topic Re: Nat rule overlaps existing rule in Network Security

Nat rule overlaps existing rule

roussillon — Mon, 11 Mar 2019 14:02:14 GMT

Hi, it is the first time I use a PIX, and I am having problems with NAT.

I have a serveur with an Internal Ip address 192.168.230.13

at the outside and ip addres is use 10.5.5.3

So I did a translation rule to a static IP,from 10.5.5.3 on outside to inside serveur 192.168.230.13.

then I tried to add a translation rule tha would use the same destination:

translation rule static with port address translation from 10.5.5.4:8080 on outside to 192.168.230.13:8080 on inside.

The firewall tells me that the second rule overlaps the firstone. this causes no problems in other firewall.

How can I do this properly on a Pix?

Thanks

Re: Nat rule overlaps existing rule

kerek — Fri, 24 Oct 2008 10:29:48 GMT

Hi,

The solution is the policy nat where you can define exactly what traffic should be translated and how.

Take a look to this link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b6e1a.shtml

Hope it helps, rate if does,

Thanks,

Krisztian

Re: Nat rule overlaps existing rule

roussillon — Mon, 27 Oct 2008 14:28:34 GMT

After reading the document I was recomended, I did the following configuration:

interface gb-ethernet1 vlan229 logical

nameif vlan229 local security95

ip address local 192.168.229.254 255.255.255.0

name 192.168.229.2 lenovo

access-list outside_access_in permit tcp any host 212.44.229.2 eq ssh

access-list outside_access_in permit tcp any host 212.44.229.2 eq www

access-list outside_access_in permit tcp any host 212.44.229.2 eq smtp

ip address local 192.168.229.254 255.255.255.0

pdm location 212.44.229.2 255.255.255.255 outside

pdm location 212.44.229.3 255.255.255.255 outside

pdm location 212.44.229.4 255.255.255.255 outside

pdm location lenovo 255.255.255.255 local

pdm location 192.168.229.0 255.255.255.255 local

global (outside) 2 interface

nat (inside) 2 0.0.0.0 0.0.0.0 0 0

nat (local) 2 192.168.229.0 255.255.255.0 0 0

static (outside,local) tcp lenovo ssh 212.44.229.2 ssh netmask 255.255.255.255 0 0

static (outside,local) tcp lenovo www 212.44.229.3 www netmask 255.255.255.255 0 0

static (outside,local) tcp lenovo smtp 212.44.229.4 smtp netmask 255.255.255.255 0 0

static (local,outside) 212.44.229.2 lenovo netmask 255.255.255.255 0 0

but only the ssh conexions over 212.44.229.2 are routed to 192.168.229.2

the rest does not work.

Any idea??

Re: Nat rule overlaps existing rule

Mo'ath Al Rawashdeh — Mon, 27 Oct 2008 15:44:11 GMT

Hi mate,

Can you please tell us exactly what your business requirements are so that i can help you?

Thanks,

Re: Nat rule overlaps existing rule

roussillon — Mon, 27 Oct 2008 15:49:39 GMT

Hi,

I think it is not complicated

Having used iptables and sofware firewall (like astaro) in the past , now I 'am tring to understand nat on a pix 6.3

I'm tring to redirect conexions to ports on externals ip addresses to a server with an internal ip I mean:

the connexion to 212.44.229.2:ssh most be redirected to 192.168.229.2:ssh ip

the connexion to 212.44.229.3:80 most be redirected to 192.168.229.2:80 ip

the connexion to 212.44.229.4:25 most be redirected to 192.168.229.2:25 ip

this is the config I am tring to set up but I am a little lost here.

thanks

Re: Nat rule overlaps existing rule

kerek — Tue, 28 Oct 2008 10:10:11 GMT

Hi,

The order of your static statement is not correct I guess so first remove all the static statements and after add these:

static (local,outside) tcp 212.44.229.2 ssh lenovo ssh

static (local,outside) tcp 212.44.229.3 http lenovo http

static (local,outside) tcp 212.44.229.4 25 lenovo 25

Hope it helps, rate if does

Krisztian