06-27-2007 01:16 PM - last edited on 03-25-2019 05:37 PM by ciscomoderator
Hi,
I'm trying to get my head around NAT etc.
I am writing new code onto a new PIX. On the original PIX 6.3 I used access-lists and bound them to interface cards for all traffic flow.
On the new PIX 7.2 I have Policy NAT on dynamic NAT traffic - under the impression it's a better way of doing it and easier to admin? However I have read I still need to bind an access-list to each interface for them to work?? So should I policy NAT dynamic NAT traffic and use access-lists on the interface for the static NAT info? Or should I use access-lists, binding them to all static and dynamic NAT pools, and have a blank access-list for the interfaces??
Or should I just do it the way I used to??
What's the difference - are some ways slower than others for processing??
Thanks
Ed
06-28-2007 02:06 AM
Is it that policy NAT should only be used if you need to change the IP based on destination?
You see, the problem I'm having is - it seems more logical to me to have the ACL attached to the NAT groups to keep them together, plus it must be faster to process as it doesn't have to go through all the other interface ACLs??
Thanks
Ed
07-01-2007 09:21 AM
Hi,
I have configured this on my PIX 7.2 - however it doesn't work - in the end I had to add it to the access-list which was bound to my interface. Can someone explain why this is please??
More Info:
I have configured:
access-list Corp extended permit tcp 10.10.10.0 255.255.255.0 any eq https
access-list Corp extended permit tcp 10.10.10.0 255.255.255.0 any eq www
access-list Corp extended permit tcp 10.10.10.0 255.255.255.0 any eq domain
nat-control
global (outside) 1 192.168.10.81-192.168.251.94 netmask 255.255.255.240
nat (inside) 1 access-list Corp
Thanks
Ed
07-01-2007 10:10 AM
Hi Ed
Policy NAT is usually used when you want to change the source IP address based on where it is going to, e.g.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
access-list pnat permit ip host 192.168.5.1 host 217.22.67.81
nat (inside) 2 access-list pnat
global (outside) 2 194.67.1.77
The above says for all outbound traffic translate the source IP addresses to the outside interface IP address. So if host 192.168.5.1 sends traffic to any outside host, translate it to the outside IP of your PIX
UNLESS
the source is 192.168.5.1 and the destination is 217.22.67.81 in which case translate 192.168.5.1 to 194.67.1.77.
A more common occurrence of policy NAT is when you want to do a NAT exemption for traffic going down a VPN tunnel.
Personally I would always use the access-lists on the interfaces to restrict and allow traffic and use policy NAT purely for address translation.
HTH
Jon
07-01-2007 11:26 AM
Hi,
Thanks for this - you're very helpful on these forums!!
So just to check, I should use remarks to separate the access-list, not policy NATs. This is why I was mainly using them.
It's just as secure using access-lists bound to interfaces??
One more question: I added lists such as
access-list Test extended permit tcp host 10.1.1.1 eq smtp any eq smtp
but this didn't work - I assume that all client traffic going out from a PC uses dynamic ports above 1024 and it's only received traffic which is static??
Thanks
Ed
07-01-2007 11:35 AM
Ed
Thanks.
Not sure I follow what you mean about using remarks rather than policy NAT. Could you elaborate?
Your Test access-list: if 10.1.1.1 is a client talking SMTP to a server then yes, the source port from the client will be a random source port above 1024.
HTH
Jon
07-01-2007 01:06 PM
Hi,
Well, I was trying to use the policy NAT to separate all the ACLs to make them easy to read, i.e. Corporate ACL on one NAT and Office on another.
But I assume that's not what it's for, reading the post you added here. I got the wrong end of the stick...? I assume I just use remark statements to separate the ACL lines....
Is there a list that documents the client-to-server ports, or is it okay to just say from any port to this port... security wise???
Just trying to make things as secure as possible... I'm a perfectionist - not one of my best traits ;)
Thanks Again
Ed
07-01-2007 01:13 PM
The ports that clients open to source traffic from are typically called ephemeral ports, which range from 1024 to 5000. When writing your access-list entries you should leave the source port out of the equation and only define the destination port.
07-01-2007 02:30 PM
Ed
I understand now, thanks for the additional info. In my opinion, yes, you would be better off using remarks within your access-list to separate your different groups, as using policy NAT for this when you are not trying to NAT these groups to different addresses might well confuse the next person who has to manage this device.
Jon
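Editor's note: the following is an added example, not code from anyone in this thread. It is a small Python model of how a PIX 7.x handles an inside-to-outside flow, written to make three points in the thread concrete: Jon's two-rule policy NAT example (the specific policy rule wins over the general dynamic NAT rule), Ed's Corp configuration (the access-list named in a nat statement only selects what gets translated; the access-list bound to the interface is what permits or denies, and with nat-control a permitted flow that matches no nat rule is still dropped), and the "eq smtp any eq smtp" entry that never matches a client whose source port is ephemeral. The outside interface address 198.51.100.1, the destination hosts 93.184.216.34 and 192.0.2.25, the client source ports and the single mapped address 192.168.10.81 (first address of Ed's global pool) are constructed for the example. The rule ordering is simplified: policy NAT before regular dynamic NAT, and configuration order within each class.

```python
# Added example: toy model of PIX 7.x interface ACL + NAT evaluation for an
# inside-to-outside flow. Not the thread's code; addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class ACE:
    """One access-list entry; a port of None means 'any port'."""
    proto: str                    # "ip", "tcp" or "udp"
    src: str                      # CIDR ("host x.x.x.x" is written x.x.x.x/32)
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (self.proto in ("ip", f.proto)
                and ip_address(f.src) in ip_network(self.src, strict=False)
                and ip_address(f.dst) in ip_network(self.dst, strict=False)
                and self.sport in (None, f.sport)
                and self.dport in (None, f.dport))


def acl_permits(acl: List[Tuple[str, ACE]], f: Flow) -> bool:
    """First matching entry wins; every access-list ends in an implicit deny."""
    for action, ace in acl:
        if ace.matches(f):
            return action == "permit"
    return False


@dataclass(frozen=True)
class NatRule:
    """nat (inside) <id> ... paired with global (outside) <id> <mapped>.
    acl set  -> policy NAT: translate only the traffic the access-list selects.
    acl None -> regular dynamic NAT for every inside source."""
    nat_id: int
    mapped: str                   # mapped address, or "interface"
    acl: Optional[List[ACE]] = None


class Pix:
    def __init__(self, inside_acl, nat_rules, nat_control, outside_ip):
        self.inside_acl = inside_acl
        self.nat_rules = nat_rules
        self.nat_control = nat_control
        self.outside_ip = outside_ip

    def forward(self, f: Flow) -> Tuple[str, Optional[str]]:
        """Return (verdict, mapped source address or None if dropped)."""
        # 1. The access-list bound to the ingress interface is checked first.
        if not acl_permits(self.inside_acl, f):
            return ("denied by interface access-list", None)
        # 2. Policy NAT is tried before regular dynamic NAT, so the more
        #    specific rule wins regardless of its NAT ID (simplified ordering).
        policy = [r for r in self.nat_rules if r.acl is not None]
        regular = [r for r in self.nat_rules if r.acl is None]
        for r in policy + regular:
            if r.acl is None or any(a.matches(f) for a in r.acl):
                mapped = self.outside_ip if r.mapped == "interface" else r.mapped
                return (f"translated by nat {r.nat_id}", mapped)
        # 3. No translation found: nat-control drops the flow, otherwise it
        #    leaves with its real source address.
        if self.nat_control:
            return ("dropped: no translation group found (nat-control)", None)
        return ("passed untranslated", f.src)


def jons_policy_nat() -> Tuple[str, str]:
    """Jon's example: nat 1 to the interface address, nat 2 policy NAT."""
    pix = Pix(inside_acl=[("permit", ACE("ip", ANY, ANY))],
              nat_rules=[NatRule(1, "interface"),
                         NatRule(2, "194.67.1.77",
                                 acl=[ACE("ip", "192.168.5.1/32", "217.22.67.81/32")])],
              nat_control=False, outside_ip="198.51.100.1")   # assumed outside IP
    special = pix.forward(Flow("192.168.5.1", "217.22.67.81", dport=443))
    other = pix.forward(Flow("192.168.5.1", "8.8.8.8", dport=443))
    return special[1], other[1]


def eds_corp_nat(www_in_interface_acl: bool):
    """Ed's Corp policy NAT with nat-control, behind an interface access-list
    that permits SMTP and, optionally, WWW."""
    corp = [ACE("tcp", "10.10.10.0/24", ANY, dport=p) for p in (443, 80, 53)]
    inside_acl = [("permit", ACE("tcp", "10.10.10.0/24", ANY, dport=25))]
    if www_in_interface_acl:
        inside_acl.append(("permit", ACE("tcp", "10.10.10.0/24", ANY, dport=80)))
    pix = Pix(inside_acl, [NatRule(1, "192.168.10.81", acl=corp)],
              nat_control=True, outside_ip="198.51.100.1")
    web = pix.forward(Flow("10.10.10.5", "93.184.216.34", sport=49152, dport=80))
    mail = pix.forward(Flow("10.10.10.5", "93.184.216.34", sport=49153, dport=25))
    return web, mail


def source_port_pitfall() -> Tuple[bool, bool]:
    """'permit tcp host 10.1.1.1 eq smtp any eq smtp' never matches a client,
    whose source port is ephemeral; leaving the source port out does."""
    client = Flow("10.1.1.1", "192.0.2.25", sport=49152, dport=25)
    strict = ACE("tcp", "10.1.1.1/32", ANY, sport=25, dport=25)
    loose = ACE("tcp", "10.1.1.1/32", ANY, dport=25)
    return strict.matches(client), loose.matches(client)


if __name__ == "__main__":
    print(jons_policy_nat())
    print(eds_corp_nat(False), eds_corp_nat(True))
    print(source_port_pitfall())
```

Run as a script it prints the three outcomes. The Corp case is the one worth staring at: with WWW missing from the interface access-list the web flow is denied before NAT is ever consulted, which is exactly Ed's symptom, and the SMTP flow that the interface access-list does permit is still dropped because the Corp access-list never selects it for translation and nat-control is on. The two lists have to agree, which is why Jon's advice is to filter on the interface and use policy NAT only for translation.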