<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: PIX NAT question.. in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/pix-nat-question/m-p/398067#M555853</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Yes, you can certainly do static translation for hosts on the inside (or any other high security zones) that do not belong to the same subnet of the inside interface (or high security zone). As long as your routing is configured correctly, you can translate addresses behind a firewall interface.&lt;/P&gt;&lt;P&gt;In your example, your inside interface is connected to a L3 switch or router that takes care of routing for the 10.210 subnet. On the PIX, you will need a static route that will route packets destined to 10.210.0.0/16 (I am making an assumption on the subnet mask):&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;route inside 10.210.0.0 255.255.0.0 &amp;lt;next-hop address&amp;gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&amp;lt;next-hop address&amp;gt; is the IP of the router/L3 switch interface.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope this helps.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Binh&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 26 Oct 2004 00:25:41 GMT</pubDate>
    <dc:creator>hoangbp</dc:creator>
    <dc:date>2004-10-26T00:25:41Z</dc:date>
    <item>
      <title>PIX NAT question..</title>
      <link>https://community.cisco.com/t5/network-security/pix-nat-question/m-p/398066#M555852</link>
      <description>&lt;P&gt;I have a PIX running 5.1.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;These are my current NAT entries.&lt;/P&gt;&lt;P&gt;nat (inside) 1 0.0.0.0 0.0.0.0 0 0&lt;/P&gt;&lt;P&gt;static (inside,outside) 199.1.235.192 192.168.235.192 netmask 255.255.255.255 0 0&lt;/P&gt;&lt;P&gt;static (inside,outside) 199.1.235.135 192.168.235.135 netmask 255.255.255.255 0 0&lt;/P&gt;&lt;P&gt;static (inside,outside) 199.1.235.183 192.168.235.183 netmask 255.255.255.255 0 0&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This box has 2 interfaces, 1 on the inside and 1 for the outside. The inside is on the 192.168 subnet and the outside is on the 199.1 subnet.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is there any way to add a static entry that is not on the inside subnet?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For example: static (inside,outside) 199.1.235.160 10.210.0.16 netmask 255.255.255.255 0 0&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 07:42:19 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-nat-question/m-p/398066#M555852</guid>
      <dc:creator>syancy</dc:creator>
      <dc:date>2020-02-21T07:42:19Z</dc:date>
    </item>
    <item>
      <title>Re: PIX NAT question..</title>
      <link>https://community.cisco.com/t5/network-security/pix-nat-question/m-p/398067#M555853</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Yes, you can certainly do static translation for hosts on the inside (or any other high security zones) that do not belong to the same subnet of the inside interface (or high security zone). As long as your routing is configured correctly, you can translate addresses behind a firewall interface.&lt;/P&gt;&lt;P&gt;In your example, your inside interface is connected to a L3 switch or router that takes care of routing for the 10.210 subnet. On the PIX, you will need a static route that will route packets destined to 10.210.0.0/16 (I am making an assumption on the subnet mask):&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;route inside 10.210.0.0 255.255.0.0 &amp;lt;next-hop address&amp;gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&amp;lt;next-hop address&amp;gt; is the IP of the router/L3 switch interface.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope this helps.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Binh&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 26 Oct 2004 00:25:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-nat-question/m-p/398067#M555853</guid>
      <dc:creator>hoangbp</dc:creator>
      <dc:date>2004-10-26T00:25:41Z</dc:date>
    </item>
    <item>
      <title>Re: PIX NAT question..</title>
      <link>https://community.cisco.com/t5/network-security/pix-nat-question/m-p/398068#M555854</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks Binh, but I am still confused. If I just add that line "route inside 10.210.0.0 255.255.0.0 &amp;lt;next-hop address&amp;gt;" that covers the routing.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;What do I do for the host connected to the switch which is connected directly to the PIX? What do I use as the host's default gateway? How does the host even see the PIX? The host has an address on the 10 net but the interface that it must exit through is on the 192.168 net.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 26 Oct 2004 02:20:36 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-nat-question/m-p/398068#M555854</guid>
      <dc:creator>syancy</dc:creator>
      <dc:date>2004-10-26T02:20:36Z</dc:date>
    </item>
    <item>
      <title>Re: PIX NAT question..</title>
      <link>https://community.cisco.com/t5/network-security/pix-nat-question/m-p/398069#M555855</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Not to speak for Binh on this one, but I believe there was some confusion related to your original post. I did not think you were referring to creating a static translation for a host on another subnet *but* with that host on the same L2 segment as the inside of your PIX. We all assumed you were referring to creating a static translation for a host that was an L3 hop away (meaning, on the other side of a router that was inside the PIX). So, Binh's original reply was correct with our incorrect (it seems anyway) assumption in mind.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Now, back to your problem. There really is no way to accomplish what you are trying to do. In a router scenario, you would normally add a secondary address to the inside interface and assign it an address from the 10.210.0.0/16 range. However, the PIX does not support secondary addresses. The solution is to add a 2-interface L3 device (router of some sort) and assign it one address from the 10.210.0.0/16 range and another address from the range that the inside of your PIX sits on. With this in place, Binh's post is dead on.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Now, I will say that I have seen some OS's (not sure how they do this) allow you to assign a default gateway that is not in the same subnet as the host's NIC address. I have no idea how this works as it seems to go against the laws of subnetting but it does work. Never spent much time getting into the ins and outs of which OS's work like this but I thought I would throw it out there.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Good luck and let us know if this is not clear.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Scott&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 26 Oct 2004 12:58:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-nat-question/m-p/398069#M555855</guid>
      <dc:creator>scoclayton</dc:creator>
      <dc:date>2004-10-26T12:58:48Z</dc:date>
    </item>
    <item>
      <title>Re: PIX NAT question..</title>
      <link>https://community.cisco.com/t5/network-security/pix-nat-question/m-p/398070#M555856</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;My bad for making the wrong assumption regarding the original issue.&lt;/P&gt;&lt;P&gt;Scott,&lt;/P&gt;&lt;P&gt;Thanks for stepping in and clarifying the issue. You are right on!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Binh&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 26 Oct 2004 13:18:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-nat-question/m-p/398070#M555856</guid>
      <dc:creator>hoangbp</dc:creator>
      <dc:date>2004-10-26T13:18:07Z</dc:date>
    </item>
    <item>
      <title>Re: PIX NAT question..</title>
      <link>https://community.cisco.com/t5/network-security/pix-nat-question/m-p/398071#M555857</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;What type of PIX do you have? From the 515 onwards you can configure VLAN interfaces; if so, you can add a VLAN interface that belongs to the 10.210.0.X network.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Best regards,&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 26 Oct 2004 15:11:52 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-nat-question/m-p/398071#M555857</guid>
      <dc:creator>fausto-oliveira</dc:creator>
      <dc:date>2004-10-26T15:11:52Z</dc:date>
    </item>
  </channel>
</rss>

