topic Re: nat problems in Network Security

nat problems

roussillon — Mon, 11 Mar 2019 14:03:25 GMT

Hi everybody.

Having used iptables and sofware firewall (like astaro) in the past , now I 'am tring to understand nat on a pix 6.3

I'm tring to redirect conexions to ports on externals ip addresses to a server with an internal ip I mean:

the connexion to 212.44.229.2:ssh most be redirected to 192.168.229.2:ssh ip

the connexion to 212.44.229.3:80 most be redirected to 192.168.229.2:80 ip

the connexion to 212.44.229.4:25 most be redirected to 192.168.229.2:25 ip

I did this configuration but only the ssh redirection works.

interface gb-ethernet1 vlan229 logical

nameif vlan229 local security95

ip address local 192.168.229.254 255.255.255.0

name 192.168.229.2 lenovo

access-list outside_access_in permit tcp any host 212.44.229.2 eq ssh

access-list outside_access_in permit tcp any host 212.44.229.2 eq www

access-list outside_access_in permit tcp any host 212.44.229.2 eq smtp

ip address local 192.168.229.254 255.255.255.0

pdm location 212.44.229.2 255.255.255.255 outside

pdm location 212.44.229.3 255.255.255.255 outside

pdm location 212.44.229.4 255.255.255.255 outside

pdm location lenovo 255.255.255.255 local

pdm location 192.168.229.0 255.255.255.255 local

global (outside) 2 interface

nat (inside) 2 0.0.0.0 0.0.0.0 0 0

nat (local) 2 192.168.229.0 255.255.255.0 0 0

static (outside,local) tcp lenovo ssh 212.44.229.2 ssh netmask 255.255.255.255 0 0

static (outside,local) tcp lenovo www 212.44.229.3 www netmask 255.255.255.255 0 0

static (outside,local) tcp lenovo smtp 212.44.229.4 smtp netmask 255.255.255.255 0 0

static (local,outside) 212.44.229.2 lenovo netmask 255.255.255.255 0 0

but only th ssh conexion over 212.44.229.2 is routed to 192.168.229.2

I have red about nat on pix but this case is not clear to me.

Any idea? thanks to you all

Re: nat problems

Collin Clark — Mon, 27 Oct 2008 14:58:19 GMT

Cisco's NAT terminology can be weird at times.

Setting up a NAT Port Translation

static (local,outside) tcp 22 212.44.229.2 192.168.229.15 22 netmask 255.255.255.255

Setting up a NAT translation (all ports & protocols)

static (local,outside) 212.44.229.2 192.168.229.15 netmask 255.255.255.255

It looks like most of your NATs are backwards.

Here's a little HOW-TO on NAT's (look for NAT)-

http://www.packetpros.com/wiki/index.php/Cisco

Hope that helps.

Re: nat problems

roussillon — Mon, 27 Oct 2008 16:19:48 GMT

yes your are rigth , that is awesome they are backward. btu I created them PDM how is taht possible?

Well I fix the nat rule but I can not make the acl rule

it tell me: no communication is allowed between two interfaces wich have the same security level.

the external interface of the pix is not in network 212.44.229.0/24 but in all net devices a route point network 212.44.229.2 to be accessed via the pix. The pix thinks that network 212.44.229.0/24 is in the outside interface.

Is that a new problem?

Thanks

Re: nat problems

Collin Clark — Mon, 27 Oct 2008 16:29:28 GMT

do you have a simple diagram with interface names?

Re: nat problems

roussillon — Mon, 27 Oct 2008 22:47:23 GMT

Hy, this is the schema.

My ISP route the 212.44.229.0/24 to my PIX

INTERNET

ROUTER(ip route 212.44.229.0/24 via le pix)

______________________

|outside (gb-ethernet0)|

| |

| PIX |

| |

|inside (gb-ethernet1) |

|local (vlan229) |

|local (vlan228) |

|______________________|

|--192.168.229.0/24 (vlan229)

|--129.168.228.0/24 (vlan228)

Thank you very much.

Re: nat problems

roussillon — Tue, 28 Oct 2008 11:39:57 GMT

hi, you all

now I have changed my conf as follow:

interface gb-ethernet1 vlan229 logical

interface gb-ethernet1 vlan230 logical

nameif gb-ethernet0 outside security0

nameif gb-ethernet1 inside security100

nameif vlan229 local security95

access-list outside_access_in permit tcp any host 212.44.229.3 eq www

access-list outside_access_in permit tcp any host 212.44.229.4 eq smtp

access-list outside_access_in permit tcp any host 212.44.229.2 eq ssh

access-list inside_nat0_outbound permit ip any 192.168.229.192 255.255.255.192

ip address local 192.168.229.254 255.255.255.0

pdm location 212.44.229.2 255.255.255.255 outside

pdm location 212.44.229.3 255.255.255.255 outside

pdm location 192.168.229.0 255.255.255.255 Admin

pdm location 192.168.229.192 255.255.255.192 Admin

pdm location 212.44.229.4 255.255.255.255 outside

pdm location 192.168.229.2 255.255.255.255 Admin

global (outside) 2 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 2 0.0.0.0 0.0.0.0 0 0

nat (local) 2 192.168.229.0 255.255.255.0 0 0

static (local,outside) tcp 212.44.229.3 www 192.168.229.2 www netmask 255.255.255.255 0 0

static (local,outside) tcp 212.44.229.4 smtp 192.168.229.2 smtp netmask 255.255.255.255 0 0

static (local,outside) tcp 212.44.229.2 ssh 192.168.229.2 ssh netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

But, with no result either.

I do not want to come back to astaro firewall as I have a pix now and logically a pix is made for firewalling.

Any help please??

Re: nat problems

Collin Clark — Tue, 28 Oct 2008 13:22:35 GMT

In the config above, the interface name is inside and outside, but in your statics, they are outside and local. They have to match, is the trusted interface named local or inside?

Re: nat problems

roussillon — Tue, 28 Oct 2008 13:35:19 GMT

Hi, thanks.

Yes, but if you read carefully you will see this two lines too.

interface gb-ethernet1 vlan229 logical

nameif vlan229 local security95

so I can use local, am I rigth? or the nat rules are not possible over logical interfaces?

thanks again

Re: nat problems

Collin Clark — Tue, 28 Oct 2008 13:42:38 GMT

You can use anything you like so that's not a problem. Can you post a full sanitized config?

Re: nat problems

roussillon — Wed, 29 Oct 2008 11:54:10 GMT

Hi you all.

I have made some changes and now NAT works. But there are several problemes. The PDM does not take into account my ACL it tell me this rule is null. After doing a translation I tested with an access rule and it's true my acces list is taged with (null rule) so I cannot filter.

Exemple of acl:

access-list outside_access_in permit tcp any host 212.x.x.3 eq www

Here is the config:

interface gb-ethernet0 1000auto

interface gb-ethernet1 1000auto

interface gb-ethernet1 vlan1000 physical

interface gb-ethernet1 vlan229 logical

nameif gb-ethernet0 outside security0

nameif gb-ethernet1 inside security100

nameif vlan229 local security95

enable password the_password encrypted

passwd the_password encrypted

hostname pix

names

name 192.168.229.2 lenovo

access-list inbound permit tcp any host 192.168.225.55

access-list inbound permit tcp host 192.168.225.51 any

access-list outside_access_in permit icmp any any

access-list outside_access_in permit tcp any host 212.44.229.2 eq ssh

access-list outside_access_in permit tcp any host 212.44.229.3 eq www

access-list inside_nat0_outbound permit ip any 192.168.229.192 255.255.255.192

pager lines 24

logging on

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside 212.x.x.2 255.255.255.0

ip address inside 192.168.254.254 255.255.255.0

ip address local 192.168.229.254 255.255.255.0

pdm location 212.x.x.2 255.255.255.255 outside

pdm location 212.x.x.3 255.255.255.255 outside

pdm location 192.168.229.0 255.255.255.255 local

pdm location 212.x.x.4 255.255.255.255 outside

pdm location lenovo 255.255.255.255 local

pdm location 192.168.229.192 255.255.255.192 local

pdm location 192.168.229.192 255.255.255.192 outside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 2 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 2 0.0.0.0 0.0.0.0 0 0

nat (local) 2 lenovo 255.255.255.255 0 0

static (local,outside) tcp 212.44.229.2 ssh lenovo ssh netmask 255.255.255.255 0 0

static (local,outside) tcp 212.44.229.3 www lenovo www netmask 255.255.255.255 0 0

static (local,outside) tcp 212.44.229.4 2525 lenovo smtp netmask 255.255.255.255 0 0

static (local,outside) tcp 212.44.229.5 www lenovo 8080 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 212.44.228.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server LOCAL protocol local

aaa authentication secure-http-client

http server enable

floodguard enable

console timeout 0

terminal width 80

: end

Thanks you all

Re: nat problems

Collin Clark — Wed, 29 Oct 2008 13:33:36 GMT

A null rule indicates that an access rule was configured for a host that is not visible on another interface. This rule is null because no traffic can flow between these two hosts even though the access rule would permit it.

Your ACL should look like this-

access-list outside_access_in permit icmp any any

access-list outside_access_in permit tcp any host 212.44.229.2 eq ssh

access-list outside_access_in permit tcp any host 212.44.229.3 eq www

access-list outside_access_in permit tcp any host 212.44.229.4 eq 2525

access-list outside_access_in permit tcp any host 212.44.229.5 eq www

You may have to remove the rule from the interface to edit it.

Re: nat problems

roussillon — Wed, 29 Oct 2008 14:18:01 GMT

Hy, thanks.

My rules already are like this.:

access-list outside_access_in permit tcp any host 212.44.229.2 eq ssh

access-list outside_access_in permit tcp any host 212.44.229.3 eq www

Re: nat problems

roussillon — Wed, 29 Oct 2008 17:21:49 GMT

Hi,

I am always at the same point, y cannot make acces rules work (after have made nat work )car the pdm tells me (null rule).

Can someone tell me wath is wrong with my config?

thanks

Re: nat problems

roussillon — Thu, 30 Oct 2008 13:34:38 GMT

Hi.

after doing some tests I arrive to the following conclusion.

connexion to 212.44.229.2:ssh redirect to 192.168.229.2:ssh

connexion to 212.44.229.3:80 redirect to 192.168.229.2:80

connexion to 212.44.229.4:25 most be redirect to 192.168.229.2:25

this type of config does not work properly cause it does not permit manage acces-list(null rule).

I tested this:

connexion to 212.44.229.2:ssh redirect to 192.168.229.2:ssh

connexion to 212.44.229.3:80 redirect to 192.168.229.3:80

connexion to 212.44.229.4:25 redirect to 192.168.229.4:25

that work well cause it allows me to manage acces-list to the destination hosts. This mean that in my server interface I have to add an ip alias for each external ip I want to use.

I can even do:

connexion to 212.44.229.3:80 redirect to 192.168.229.3:8080

mi conf looks like this(from my last test):

access-list outside_access_in permit tcp any host 212.44.229.3 eq www

access-list outside_access_in permit tcp any host 212.44.229.2 eq ssh

access-list outside_access_in permit tcp any host 212.44.229.2 eq smtp

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (local) 1 0.0.0.0 0.0.0.0 0 0

static (local,outside) tcp 212.44.229.2 ssh lenovo ssh netmask 255.255.255.255 0 0

static (local,outside) tcp 212.44.229.3 www 192.168.229.3 8080 netmask 255.255.255.255 0 0

static (local,outside) tcp 212.44.229.2 smtp lenovo smtp netmask 255.255.255.255 0 0

I that all rigth or there is a way for not using ip alias?

Thank you all.