NAT one-to-one PIX515e

Federico Olivieri · ‎07-12-2015

Hi Guys,

I'm new in Firewall environment and I'm trying to make me an experience.

Basically, I have a cisco 887 router where I have connected a PIX 515e firewall. Behind that I have a server. My cisco router does NAT 192.168.0.0/24 and my PIX's eth0 interface (outside) has 192.168.0.3. On eht1 PIX interface (inside) I have 172.16.0.1 where I have a server with IP 172.16.0.3. Below the diagram:

SERVER --------------------PIX-------------------CISCO

172.16.0.3 ----172.16.0.1/192.168.0.3----192.168.0.1

Basically, I would that ALL requests from devices in 192.168.0.0/24 subnet to 192.168.0.3 (eth0 PIX interface) are redirect to my server 172.16.0.3 (NATone-to-one)

I thought that the conf was similar to cisco router but it isn't

Any suggestion?

Thanks!

Puneesh Chhabra · ‎07-12-2015

You can do that, however it is not a good practice.

It is suggested to do Port address translation on the interface of the firewall.

For eg:

Static PAT Example:

In order to redirect Telnet traffic from the outside interface (10.1.2.14) to the inside host at 10.1.1.15, enter this command:

hostname(config)#static (inside, outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask 255.255.255.255

Similarly, you can use any port instead of telnet in the above example.

The static PAT command is the same as static NAT, except it allows for the specification of the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP) and the port for the real and mapped addresses.

The static PAT feature can identify the same mapped address across many different static statements, so long as the port is different for each statement.

Regards,

Puneesh

If you find the answer helpful, please mark it as correct so others can benefit from the discussion.

Federico Olivieri · ‎07-13-2015

Hi Puneesh.

Thank you very much for your reply.

Do you know what it changes if instead to write (inside, outside) I write (outside,inside)?

Why the first description is "inside" and it refers to the outside IP?

I don't know if I gave been clear

Thank You

Federico

Puneesh Chhabra · ‎07-13-2015

Here's the syntax:

static (real_interface,mapped_interface) {tcp | udp} {mapped_ip | interface} mapped_port access-list acl_name [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

So, if you do static (outside,inside), you will have real IP and than mapped IP

Eg:

To NAT the outside host to an inside address::

static (outside,inside) 10.10.10.10 1.1.1.1

To NAT the inside host to outside IP:

static (inside,outside) 1.1.1.1 10.10.10.10

And most importantly, static NAT is bidirectional

Regards,

Puneesh

Federico Olivieri · ‎07-13-2015

Hi Puneesh.

Unfortunatelly, if I configure a NAT for single service (interface ssh ipaddr ssh) I' m not able to get access to the default gateway 192.168.0.1. It seems that PIX doesn't perform NAT from 172.16.0.3 (eth1) to 192.168.0.3 (eth0) . It works only with NAT one-to-one. Most probably there is something wrong with my configuration and double NAT.

Thank you for your time,

Federico