT statements first, then set the Access-lists. You can cut and paste my commands from this message directly into your PIX from Global Config Mode.

Regards

Chris Weber CCDP

cw@layer9corp.com

Re: Please help with a PIX NAT problem

layer9 — Fri, 18 Mar 2005 04:04:10 GMT

Oh no, it's me again. You have another problem.

You have your access-lists written incorrectly. You are applying them as if you were permitting the NAT address to the Internal address. You don't need to do this.

If your outside address, the address you have set as the external NAT address of the switch is 10.0.1.5 then your access-list would read as follows.

access-list mysamplelist permit tcp any host 10.0.1.5 eq 23

Then you apply the access list to the outside interface

access-group mysamplelist in interface outside

There, we just rebuilt your PIX in 3 posts.

Regards

Chris Weber CCDP

cw@layer9corp.com