topic Re: PAT / NAT and Inbound/Outbound - Can I do this? in Network Security

PAT / NAT and Inbound/Outbound - Can I do this?

mhcraig — Mon, 11 Mar 2019 17:45:49 GMT

This is a separate question that is a follow up to one that was answered:

Help with: Deny TCP (no connection)

https://supportforums.cisco.com/thread/2016571

Unfortunately that solution - by PATing all source addresses coming in from the outside to ensure the request is sent back out that same PIX - wreaks havoc on the dynamic translation rules. Note the PATing is a temporary solution to be used during this ISP move/renumbering.

So I have this configured: Allows client behind an interface dynamic translation using the specified outside IP.

global (outside) 30 64.123.111.4

global (outside) 20 64. 123.111.3

global (outside) 10 64. 123.111.2

nat (eth2) 20 10.1.0.0 255.255.224.0

nat (eth1) 10 10.0.0.0 255.255.224.0

nat (eth3) 30 10.100.0.0 255.255.224.0

It works well but when I PAT everything (add the 2 lines below) – it does fix the problem answered in my other post but “breaks” the above and I see “no translation group found” Syslog messages:

global (eth3) 1 64. 123.111.1

nat (outside) 1 0.0.0.0 0.0.0.0 outside

Is there a way I can have the best of both worlds?

Thanks,

-h

Re: PAT / NAT and Inbound/Outbound - Can I do this?

Jennifer Halim — Fri, 14 May 2010 22:45:14 GMT

Yes, assuming that eth3 has higher security level than outside, you would also need to configure NAT exemption on eth3 interface.

Let's assume that eth3 subnet is 200.1.1.0/24. The following config needs to be done:

access-list eth3-nonat permit ip 200.1.1.0 255.255.255.0 any

nat (eth3) 0 access-list eth3-nonat

Further just to clarify the following 2 commands configured:

global (eth3) 1 64. 123.111.1

nat (outside) 1 0.0.0.0 0.0.0.0 outside

The above configuration is configured as you would like any ip addresses from the outside subnet (Internet I assume) to be PATed to 64.123.111.1 when they are accessing eth3 subnet (200.1.1.0/24 - as per the above assumption)? Is this a correct assumption? If it is, then the NAT exemption above should resolve the issue.

Hope that helps.

Re: PAT / NAT and Inbound/Outbound - Can I do this?

mhcraig — Mon, 17 May 2010 14:15:35 GMT

Thanks for the reply but I'm still not having any luck. I've tried altering the nonat ACL and I can't seem to have the both situations work simulataneously:

Situation:
Web server is behind eth-poy: 10.100.2.10
Statically mapped to the outside eth-isp: 1.1.1.1
Host Servers use: 10.100.1.0/24
eth-isp = 2.2.2.2/26 (Internet)

eth-poy = 10.100.0.0/19

Goal:
1. Allow hosts behind eth-poy to access the internet using eth-isp sharing a single IP

AND simultaneously...
2. Allow web servers behind eth-poy to utilize their static mappings when people access them from the internet

What is happening is that the static rules are working but I'm still seeing "no translation group found for tcp src eth-poy:10.100.1.100..." when I try to access the internet from one of the hosts behind eth-poy.

Here is what I have currently:
access-list acl_exempt_eth_poy_nonat permit ip 10.100.0.0 255.255.224.0 any
nat (eth-poy) 0 access-list acl_exempt_eth_poy_nonat
nat (eth-isp) 1 0.0.0.0 0.0.0.0 outside
global (eth-poy) 1 2.2.2.1
static (eth-poy,eth-isp) 2.2.2.10 10.100.2.10 netmask 255.255.255.255

Note: I've tried adjusting the ACL to include only those hosts in the 10.100.2.0/24 range and alternatively the 10.100.1.0/24 range but no luck.

What am I doing wrong?

Many thanks,

-h

Re: PAT / NAT and Inbound/Outbound - Can I do this?

mhcraig — Tue, 18 May 2010 20:54:02 GMT

Just to answer your *specific* question - YES your assumption is correct.

In addition though, I would like hosts behind eth3 to access the internet using a single IP (can be different than the one used for the PATing.

Any ideas why I'm seeing this syslog message:

"no translation group found for tcp src eth-poy:10.100.1.100..."

..and the hosts can't access the internet?

Thanks,

-h