Solved: Re: Pix Translation overview

alk1000 · ‎10-15-2006

Hi lads,

I'm after an explanation on how to use static and dynamic translation on a PIX. I've read couple of books and few cisco documents but all explain the syntax and its parameter. So now I'm more confused that any other time, as every book explains it in different manner

What I'm after is an overview about this topic. For example if we've the below:

static (outside,inside) 172.16.20.1 192.168.1.1 netmask 255.255.255.255

what does exactly mean?

Does it mean, translate the inside ip address 192.168.1.1 to 172.6.20.1 when it requires outside access? Or does it mean something else.

I understand that it's mandatory to use the translation (dynamic or static) from a low security level to high security level. Also I heard, that you've to either translate or NAT when you go between 2 security levels! Is it true and what are the real rules here?

I'm just after a good document which explains the concepts not the syntax.

If anyone out there came onto such doco, I'd highly appreciate it if they can share the link with me

Cheers,

Daniel

fzamora · ‎10-19-2006

Hi Daniel,

Please read inline:

Requirements from high security level to low security level:

1- Mandatory: Static or Dynamic -preferred- translation

Yes (For code 6.3 you can use static, NAT 0, exemption NAT, NAT/global. Code 7.0 and later you can use ?nat-control? or no ?nat-control?)

2- Optional: Access list allowing the access

Yes (By default all traffic is allowed, if you want to filter access you would use an ACL but remember that ACLs do have an implicit deny at the end)

Requirements from low security level to high security level:

1- Mandatory: Static translation

Yes and No. Instead of using a static translation, you can use exemption NAT for example, it depends of your needs but I do recommend toget use to static translations.

2- Mandatory: Access list allowing the access

Yes

In the above 2 cases we write:

Static (high sec interface, low sec interface) "the ip address to be translate to" "the actual ip address"

i.e static (inside, outside) 172.1.1.1 10.120.1.1 netmask 255.255.255.255

to allow the outside world to access our internal web server using 172.1.1.1 which actually has a local ip address 10.120.1.1

Yes but remember the other 50% of the configuration which is the ACL. Something like:

Access-list allow permit tcp any host 172.1.1.1 eq 80

Access-group allow in interface outside

The first rule allows ?any? host from the public network to access ?172.1.1.1? over TCP on port 80

The second statement applies the rule to the outside interface

The above static command can also be interpreted as: if the box 10.120.1.1 is requiring access to the outside, then translate its ip address to 172.1.1.1, right?

Yes

Now if you need to translate an address (209.165.202.1) on the outside on its way inside (192.168.10.1), we write:

Static(outside, inside) 192.168.10.1 209.165.202.1 netmask 255.255.255.255

That?s called outside NAT and can get a little complicated. Unfortunately there?s no document that explains it properly so let me set one for you and send it later on

The only confusion I had, is with static (inside, outside). I always thought that it's only used in one direction -from inside to outside. i.e. only for outside coming into inside, but as I read it's used in the other direction too.

The static translation rule is bi-directional, so access is allowed from high to low and low to high

Let me know if you need more info.

Franco Zamora

View solution in original post

fzamora · ‎10-15-2006

Hi,

Let me try to explain how it works. The Firewall works with security levels. By default, inside has a security level of 100 and the outside has a security level of 0. Now if you want to pass traffic from a high security level to a low security level (inside to outside) you need a translation.

You can use nat and global, for example:

Nat (inside) 1 0 0

Global (outside) 1 interface

The above means that all the users within the inside interface will be translated in the outside with the IP address of the outside interface. The above translation allows traffic only from the inside to the outside.

If you want an user to initiate a connection from the outside (lower security level) you will need to use a static translation, check below:

Static (inside,outside) mapped_ip real_ip netmask 255.255.255.255

The above statement allows an outside user to initiate a connection to the ?mapped_ip? that will be translated to the ?real_ip?. Besides that, you will need to add an ACL to allow the traffic.

Your statement:

static (outside,inside) 172.16.20.1 192.168.1.1 netmask 255.255.255.255

Is wrong if you want to allow users to connect to 172.16.20.1 from the outside. It should be:

static (inside,outside) 172.16.20.1 192.168.1.1 netmask 255.255.255.255

There are another rules you can use like NAT 0 or NAT 0 with ACLs, self static translations, etc. I will recommend you to check the following document first:

Using nat, global, static, conduit, and access-list Commands and Port Redirection(Forwarding) on PIX

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

More info at:

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/tsd_products_support_series_home.html

Hope it helps

Franco Zamora

alk1000 · ‎10-18-2006

Hi Franco,

Thanks for your reply. As I rated it, it shaded light on many points I wondered about for a while. Your first link is just great.

The below is just a sum up -based on the above link, please correct me if I got it wrong:

Requirements from high security level to low security level:

1- Mandatory: Static or Dynamic -preferred- translation

2- Optional: Access list allowing the access

Requirements from low security level to high security level:

1- Mandatory: Static translation

2- Mandatory: Access list allowing the access

In the above 2 cases we write:

Static (high sec interface, low sec interface) "the ip address to be translate to" "the actual ip address"

i.e static (inside, outside) 172.1.1.1 10.120.1.1 netmask 255.255.255.255

to allow the outside world to access our internal web server using 172.1.1.1 which actually has a local ip address 10.120.1.1

The above static command can also be interpreted as: if the box 10.120.1.1 is requiring access to the outside, then translate its ip address to 172.1.1.1, right?

Now if you need to translate an address (209.165.202.1) on the outside on its way inside (192.168.10.1), we write:

Static(outside, inside) 192.168.10.1 209.165.202.1 netmask 255.255.255.255

The only confusion I had, is with static (inside, outside). I always thought that it's only used in one direction -from inside to outside. i.e. only for outside coming into inside, but as I read it's used in the other direction too.

Thanks Again Franco.

Daniel

fzamora · ‎10-19-2006

Hi Daniel,

Please read inline:

Requirements from high security level to low security level:

1- Mandatory: Static or Dynamic -preferred- translation

Yes (For code 6.3 you can use static, NAT 0, exemption NAT, NAT/global. Code 7.0 and later you can use ?nat-control? or no ?nat-control?)

2- Optional: Access list allowing the access

Yes (By default all traffic is allowed, if you want to filter access you would use an ACL but remember that ACLs do have an implicit deny at the end)

Requirements from low security level to high security level:

1- Mandatory: Static translation

Yes and No. Instead of using a static translation, you can use exemption NAT for example, it depends of your needs but I do recommend toget use to static translations.

2- Mandatory: Access list allowing the access

Yes

In the above 2 cases we write:

Static (high sec interface, low sec interface) "the ip address to be translate to" "the actual ip address"

i.e static (inside, outside) 172.1.1.1 10.120.1.1 netmask 255.255.255.255

to allow the outside world to access our internal web server using 172.1.1.1 which actually has a local ip address 10.120.1.1

Yes but remember the other 50% of the configuration which is the ACL. Something like:

Access-list allow permit tcp any host 172.1.1.1 eq 80

Access-group allow in interface outside

The first rule allows ?any? host from the public network to access ?172.1.1.1? over TCP on port 80

The second statement applies the rule to the outside interface

The above static command can also be interpreted as: if the box 10.120.1.1 is requiring access to the outside, then translate its ip address to 172.1.1.1, right?

Yes

Now if you need to translate an address (209.165.202.1) on the outside on its way inside (192.168.10.1), we write:

Static(outside, inside) 192.168.10.1 209.165.202.1 netmask 255.255.255.255

That?s called outside NAT and can get a little complicated. Unfortunately there?s no document that explains it properly so let me set one for you and send it later on

The only confusion I had, is with static (inside, outside). I always thought that it's only used in one direction -from inside to outside. i.e. only for outside coming into inside, but as I read it's used in the other direction too.

The static translation rule is bi-directional, so access is allowed from high to low and low to high

Let me know if you need more info.

Franco Zamora

dprincipi · ‎10-20-2006

Franco;

A friend and I are wondering exactly aboout a similar scenario as the one described in:

" Static(outside, inside) 192.168.10.1 209.165.202.1 netmask 255.255.255.255

That?s called outside NAT and can get a little complicated. Unfortunately there?s no document that explains it properly so let me set one for you and send it later on

"

I would very much appreciate if you told me if I?m interpreting your answer correctly. This is the sample case-scenario:

Pix w/ 6.3(3) code

3 interfaces:

Inside security 100 (10.0.0.0 /24)

DMZ security 50 (172.17.0.0 /24)

Outside security 0 (192.168.0.0 /28)

web server located on DMZ w/IP address being 172.17.0.80. Statically translated so it?s known from "outside" as 200.200.200.80 and have no problem with that static statement.

The thing is:

We want people from INSIDE to be able to connect to web server through it?s PUBLIC IP address.

static (low, high) high low seems to be a contradiction in terms... ??

Is this achievable ?

Tnks in advance.

Diego

fzamora · ‎10-25-2006

Hi Diego,

Sorry I didn?t answer before. What you want to configure is called Destination NAT.

You have the following:

Static (dmz,outside) 200.200.200.80 172.17.0.80 netmask 255.255.255.255

The above statement allows outside users to connect to the server using the IP address 200.200.200.80

Now if you want your inside users to connect to this server using the public IP as well you need to configure:

Static (dmz,inside) 200.200.200.80 172.17.0.80 netmask 255.255.255.255

And it can be read as follows:

There?s a connection that will be initiated in the inside interface to the IP 200?which is going to be translated in the dmz to the IP of 172.17?

Hope it helps.

Franco Zamora

fzamora · ‎10-25-2006

Almost forgot, your inside users won?t be able to connect to the DMZ server using its private IP address (172.17.0.80)

Franco Zamora

ecouto · ‎10-26-2006

Hi Franco, Still have a doubt about the "Destination NAT", once we do it clients in inside can't go to dmz using the private IPs, they need to use the publics right?

I'm trying to understand what is the difference of using "static" or "alias" for Destination NAT, as far I read the doco, the alias allow you to go the public ip and the private but I'm not sure, did you ever test this?

Thanks,

Emilio

dpopli · ‎10-18-2006

Hi,

Let me try to explain you

Suppose you have a web server in your organization and you want outside users to access this web server which is in your inside network i.e. behind the firewall

The web server has IP addresses one private i.e. 192.168.1.1 and one public 172.16.20.1

Now you need to add static translation for outside users to access inside address i.e. 192.168.1.1 and they can reach 172.16.20.1

so Static (High security Interface, Low security Interface or inside, outside) 172.16.20.1 192.168.1.1 netmask 255.255.255.255 provides this translation

and you need to apply access list on outside interface to let the outside users access your web server

access-list 100 permit tcp any host 192.168.1.1 host eq www

access-group 100 in interface outside

Rate if it helps

ecouto · ‎10-24-2006

I think this is not the problem.

You have a PIX (6.3) with 3 interfaces, outside, dmz and inside.

outside = 172.20.1.0/24

dmz = 192.168.1.0/24

inside = 10.1.1.0/24

Your webserver is 192.168.1.10, this server in internet resolve to www.server.com with the public NATed 200.1.1.10 (block of public IP routed to the pix)

you have the static and ACL to allow internet users to get the site:

static (dmz,outside) 200.1.1.10 172.20.1.10 netmask 255.255.255.255 0 0

access-list acl-outside permit tcp any host 200.1.1.1 eq 80

access-group in interface outside

Then the inside host when go to DMZ network don't are apply nat and nat when go to internet:

nat (inside) 0 access-list nonat

access-list nonat permit ip 10.1.1.0 255.255.255.0 172.20.1.0 255.255.255.0

global (outside) 1 200.1.1.80

nat (inside) 1 0.0.0.0 0.0.0.0

If you don't have an internal DNS server and you use a public one, when you a client (10.1.1.50) put www.server.com in the browser it resolve to 200.1.1.10 and this PIX nat and route the traffic to internet (which is wrong because he has that server in a DMZ).

This can be fixed if you use "dns" parameter in the static. Because the PIX will snoop for DNS response and change it when someone ask for www.server.com to the private IP, will work.

But if you have an internal DNS that have the entry www.server.com with the public you ask locally and the PIX can't snoop the DNS response, so again you can't connect.

This last thing "should" be fixed with "alias" command in the form,

alias (inside) 200.1.1.10 172.20.1.10

The PIX call this "dnat" or destination NAT, but you need to do it for all every server that you want to access.

Any thoughts?

Emilio