10-16-2007 11:24 AM - edited 03-11-2019 04:26 AM
Hi everyone,
I have just updated a PIX 525 from software version 6x to 8x.
I have a question on how PDM in version 6x automatically converted access-lists so they worked with outside NAT addresses, but in version 8x (using ASDM) this is not the case. This is causing me a major headache!
So previously in version 6x:
I created a NAT rule in PDM to translate the internal IP to external:
Inside server IP - 192.168.1.1
Outside NAT IP - 206.45.18.189
Resulting in:
static (inside,outside) 206.45.18.189 192.168.1.1 netmask 255.255.255.255
I then created a new access rule in PDM to permit traffic from the outside to 192.168.1.1 on the inside for any host.
The resulting access-list visible in the config is:
access-list outside_access_in extended permit ip any host 206.45.18.189
Note how PDM has taken the inside address I specified and replaced it with the valid outside NAT address. This worked a treat!
Unfortunately in version 8 using ASDM, if you permit access to an inside address from the outside (even if a valid (inside,outside) NAT rule is in place) you get this in the config:
access-list outside_access_in extended permit ip any host 192.168.1.1
It seems something major has changed! I have also noticed version 6x created "reference" groups if you allowed access to an inside network "object-group":
For example, you permit access to an inside group:
object-group network INSIDE-SERVERS
network-object 192.168.1.1
network-object 192.168.1.2
network-object 192.168.1.3
And PDM automatically creates a "reference" (_ref) group that uses the valid outside NAT addresses:
object-group network INSIDE-SERVERS_ref
network-object 206.45.18.189
network-object 206.45.18.190
network-object 206.45.18.191
The group ending in "_ref" is the one used in inbound access-lists.
Version 6 really did work its magic; has this useful "feature" disappeared in version 8x?
Many thanks for your time,
Paul
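An added audit script, not from this thread or from Cisco, for the mismatch Paul describes: on PIX/ASA releases before 8.3, an ACL applied inbound on the outside interface must name the mapped (outside) address from the `static`, so an entry naming the real inside address never matches traffic. It parses `static`, `access-list` and `access-group` lines, and the sample config is constructed from the thread's addresses; the function names are assumptions.

```python
import re

# Constructed sample config modelled on the thread (real 192.168.1.1 is
# translated to 206.45.18.189); not copied from any real device.
SAMPLE_CONFIG = """\
static (inside,outside) 206.45.18.189 192.168.1.1 netmask 255.255.255.255
static (inside,outside) 206.45.18.190 192.168.1.2 netmask 255.255.255.255
access-list outside_access_in extended permit ip any host 192.168.1.1
access-list outside_access_in extended permit tcp any host 206.45.18.190 eq 80
access-list outside_access_in extended permit ip any host 10.9.9.9
access-group outside_access_in in interface outside
"""

# Pre-8.3 syntax: static (real_if,mapped_if) MAPPED REAL netmask MASK
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) extended (?:permit|deny) \S+ "
                    r"(?:any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def parse_statics(config):
    """{(real_if, mapped_if): {real_ip: mapped_ip}} from static lines."""
    statics = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real_if, mapped_if, mapped_ip, real_ip = m.groups()
            statics.setdefault((real_if, mapped_if), {})[real_ip] = mapped_ip
    return statics

def inbound_acls(config):
    """{interface: acl_name} from 'access-group NAME in interface IF' lines."""
    matches = (GROUP_RE.match(ln.strip()) for ln in config.splitlines())
    return {m.group(2): m.group(1) for m in matches if m}

def audit(config):
    """Return [(acl_line, mapped_ip)] for inbound entries whose 'host' destination
    is a real address that a static translates on that interface. Before 8.3 the
    ACL must name the mapped address, so such an entry never matches traffic."""
    statics, acls = parse_statics(config), inbound_acls(config)
    findings = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or not m.group(2).startswith("host "):
            continue
        acl_name, dst_ip = m.group(1), m.group(2).split()[1]
        for (_, mapped_if), table in statics.items():
            if acls.get(mapped_if) == acl_name and dst_ip in table:
                findings.append((line.strip(), table[dst_ip]))
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags only the entry that names 192.168.1.1 and reports 206.45.18.189 as the address the ACL should carry; entries already using the mapped address or with no static at all are left alone.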
10-17-2007 06:02 AM
Something isn't right here. The statement:
static (inside,outside) 206.45.18.189 192.168.1.1 netmask 255.255.255.255
is backwards. It should be:
static (inside,outside) 192.168.1.1 206.45.18.189 netmask 255.255.255.255
with an accompanying ACL:
access-list outside_access_in extended permit ip any host 192.168.1.1
I would have to say there is some mis-configuration that is creating these rules backwards.
The _ref thing is a PDM issue in itself.
10-17-2007 06:25 AM
noran01, are you sure about that? What you said it should be is not correct. It should be...
static (inside,outside) 206.45.18.189 192.168.1.1 netmask 255.255.255.255
access-list outside_access_in extended permit ip any host 206.45.18.189