topic Re: question about NAT on Firewall in Network Security

question about NAT on Firewall

cisco24x7 — Mon, 11 Mar 2019 13:43:20 GMT

I do not have a Pix firewall to test at the moment so I am going

to ask experts in forum if this is possible:

I have a host on the "inside" interface with an ip address of 192.168.3.10

Pix firewall "inside" ip address is 192.168.3.1/28

Pix firewall "outside" ip address 1.1.1.1/28

Pix firewall default gateway is 1.1.1.14

I have the following in the configuration:

static (inside,outside) 1.1.1.10 192.168.3.10 netmask 255.255.255.255 dns

access-list External permit ip any any log

access-list Internal permit ip any any log

access-group External in interface outside

access-group Internal in interface inside

Now here are my requirements:

1- Internet users will get to this host via 1.1.1.10,

2- telnet, ssh and smtp traffics originate from host 192.168.3.10 going to

64.100.1.0/24 and 192.95.25.0/24 will be natted to 1.1.1.10

2- telnet, ssh and smtp traffics originate from host 192.168.3.10 going

to ANY will be NATted to the Pix firewall's external interface (1.1.1.1),

3- http and https traffics originate from host 192.168.3.10 going to

72.1.100.0/24 will be NATted to 1.1.1.10,

4- http and https traffics originate from host 192.168.3.10 going to ANY

will be NAT'ed to firewall's external interface (1.1.1.1).

Is this possible? If so, how?

Thanks.

Re: question about NAT on Firewall

acomiskey — Thu, 11 Sep 2008 17:31:19 GMT

Thats a tough one. Hope I got this right.

access-list 100 permit ip host 192.168.3.10 any eq 23

access-list 100 permit ip host 192.168.3.10 any eq 22

access-list 100 permit ip host 192.168.3.10 any eq 25

access-list 100 permit ip host 192.168.3.10 any eq 80

access-list 100 permit ip host 192.168.3.10 any eq 443

access-list 101 permit ip host 192.168.3.10 any

static (inside,outside) 1.1.1.1 access-list 100

static (inside,outside) 1.1.1.10 access-list 101

Re: question about NAT on Firewall

cisco24x7 — Thu, 11 Sep 2008 20:04:58 GMT

Here is my revise requirements:

Now here are my requirements:

1- Internet users will get to this host via 1.1.1.10,

2- telnet, ssh and smtp traffics originate from host 192.168.3.10 going to

64.100.1.0/24 and 192.95.25.0/24 will be natted to 1.1.1.10

2- telnet, ssh and smtp traffics originate from host 192.168.3.10 going

to ANY will be NATted to the Pix firewall's external interface (1.1.1.1),

3- http and https traffics originate from host 192.168.3.10 going to

72.1.100.0/24 will be NATted to 1.1.1.10,

4- http and https traffics originate from host 192.168.3.10 going to ANY

will be NAT'ed to firewall's external interface (1.1.1.1).

5- Internet users from source 6.7.8.0/24 and

4.3.2.0/24 accessing http and https on IP address 1.1.1.1 will be re-directed to host

192.168.3.10 on http and https

I can do all this with Checkpoint firewall

in about 5 minutes and it works on the first

attempt.

I am struggling to get this to work on Cisco

firewall.

Re: question about NAT on Firewall

cisco24x7 — Fri, 12 Sep 2008 10:14:23 GMT

Any takers on this one?

Re: question about NAT on Firewall

Marwan ALshawi — Sat, 13 Sep 2008 09:20:44 GMT

hi david

u can solve it by useing policy NAT, Policy NAT/PAT translates the IP address of the packets passing through the security appliance only if those packets match the configured criterion or policy. The policy is defined by using ACLs. The ACL matches traffic against the source and the destination IP addresses.

so for ur case

u need the following lines:

access-list 100 permite tcp host 192.168.3.10 72.1.100.0 255.255.255.0 eq 80

access-list 100 permite tcp host 192.168.3.10 72.1.100.0 255.255.255.0 eq 443

access-list 101 permite tcp host 192.168.3.10 any eq telnet

access-list 101 permite tcp host 192.168.3.10 any eq 22

access-list 101 permite tcp host 192.168.3.10 any eq smtp

access-list 101 permite tcp host 192.168.3.10 any eq 80

access-list 101 permite tcp host 192.168.3.10 any eq 443

access-list 102 permite tcp host 192.168.3.10 6.7.8.0 255.255.255.0 eq 80

access-list 102 permite tcp host 192.168.3.10 6.7.8.0 255.255.255.0 eq 443

access-list 102 permite tcp host 192.168.3.10 4.3.2.0 255.255.255.0 eq 80

access-list 102 permite tcp host 192.168.3.10 4.3.2.0 255.255.255.0 eq 443

nat (inside) 2 access-list 101

globlab (outside) 2 interface

static (inside, outside) 1.1.1.10 access-list 101

satatic (inside, outside) 1.1.1.1 access-list 102

static (inside, outside) 1.1.1.10 192.168.3.10 netmask 255.255.255.255

good luck

if helpful Rate

Re: question about NAT on Firewall

cisco24x7 — Sat, 13 Sep 2008 10:50:21 GMT

Hi Marwanshawi,

Thank you and others for the suggestion. However, I have doubts about these

following lines:

static (inside, outside) 1.1.1.10 access-list 101

satatic (inside, outside) 1.1.1.1 access-list 102

static (inside, outside) 1.1.1.10 192.168.3.10 netmask 255.255.255.255

can you actually enter these 3 lines into the Pix configuration?

Re: question about NAT on Firewall

Marwan ALshawi — Sat, 13 Sep 2008 11:06:12 GMT

what software version ?

Re: question about NAT on Firewall

Marwan ALshawi — Sat, 13 Sep 2008 11:08:58 GMT

an administrator allows the real source IP address (192.168.10.190) to be changed to 209.165.200.227 only if traffic is destined for 209.165.201.10. The same static entry will also change the destination address from 209.165.200.227 to 192.168.10.190 if traffic is sourced from host 209.165.201.10.

Example 5-40. Configuration of Static Policy NAT

Chicago(config)# access-list static_NAT extended permit ip host 192.168.10.190 host

209.165.201.10

Chicago(config)# static (inside,outside) 209.165.200.227 access-list static_NAT

source is cisco press, Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance, 2005

if ur pix 7.x this concept applys

hope this helpful

Re: question about NAT on Firewall

Marwan ALshawi — Sat, 13 Sep 2008 12:19:48 GMT

there are two more important things

first u need to make the permit ACL for all in bound traffic going to 1.1.1.1 or 1.1.1.10

then after finishing the nat and ACLs config reload ur firewall to let the policy-NAT takes efficts

good luck 🙂

Re: question about NAT on Firewall

acomiskey — Sat, 13 Sep 2008 20:21:31 GMT

Warwan,

Could you explain the following. The poster asked the following.

5- Internet users from source 6.7.8.0/24 and

4.3.2.0/24 accessing http and https on IP address 1.1.1.1 will be re-directed to host

192.168.3.10 on http and https

Notice he says traffic is originating from 6.7.8.0/24 and 4.3.2.0 to 1.1.1.1. Therefore I don't see how this would work.

access-list 102 permite tcp host 192.168.3.10 6.7.8.0 255.255.255.0 eq 80

access-list 102 permite tcp host 192.168.3.10 6.7.8.0 255.255.255.0 eq 443

access-list 102 permite tcp host 192.168.3.10 4.3.2.0 255.255.255.0 eq 80

access-list 102 permite tcp host 192.168.3.10 4.3.2.0 255.255.255.0 eq 443

satatic (inside, outside) 1.1.1.1 access-list 102

Re: question about NAT on Firewall

Marwan ALshawi — Sun, 14 Sep 2008 00:57:59 GMT

hi Adam

good question if u look at the paragraph i have posted above from cisco press which as the following (which is an example from, Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance, 2005)

an administrator has defined a policy to translate the source IP address to 209.165.200.226 if the packets originate 192.168.10.10 and are destined for 209.165.201.1. Similarly, if the packets are sourced from 192.168.10.10 and destined for 209.165.201.2, the security appliance will change the source IP address to 209.165.200.227

thus, the ACL will represent two way path in this case if we made the ACL like access-list 102 thats mean it will include hhtp/https traffic from 192.168.10.3 to 6.7.8.0/24, 4.3.2.0/24 and vice versa 🙂

and this is the bineffits of ACL with NATing

thank you

if helpful Rate

Re: question about NAT on Firewall

cisco24x7 — Sun, 14 Sep 2008 10:26:45 GMT

Marwanshawi,

Basically, you're speculating this. Have you

tried my requirements in the lab and verified

that it works?

Thank you.

Re: question about NAT on Firewall

Marwan ALshawi — Sun, 14 Sep 2008 10:32:16 GMT

no i havnt but the fact is like this mate

u can try it

otherwise if u have another way will be great to know

and if u think about it it is very reasonable method because in general ACL with nating on ASA,PIX and FWSM works TWO WAY !!!

thank you

Re: question about NAT on Firewall

cisco24x7 — Sun, 14 Sep 2008 12:07:34 GMT

Hi Marwan,

The reason I asked is because the following configuration looks very suspicious:

static (inside, outside) 1.1.1.10 access-list 101

satatic (inside, outside) 1.1.1.1 access-list 102

static (inside, outside) 1.1.1.10 192.168.3.10 netmask 255.255.255.255

I think you will get errors with this configuration.

I would like to try it out if I have a Pix handy but I do not. I can't try this on the

Production Pix either.

Re: question about NAT on Firewall

Marwan ALshawi — Sun, 14 Sep 2008 12:14:22 GMT

ok i think about this u wmay get error

static (inside, outside) 1.1.1.10 192.168.3.10 netmask 255.255.255.255

if u get try to do this work around

as long as u want any traffic coming to 1.1.1.10 go to 192.168.3.10

creat an ACL lets say ACL 103

deny all traffic permit in ACL 101 and 102 then permit any

and make it like

static (inside, outside) 1.1.1.10 access-list 103

this way all other traffic not included on both ACLs going to 1.1.1.10 will be translated to 192.168.3.10 which is ur required point in the internet traffic going to that address

good luck

Re: question about NAT on Firewall

cisco24x7 — Sun, 14 Sep 2008 17:28:05 GMT

"as long as u want any traffic coming to 1.1.1.10 go to 192.168.3.10

creat an ACL lets say ACL 103

deny all traffic permit in ACL 101 and 102 then permit any

and make it like

static (inside, outside) 1.1.1.10 access-list 103

I think you're wrong with this one. I

remembered from my previous experiences that

you can NOT have deny statement in the policy NAT ACL. If my memory serves me

correctly, it will not work.

Re: question about NAT on Firewall

Marwan ALshawi — Mon, 15 Sep 2008 00:51:41 GMT

as u like

but i think u need to try it first

no other way to do

only nat with ACLs