topic Re: Pix501 nat config question in Network Security

Pix501 nat config question

kennis1977 — Mon, 11 Mar 2019 17:15:35 GMT

Hi Guys,

Im new in the pix world,now i just bought a pix501 firewall.. great thing..however..

I don't get a connection with nat to work...

I have the next situation..

outside address=192.168.1.254 /24 gateway address=192.168.1.1

inside address-172.16.250.253/24

Now i use the setup wizard to configure the pix... i want to add a dynamic nat role first

but i read somewhere on the internet that the pix is doing nat already by default from the inside

addresses to the outside adapter.

if this is true.. why can't i get any connection the the internet? i can also not ping 192.168.1.1

by the access roles everything is still default,so permit any any..

Can somebody give me a hint?

Thanks

Re: Pix501 nat config question

Jon Marshall — Sat, 27 Feb 2010 20:18:14 GMT

kennis1977 wrote:

Hi Guys,

Im new in the pix world,now i just bought a pix501 firewall.. great thing..however..

I don't get a connection with nat to work...

I have the next situation..

outside address=192.168.1.254 /24 gateway address=192.168.1.1

inside address-172.16.250.253/24

Now i use the setup wizard to configure the pix... i want to add a dynamic nat role first

but i read somewhere on the internet that the pix is doing nat already by default from the inside

addresses to the outside adapter.

if this is true.. why can't i get any connection the the internet? i can also not ping 192.168.1.1

by the access roles everything is still default,so permit any any..

Can somebody give me a hint?

Thanks

Pix by default will allow traffic from the inside to the outside but it won't automatically do not NAT. You need to add this -

nat (inside) 1 172.16.250.0 255.255.255.0

global (outside) 1 interface

this will nat all source addresses of 172.16.250.x to the outside interface address ie. 192.168.1.254.

Couple of additional things -

1) you will need to allow ICMP ie. ping back in on the outside interface because ICMP is not stateful

2) 192.168.1.254 is still not an internet routable address but i'm assuming either

i) you have changed the IP address for this post

ii) your traffic is Natted again somewhere upstream

Jon

Re: Pix501 nat config question

kennis1977 — Sun, 28 Feb 2010 12:58:55 GMT

Hi Jon,

Thanks for your reply!!

Ok...so i still need to configure NAT.. i will try that first..

and indeed the address 192.168.1.254 is a gateway that is als Natting to the outside internet (this is a Dsl modem).

Before i had just a router that was Natting also behind this modem and this was working either. so nat behind nat...

I just want to replace the router by the pix.

I give you a reply back if it's going to work... thanks

Ken

Re: Pix501 nat config question

kennis1977 — Sun, 28 Feb 2010 14:10:50 GMT

Hi Jon,

I tried the config on my pix and it works!!!! GREAT..

However i have still one question...

we also talked about icmp allowing from the outside to the inside network..

When im making a Acess-rule that permit icmp packets from the outside to the inside network it also asks for a nat role to define..(logical)

but when im insert this nat role... its not going right...can still not ping and also my connection to the outside world is gone...

Can you perhaps give me again an example on how to configure it..? that will be great....

Thanks again...

Re: Pix501 nat config question

Kureli Sankar — Sun, 28 Feb 2010 21:00:25 GMT

I am clear as to what you are trying to configure now.

When the inside to outside access works, adding icmp to be allowed on the outside acl breaks inside to outside access?

Need the output of

sh nat

sh access-group

sh access-list | i icmp

-KS

Re: Pix501 nat config question

kennis1977 — Sun, 28 Feb 2010 21:34:36 GMT

ehhm when i add a new role to permit icmp from the outside to the inside network, i cannot access the internet anymore....

but the role any any that is defined now can you just edit this one for some ports? or do i have to make a new one then..and remove the any any role?

anyway... here is my sh nat:

nat (inside) 1 172.16.250.0 255.255.255.0 0 0

sh access-group is nothing...

sh access-list | i icmp: is also nothing...

Re: Pix501 nat config question

Kureli Sankar — Mon, 01 Mar 2010 03:06:26 GMT

Jon had given you the following:

nat (inside) 1 172.16.250.0 255.255.255.0

global (outside) 1 interface

Now if you want to allow icmp then you need an access-list line and then an access-g line to apply the access-list to the outside interface.

access-list outside-acl permit icmp any any

access-group outside-acl in int outside

Once done you can ping from the inside and get a response. Make sure the inside is higher level security than the outside.

-KS

Re: Pix501 nat config question

kennis1977 — Mon, 01 Mar 2010 13:42:33 GMT

Ok makes sense...

Im going to try this... thanks i keep you posted...

Re: Pix501 nat config question

kennis1977 — Wed, 03 Mar 2010 18:19:41 GMT

Hi,

Great again!!! this is also working...

I think i can use the same rule with all different ports from the outside network..?

Thanks for you're help all...

Re: Pix501 nat config question

kennis1977 — Fri, 05 Mar 2010 18:49:32 GMT

Ah one more question...

Ok... so i now have a dynamic nat rule for my host on the inside.. great...

however i want also to open some ports to access from the outside (like www for example)

i found on the internet some rules how to do it:

were the x.x.x.x is my outside ip address

access-list outside_access_in permit tcp any host x.x.x.x eq 80

static (inside,outside) x.x.x.x 172.16.250.24 netmask 255.255.255.255 0 0

This is working also... but then its only possible to go to the internet from ip address 172.16.250.24

and all the others are blocked...

so do i always need a static nat rule when i want to open a port from the outside? or can i do it also different?

Thanks

Re: Pix501 nat config question

Kureli Sankar — Fri, 05 Mar 2010 19:06:49 GMT

You cannot do this

static (inside,outside) x.x.x.x 172.16.250.24 netmask 255.255.255.255 0 0

pls. change that line to this

static (inside,outside) tcp interface 80 172.16.250.24 80 netmask 255.255.255.255 0 0 --> static pat

If you use the IP address of the outside interface and do a 1-1 NAT instead of PAT, you will see what you are seeing.

-KS

Re: Pix501 nat config question

kennis1977 — Fri, 05 Mar 2010 19:36:15 GMT

You're really great!!! hahahaha

Works again..... perfect!!!

Thanks for you're reply....