topic Re: NAT help on Pix in Network Security

NAT help on Pix

Andy White — Mon, 11 Mar 2019 19:06:24 GMT

Hello,

I am using a PIX on our test network and I'm trying to get devices on interface "DMZ4_Wireless_PDA" (Ip range 172.25.1.x/24) to communicate with x.x.156.78 which NAT's to a server on the inside interface on 192.168.200.200. Attached is my config but I can't get it to work. The 172.25.1.x range needs to communicate on various ports especially ICMP.

Thanks in advance for your time

Re: NAT help on Pix

Jennifer Halim — Tue, 09 Nov 2010 09:48:00 GMT

There seems to be overlapped with ip address x.x.156.78 on the following:

global (inside) 1 x.x.156.78

nat (outside) 1 192.168.201.0 255.255.255.0

static (inside,DMZ4_Wireless_PDA) x.x.156.78 192.168.200.200 netmask 255.255.255.255

Do you have a need for the nat/global pair?

Also, do you need to ping the public ip address (x.x.156.78) instead of the private ip address (192.168.200.200)? or it doesn't really matter which ip address you ping as long as it's testing the actual server connectivity.

To ping, you would also need to configure inspection for icmp:

policy-map global_policy

class inspection_default

inspect icmp

Re: NAT help on Pix

Dan-Ciprian Cicioiu — Tue, 09 Nov 2010 09:50:51 GMT

Hi Andy ,

By default PIX need to NAT flows from higher security level ( inside 100 ) to lower security level ( DMZ4_Wireless_PDA 20 ).

So the solutions are :

1. configure nat of the inside host to DMZ4 segment

static (inside,DMZ4_Wireless_PDA) 172.25.1.200 192.168.200.200

Allow on the access-list :

access-list DMZ4_Wireless_PDA_access_in permit icmp 172.25.1.0 255.255.255.0 host 172.25.1.200

2. disable this behaviod

no nat-control

Then your configured access-list will work:

access-list DMZ4_Wireless_PDA_access_in extended permit udp 172.25.1.0 255.255.255.0 host 192.168.200.2 eq domain

Dan

Re: NAT help on Pix

Andy White — Tue, 09 Nov 2010 10:27:18 GMT

Hi,

My Pix/ASA knowledge is a bit rusty, but all I need is all the devices on 172.25.1.x/24 to contact x.x.156.78 which is a server on the inside (192.168.200.200). I'm not sure what ot why the global statement is there, what does that do?

x.x156.78 is a public IP, but for the scenario it is a server on the inside and yes I need to ping x.x156.78.

I hope that's a little clearer as my explanation wasn't the best.

Thanks

Re: NAT help on Pix

Jennifer Halim — Tue, 09 Nov 2010 10:41:42 GMT

As far as the NAT statement is concern, you only need the following line:

static (inside,DMZ4_Wireless_PDA) x.x.156.78 192.168.200.200 netmask 255.255.255.255

The nat/global pair as far as I understand does not serve any purpose, and it would be best to remove them as it overlaps with the static NAT statement above:

no global (inside) 1 x.x.156.78

no nat (outside) 1 192.168.201.0 255.255.255.0

Please "clear xlate" after the changes, and also add "inspect icmp" as advised earlier.

Re: NAT help on Pix

Jennifer Halim — Tue, 09 Nov 2010 10:42:33 GMT

And also you need to enable proxyarp for DMZ4_Wireless_PDA interface:

no sysopt noproxyarp DMZ4_Wireless_PDA

Re: NAT help on Pix

Andy White — Tue, 09 Nov 2010 16:29:39 GMT

I believe I have changed the config to match what you said, but I still can't connect to x.x.156.78. I have configured my laptop to 172.5.1.10/24 and added me to the DMZ4_Wireless_PDA interface and tried to ping x.x.156.78 (192.168.200.200) and it fails.

I logged on the ASDM and did an packet trace from 172.25.1.10 to x.x.156.78 using echo-reply and it failed on the NAT-Exempt.

Any ideas what I might be doing wrong? Let me know if you need a fresh config.

Thanks

Re: NAT help on Pix

Andy White — Wed, 10 Nov 2010 10:26:27 GMT

Hello,

Would a fresh config help at all? I can't think why I would need a NAT exempt rule in place can you?

Re: NAT help on Pix

Jennifer Halim — Wed, 10 Nov 2010 10:40:20 GMT

Yes, packet tracer is right.

NAT exemption takes precedence over Static NAT, hence it's failing the static NAT.

The following NAT exemption configuration:

nat (inside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 192.168.201.0 255.255.255.240

access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 172.25.1.0 255.255.255.0

For testing purposes, I would take out that red line of ACL, "clear xlate", and test it. This should work now.

Then you can configure the following ACL instead to bypass 192.168.200.200 from being exempted:

access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.128 172.25.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.200.128 255.255.255.192 172.25.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.200.192 255.255.255.248 172.25.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip host 192.168.200.201 172.25.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip host 192.168.200.202 172.25.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip host 192.168.200.203 172.25.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.200.204 255.255.255.252 172.25.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.200.208 255.255.255.240 172.25.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.200.224 255.255.255.224 172.25.1.0 255.255.255.0