topic Pix 506E 6.3(3)need to pass networks without nat translation. in Network Security

Pix 506E 6.3(3)need to pass networks without nat translation.

radutily1 — Mon, 11 Mar 2019 13:34:29 GMT

We use 10.x.x.x network internally. Pix stands between two networks - 10.34.12.0/24 - outside one with security level 0 and 10.34.3.0/24 - inside one with security level 100. I need all ip's from 10.34.3.0 and 10.34.12.0 networks to pass trough firewall without any nat translation. Also network 10.34.12.0 should get access to another 10.x.x.x subnets within corporate network without any nat translations. What is the best way to achieve this?

Re: Pix 506E 6.3(3)need to pass networks without nat translation

Syed Iftekhar Ahmed — Fri, 22 Aug 2008 07:18:54 GMT

Try the following

access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.34.3.0 255.255.255.0

access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list inside_access_out permit ip 10.34.3.0 255.255.255.0 10.34.12.0 255.255.255.0

nat (outside) 0 access-list outside_access_in

nat (inside) 0 access-list inside_access_out

Thanks

Re: Pix 506E 6.3(3)need to pass networks without nat translation

andrew.prince — Fri, 22 Aug 2008 07:21:39 GMT

Use a policy based no-nat translation config.

something like:-

access-list no-nat-internal permit ip 10.34.3.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list no-nat-internal permit ip 10.34.12.0 255.255.255.0 10.0.0.0 255.0.0.0

nat (inside) 0 access-list no-nat-internal

HTH>

Re: Pix 506E 6.3(3)need to pass networks without nat translation

radutily1 — Fri, 22 Aug 2008 07:26:39 GMT

When I apply nat (outside) 0 access-list outside_access_in

I receive the following error message:

WARNING: Specified interface is lowest security interface. This statement

WARNING: is not applicable to any traffic.

And I still not able to get access to hosts on 10.34.12.x net. I think as outside is a lower security level interface only static command can help. What do you think?

Thanks

Re: Pix 506E 6.3(3)need to pass networks without nat translation

andrew.prince — Fri, 22 Aug 2008 07:37:47 GMT

can you post your current config, I think there is some confusing on which side the network's are and the direction of the NAT required?

Re: Pix 506E 6.3(3)need to pass networks without nat translation

Syed Iftekhar Ahmed — Fri, 22 Aug 2008 07:48:48 GMT

Try using

nat (outside) 0 access-list outside_access_in outside

instead of

nat (outside) 0 access-list outside_access_in

Thanks

Re: Pix 506E 6.3(3)need to pass networks without nat translation

radutily1 — Fri, 22 Aug 2008 09:27:13 GMT

Hi guys,

I've implemented such commands on this firewall:

access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.34.3.0 255.255.255.0

access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list inside_access_out permit ip 10.34.3.0 255.255.255.0 10.34.12.0 255.255.255.0

access-list inside_access_out permit ip 10.0.0.0 255.0.0.0 10.34.12.0 255.255.255.0

nat (outside) 0 access-list outside_access_in outside

nat (inside) 0 access-list inside_access_out

But I'm still not able to get access to any hosts from inside to outside. Please find configuration details in attachment.

Re: Pix 506E 6.3(3)need to pass networks without nat translation

andrew.prince — Fri, 22 Aug 2008 09:40:25 GMT

Your access-list and interface IP address make no sense, and are incorrect.

1) What IP subnets are on the inside?

2) What IP subnets are on the outside?

You also have a default route pointing to the inside- why? Are you sure you have inside & outside the correct way around?

Re: Pix 506E 6.3(3)need to pass networks without nat translation

radutily1 — Fri, 22 Aug 2008 09:54:31 GMT

Hi Andrew,

Inside subnet is 10.34.3.0/24

Outside subnet is 10.34.12.0/24

The default route on inside - it's simple a default route to another subnets in our network.

Re: Pix 506E 6.3(3)need to pass networks without nat translation

andrew.prince — Fri, 22 Aug 2008 10:13:32 GMT

OK - so what is the issue?? Are there any other subnets on the outside that you want to connect to?

Re: Pix 506E 6.3(3)need to pass networks without nat translation

andrew.prince — Fri, 22 Aug 2008 10:17:54 GMT

I think I understand now - after re-reading your initial post. Cut and past the config below and re-test:-

no nat (outside) 0 access-list outside_access_in outside

no nat (inside) 0 access-list inside_access_out

no access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.34.3.0 255.255.255.0

no access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.0.0.0 255.0.0.0

no access-list inside_access_out permit ip 10.34.3.0 255.255.255.0 10.34.12.0 255.255.255.0

no access-list inside_access_out permit ip 10.0.0.0 255.0.0.0 10.34.12.0 255.255.255.0

static (inside,outside) 10.34.3.0 10.34.3.0 netmask 255.255.255.0

static (outside,inside) 10.34.12.0 10.34.12.0 netmask 255.255.255.0

HTH>

Re: Pix 506E 6.3(3)need to pass networks without nat translation

radutily1 — Fri, 22 Aug 2008 10:32:07 GMT

Yeah right, this could help but in that case firewall will do proxy arp featute that way it can crash these two networks. It may be a good point to use these static with proxy arp disabled on interfaces, but what to do with other 10.x.x.x networks ?

Re: Pix 506E 6.3(3)need to pass networks without nat translation

andrew.prince — Fri, 22 Aug 2008 10:38:17 GMT

Well you just add static statements per network, or just change the previous suggestion to:-

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

static (outside,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

That way all networks in the 10/8 are the same passing thru the firewall.

HTH>

Re: Pix 506E 6.3(3)need to pass networks without nat translation

radutily1 — Fri, 22 Aug 2008 11:31:49 GMT

Right this one should work with disabled proxy arp:

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

static (outside,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

sysopt noproxyarp outside

sysopt noproxyarp inside

Guys from that site have already left - will check on Monday ond provide you results.

Re: Pix 506E 6.3(3)need to pass networks without nat translation

radutily1 — Tue, 26 Aug 2008 05:36:37 GMT

Hi Guys. These configuration rows with disabled proxy arp resolved my problem.

Re: Pix 506E 6.3(3)need to pass networks without nat translation

andrew.prince — Tue, 26 Aug 2008 08:16:12 GMT

np - glad to help