10-15-2006 08:43 PM - edited 02-21-2020 01:14 AM
Hi lads,
I'm after an explanation of how to use static and dynamic translation on a PIX. I've read a couple of books and a few Cisco documents, but they all explain the syntax and its parameters. So now I'm more confused than at any other time, as every book explains it in a different manner.
What I'm after is an overview about this topic. For example if we've the below:
static (outside,inside) 172.16.20.1 192.168.1.1 netmask 255.255.255.255
what does exactly mean?
Does it mean: translate the inside IP address 192.168.1.1 to 172.16.20.1 when it requires outside access? Or does it mean something else?
I understand that it's mandatory to use a translation (dynamic or static) from a low security level to a high security level. Also I heard that you have to either translate or NAT when you go between 2 security levels! Is it true, and what are the real rules here?
I'm just after a good document which explains the concepts not the syntax.
If anyone out there came across such a doco, I'd highly appreciate it if they could share the link with me.
Cheers,
Daniel
10-19-2006 09:07 PM
Hi Daniel,
Please read inline:
Requirements from high security level to low security level:
1- Mandatory: Static or Dynamic -preferred- translation
Yes (For code 6.3 you can use static, NAT 0, exemption NAT, NAT/global. Code 7.0 and later you can use "nat-control" or no "nat-control")
2- Optional: Access list allowing the access
Yes (By default all traffic is allowed, if you want to filter access you would use an ACL but remember that ACLs do have an implicit deny at the end)
Requirements from low security level to high security level:
1- Mandatory: Static translation
Yes and No. Instead of using a static translation, you can use exemption NAT for example; it depends on your needs, but I do recommend getting used to static translations.
2- Mandatory: Access list allowing the access
Yes
In the above 2 cases we write:
static (high sec interface, low sec interface) "the ip address to be translated to" "the actual ip address"
i.e static (inside, outside) 172.1.1.1 10.120.1.1 netmask 255.255.255.255
to allow the outside world to access our internal web server using 172.1.1.1 which actually has a local ip address 10.120.1.1
Yes but remember the other 50% of the configuration which is the ACL. Something like:
Access-list allow permit tcp any host 172.1.1.1 eq 80
Access-group allow in interface outside
The first rule allows "any" host from the public network to access "172.1.1.1" over TCP on port 80
The second statement applies the rule to the outside interface
The above static command can also be interpreted as: if the box 10.120.1.1 is requiring access to the outside, then translate its ip address to 172.1.1.1, right?
Yes
Now if you need to translate an address (209.165.202.1) on the outside on its way inside (192.168.10.1), we write:
Static(outside, inside) 192.168.10.1 209.165.202.1 netmask 255.255.255.255
That's called outside NAT and can get a little complicated. Unfortunately there's no document that explains it properly, so let me set one up for you and send it later on.
The only confusion I had, is with static (inside, outside). I always thought that it's only used in one direction -from inside to outside. i.e. only for outside coming into inside, but as I read it's used in the other direction too.
The static translation rule is bi-directional, so access is allowed from high to low and low to high
Let me know if you need more info.
Franco Zamora
10-15-2006 09:00 PM
Hi,
Let me try to explain how it works. The firewall works with security levels. By default, inside has a security level of 100 and outside has a security level of 0. Now if you want to pass traffic from a high security level to a low security level (inside to outside) you need a translation.
You can use nat and global, for example:
nat (inside) 1 0 0
global (outside) 1 interface
The above means that all the users behind the inside interface will be translated on the outside to the IP address of the outside interface. The above translation allows traffic only from the inside to the outside.
If you want a user to initiate a connection from the outside (lower security level) you will need to use a static translation, check below:
static (inside,outside) mapped_ip real_ip netmask 255.255.255.255
The above statement allows an outside user to initiate a connection to the "mapped_ip" that will be translated to the "real_ip". Besides that, you will need to add an ACL to allow the traffic.
Your statement:
static (outside,inside) 172.16.20.1 192.168.1.1 netmask 255.255.255.255
Is wrong if you want to allow users to connect to 172.16.20.1 from the outside. It should be:
static (inside,outside) 172.16.20.1 192.168.1.1 netmask 255.255.255.255
There are other options you can use, like NAT 0 or NAT 0 with ACLs, self static translations, etc. I would recommend that you check the following document first:
Using nat, global, static, conduit, and access-list Commands and Port Redirection(Forwarding) on PIX
More info at:
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/tsd_products_support_series_home.html
Hope it helps
Franco Zamora
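To make the two rules in this answer concrete, here is a complete two-interface PIX 6.3 configuration built around the addresses from the question. It is an added worked example, not the reply's or Cisco's own configuration; the interface addresses, the next-hop router 172.16.20.254 and the ACL name outside_in are invented for the example. On the PIX a line beginning with ":" is a comment.

```cisco
: Added example configuration (constructed, not from the original post).
: Assumed/invented: interface addresses, next hop 172.16.20.254, ACL name outside_in.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 172.16.20.2 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.16.20.254 1
:
: 1) High -> low (inside -> outside): a translation is mandatory, an ACL is optional.
:    nat/global is dynamic PAT: every inside host leaves with the address of the
:    outside interface. Connections can only be started from the inside.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
:
: 2) Low -> high (outside -> inside): a static translation AND an ACL are both mandatory.
:    Syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip
:    The web server 192.168.1.1 is published on the outside as 172.16.20.1.
:    The static is bidirectional: 192.168.1.1 also leaves as 172.16.20.1 instead of
:    the PAT address above, because a static wins over nat/global for that host.
static (inside,outside) 172.16.20.1 192.168.1.1 netmask 255.255.255.255 0 0
:
: On 6.3 an ACL applied to the outside interface matches the MAPPED address
: (172.16.20.1), never the real one. Everything not permitted here is dropped
: by the implicit deny at the end of the list.
access-list outside_in permit tcp any host 172.16.20.1 eq www
access-group outside_in in interface outside
:
: Alternative to a translation for hosts that must keep their real address
: (NAT exemption, "nat 0 access-list"): matching traffic passes untranslated.
: Only useful when the outside router can route 192.168.1.0/24 back to the PIX.
: access-list nonat permit ip 192.168.1.0 255.255.255.0 any
: nat (inside) 0 access-list nonat
```

After applying it, `show xlate` lists the static entry for 192.168.1.1 permanently and a PAT entry per active inside connection, and `show access-list` shows a hit count on the outside_in line once an outside client has connected to port 80. No ACL is applied to the inside interface: inside (100) to outside (0) is high to low, so only the translation is required.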
10-18-2006 06:17 PM
Hi Franco,
Thanks for your reply. As I rated it, it shed light on many points I had wondered about for a while. Your first link is just great.
The below is just a sum up -based on the above link, please correct me if I got it wrong:
Requirements from high security level to low security level:
1- Mandatory: Static or Dynamic -preferred- translation
2- Optional: Access list allowing the access
Requirements from low security level to high security level:
1- Mandatory: Static translation
2- Mandatory: Access list allowing the access
In the above 2 cases we write:
static (high sec interface, low sec interface) "the ip address to be translated to" "the actual ip address"
i.e static (inside, outside) 172.1.1.1 10.120.1.1 netmask 255.255.255.255
to allow the outside world to access our internal web server using 172.1.1.1 which actually has a local ip address 10.120.1.1
The above static command can also be interpreted as: if the box 10.120.1.1 is requiring access to the outside, then translate its ip address to 172.1.1.1, right?
Now if you need to translate an address (209.165.202.1) on the outside on its way inside (192.168.10.1), we write:
Static(outside, inside) 192.168.10.1 209.165.202.1 netmask 255.255.255.255
The only confusion I had, is with static (inside, outside). I always thought that it's only used in one direction -from inside to outside. i.e. only for outside coming into inside, but as I read it's used in the other direction too.
Thanks Again Franco.
Daniel
10-20-2006 05:23 PM
Franco;
A friend and I are wondering about exactly a similar scenario to the one described in:
" static (outside, inside) 192.168.10.1 209.165.202.1 netmask 255.255.255.255
That's called outside NAT and can get a little complicated. Unfortunately there's no document that explains it properly so let me set one up for you and send it later on "
I would very much appreciate it if you told me whether I'm interpreting your answer correctly. This is the sample scenario:
Pix w/ 6.3(3) code
3 interfaces:
Inside security 100 (10.0.0.0 /24)
DMZ security 50 (172.17.0.0 /24)
Outside security 0 (192.168.0.0 /28)
A web server located on the DMZ with IP address 172.17.0.80, statically translated so it's known from "outside" as 200.200.200.80, and I have no problem with that static statement.
The thing is:
We want people from INSIDE to be able to connect to the web server through its PUBLIC IP address.
static (low, high) high low seems to be a contradiction in terms... ??
Is this achievable ?
Thanks in advance.
Diego
10-25-2006 07:19 PM
Hi Diego,
Sorry I didn't answer before. What you want to configure is called Destination NAT.
You have the following:
Static (dmz,outside) 200.200.200.80 172.17.0.80 netmask 255.255.255.255
The above statement allows outside users to connect to the server using the IP address 200.200.200.80
Now if you want your inside users to connect to this server using the public IP as well you need to configure:
Static (dmz,inside) 200.200.200.80 172.17.0.80 netmask 255.255.255.255
And it can be read as follows:
There's a connection that will be initiated on the inside interface to the IP 200... which is going to be translated on the dmz to the IP 172.17...
Hope it helps.
Franco Zamora
10-25-2006 07:22 PM
Almost forgot, your inside users won't be able to connect to the DMZ server using its private IP address (172.17.0.80)
Franco Zamora
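The complete three-interface configuration for Diego's scenario, with the Destination NAT static from this reply in place, as an added worked example (constructed for this page, not Franco's or Cisco's own configuration). The PIX interface addresses, the next hop 192.168.0.14 and the ACL name outside_in are invented; the public block 200.200.200.0/24 is assumed to be routed to the PIX. Lines beginning with ":" are comments.

```cisco
: Added example configuration (constructed, not from the original posts).
: Assumed/invented: interface addresses, next hop 192.168.0.14, ACL name outside_in.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.168.0.1 255.255.255.240
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.17.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.0.14 1
:
: High -> low traffic from the inside: dynamic PAT to the interface address of
: whichever lower interface the packet leaves on. Without a global on the dmz,
: inside -> dmz would have no translation and would be dropped on 6.3.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
global (dmz) 1 interface
:
: Publish the DMZ server to the Internet: static plus an ACL on the outside
: that matches the mapped (public) address.
static (dmz,outside) 200.200.200.80 172.17.0.80 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 200.200.200.80 eq www
access-group outside_in in interface outside
:
: Destination NAT: the same public address is also published toward the inside.
: Read as: a connection started on the inside to 200.200.200.80 has its
: destination rewritten to 172.17.0.80 on the dmz. No inside ACL is needed,
: because inside (100) -> dmz (50) is high -> low. Side effect stated in this
: thread: with this static in place, inside hosts must use 200.200.200.80;
: 172.17.0.80 is no longer reachable from the inside.
static (dmz,inside) 200.200.200.80 172.17.0.80 netmask 255.255.255.255 0 0
```

`show xlate` shows both statics as permanent entries and, while an inside client is connected, a PAT entry on the dmz interface for that client. Where the only problem is name resolution (inside clients learning 200.200.200.80 from an external DNS server whose replies pass through the PIX), the `dns` keyword on the static (dmz,outside) line makes the PIX rewrite the A record in those replies to 172.17.0.80, which avoids the second static; it cannot help when the reply comes from an internal DNS server the PIX never sees.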
10-26-2006 01:01 AM
Hi Franco, I still have a doubt about the "Destination NAT": once we do it, clients on the inside can't go to the DMZ using the private IPs, they need to use the public ones, right?
I'm trying to understand what the difference is between using "static" or "alias" for Destination NAT. As far as I read the doco, alias allows you to go to the public IP and the private one, but I'm not sure. Did you ever test this?
Thanks,
Emilio
10-18-2006 02:04 AM
Hi,
Let me try to explain it to you.
Suppose you have a web server in your organization and you want outside users to access this web server, which is in your inside network, i.e. behind the firewall.
The web server has two IP addresses: one private, i.e. 192.168.1.1, and one public, 172.16.20.1.
Now you need to add a static translation so that outside users can access the inside address, i.e. 192.168.1.1, by reaching 172.16.20.1.
So static (High security Interface, Low security Interface, or inside, outside) 172.16.20.1 192.168.1.1 netmask 255.255.255.255 provides this translation,
and you need to apply an access list on the outside interface to let the outside users access your web server (the ACL matches the mapped address, 172.16.20.1):
access-list 100 permit tcp any host 172.16.20.1 eq www
access-group 100 in interface outside
Rate if it helps
10-24-2006 02:59 AM
I think this is not the problem.
You have a PIX (6.3) with 3 interfaces, outside, dmz and inside.
outside = 172.20.1.0/24
dmz = 192.168.1.0/24
inside = 10.1.1.0/24
Your web server is 192.168.1.10; on the Internet this server resolves as www.server.com to the public NATed address 200.1.1.10 (a block of public IPs routed to the PIX).
you have the static and ACL to allow internet users to get the site:
static (dmz,outside) 200.1.1.10 172.20.1.10 netmask 255.255.255.255 0 0
access-list acl-outside permit tcp any host 200.1.1.10 eq 80
access-group acl-outside in interface outside
Then inside hosts are not NATed when they go to the DMZ network, and are NATed when they go to the Internet:
nat (inside) 0 access-list nonat
access-list nonat permit ip 10.1.1.0 255.255.255.0 172.20.1.0 255.255.255.0
global (outside) 1 200.1.1.80
nat (inside) 1 0.0.0.0 0.0.0.0
If you don't have an internal DNS server and you use a public one, when a client (10.1.1.50) puts www.server.com in the browser it resolves to 200.1.1.10, and the PIX NATs and routes the traffic to the Internet (which is wrong, because that server is in a DMZ).
This can be fixed if you use the "dns" parameter in the static, because the PIX will snoop the DNS response and change it to the private IP when someone asks for www.server.com, so it will work.
But if you have an internal DNS server that has the entry www.server.com with the public IP, you resolve it locally and the PIX can't snoop the DNS response, so again you can't connect.
This last thing "should" be fixed with the "alias" command in the form:
alias (inside) 200.1.1.10 172.20.1.10
The PIX calls this "dnat" or destination NAT, but you need to do it for every server that you want to access.
Any thoughts?
Emilio