Pix 7.x PAT issue

itchampnz
Level 1

Ok, so I have a pair of 515's running 7.04

Basically all users sit on a LAN called Bpoint_users. These users, as they hit their interface, go into a VPN. The only traffic which does not go in the VPN is a file server and a printer.

The traffic going thru the VPN works fine, they get to the whole internet etc. The file server can be accessed unencrypted.

My issue is that to access the printer, I need to PAT them behind the egress interface. So you can see in the below crypto map entry that the traffic to 10.137.20.254 is not encrypted; that all works. The traffic goes out the egress interface as clear text. My problem is that it does not get PAT. I have the nat command along with the global. I have done the exact same thing on version 6.3.4 on other PIXes and it works. I cannot figure out why on this one it will not PAT it; it just sends it out with the original source.

I would appreciate any feedback. I did wonder if once it hit the first default NAT entry it would not go on to the next, but it does in 6.3.4. I cannot add a deny to the NAT 0 ACL as it does not allow that.

Thanks

access-list BPoint_users_nat0_inbound remark ===============================================================
access-list BPoint_users_nat0_inbound remark **** No NAT for outbound traffic ****
access-list BPoint_users_nat0_inbound extended permit ip 10.143.1.128 255.255.255.128 any
access-list BPoint_users_nat0_inbound remark ===============================================================

access-list ivdn_cryptomap_20 remark =======================================================================
access-list ivdn_cryptomap_20 remark **** Traffic to encrypt down tunnel ****
access-list ivdn_cryptomap_20 extended deny tcp 10.143.1.128 255.255.255.128 host 10.143.1.11 object-group TCP_DMZ_File_Server
access-list ivdn_cryptomap_20 extended deny udp 10.143.1.128 255.255.255.128 host 10.143.1.11 object-group UDP_DMZ_File_Server
access-list ivdn_cryptomap_20 extended deny tcp 10.143.1.128 255.255.255.128 host 10.137.20.254 object-group TCP_Dest_Printer_Ports
access-list ivdn_cryptomap_20 extended deny udp 10.143.1.128 255.255.255.128 host 10.137.20.254 object-group UDP_Printer_Ports
access-list ivdn_cryptomap_20 extended permit ip 10.143.1.128 255.255.255.128 any
access-list ivdn_cryptomap_20 remark =======================================================================

access-list BPusers_acl remark =============================================================================
access-list BPusers_acl remark **** ACL for BearingPoint Lan access ****
access-list BPusers_acl extended permit udp 10.143.1.128 255.255.255.128 host 10.143.1.11 object-group UDP_DMZ_File_Server
access-list BPusers_acl extended permit tcp 10.143.1.128 255.255.255.128 host 10.143.1.11 object-group TCP_DMZ_File_Server
access-list BPusers_acl extended deny ip 10.143.1.128 255.255.255.128 host 10.143.1.11
access-list BPusers_acl extended permit ip 10.143.1.128 255.255.255.128 any
access-list BPusers_acl remark =============================================================================

global (ivdn) 1 interface
nat (BPoint_users) 0 access-list BPoint_users_nat0_inbound outside
nat (BPoint_users) 1 access-list nat_aaptprinter
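The poster's suspicion that the first NAT rule to match wins can be checked against the PIX 7.x NAT order of precedence, where NAT exemption (nat 0 access-list) is evaluated before policy NAT (nat 1 access-list). The following is an added example, not code from the thread: a small model of that lookup, run over the nat0 ACL exactly as posted and over a constructed stand-in for the unshown nat_aaptprinter ACL, plus a constructed narrower exemption for comparison. The precedence order and the two constructed ACLs are assumptions, not statements from the thread.

```python
# Added example: model the PIX 7.x NAT order of precedence (exemption before
# policy NAT) to see which rule a user-to-printer flow hits.
# Assumptions: nat 0 access-list is checked first; the nat_aaptprinter ACL
# and the narrow exemption below are constructed for illustration.
from ipaddress import ip_address, ip_network

def _match_net(spec, addr):
    """spec is 'any', 'host A.B.C.D', or 'A.B.C.D M.M.M.M' (PIX-style mask)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec[5:])
    net, mask = spec.split()
    return ip_address(addr) in ip_network(f"{net}/{mask}", strict=False)

def acl_permits(acl, src, dst):
    """acl: list of (action, src_spec, dst_spec); first match wins, implicit deny."""
    for action, s, d in acl:
        if _match_net(s, src) and _match_net(d, dst):
            return action == "permit"
    return False

def nat_decision(exempt_acl, policy_acls, src, dst):
    """Return the NAT rule a flow hits: 'nat 0 (exempt)', 'nat <id>' or 'no match'.
    policy_acls is a list of (nat_id, acl), consulted only if exemption misses."""
    if acl_permits(exempt_acl, src, dst):
        return "nat 0 (exempt)"        # exemption is evaluated first and wins
    for nat_id, acl in policy_acls:
        if acl_permits(acl, src, dst):
            return f"nat {nat_id}"
    return "no match"

BP_USERS = "10.143.1.128 255.255.255.128"
# nat0 ACL as posted: exempts the whole user subnet to any destination
NAT0_AS_POSTED = [("permit", BP_USERS, "any")]
# Constructed stand-in for the poster's unshown nat_aaptprinter ACL
NAT_PRINTER = [("permit", BP_USERS, "host 10.137.20.254")]
# Constructed narrower exemption: only the file server stays un-NATed
NAT0_NARROW = [("permit", BP_USERS, "host 10.143.1.11")]

def compare(src="10.143.1.200", printer="10.137.20.254"):
    """Which rule the printer flow hits with the posted vs. the narrow nat0 ACL."""
    posted = nat_decision(NAT0_AS_POSTED, [(1, NAT_PRINTER)], src, printer)
    narrow = nat_decision(NAT0_NARROW, [(1, NAT_PRINTER)], src, printer)
    return posted, narrow

if __name__ == "__main__":
    print(compare())   # ('nat 0 (exempt)', 'nat 1')
```

With the posted ACL every flow from 10.143.1.128/25 is exempted, so the printer flow never reaches nat 1; with the exemption narrowed to the file server it falls through to the policy NAT rule.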

1 Reply

pradeepde
Level 5

In order to maximize security when you implement Cisco PIX Security Appliance version 7.0, it is important to understand how packets pass between higher security interfaces and lower security interfaces when you use the nat-control, nat, global, static, access-list and access-group commands. This document explains the differences between these commands and how to configure port redirection and the outside Network Address Translation (NAT) features in PIX software version 7.0, with the use of the command line interface or the Adaptive Security Device Manager (ASDM).

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml
