Pix v7 - question about NAT exemption

tin.ngo
Level 1

1) I added the following commands to the PIX to allow PAT and everything works fine, i.e. hosts from inside to outside get PATted to X.X.X.X:

nat (inside) 1 access-list NAT_Internet

global (outside) 1 X.X.X.X netmask 255.255.255.255

access-list NAT_Internet extended permit ip host 10.0.0.70 any

access-list NAT_Internet extended permit ip 10.0.1.0 255.255.255.0 any

2) After that I can no longer connect to or receive traffic from inside to network 10.0.4.0 on interface MGT. Error from syslog:

%PIX-3-305006: portmap translation creation failed for tcp src inside:10.0.1.138/1070 dst Mgt:10.0.4.8/22

%PIX-3-305005: No translation group found for udp src Mgt:10.0.4.8/53557 dst inside:10.0.0.70/514

Interface   Name      Security
Ethernet0   outside   0
Ethernet1   inside    100
Ethernet2   Mgt       90

3) The problem was fixed after I added NAT exemption as follows:

nat (inside) 0 access-list EXEMPT_NAT

access-list EXEMPT_NAT extended permit ip host 10.0.0.70 10.0.4.0 255.255.255.0

access-list EXEMPT_NAT extended permit ip 10.0.1.0 255.255.255.0 10.0.4.0 255.255.255.0

I read about NAT exemption, but can someone clarify the following for me?

My first Nat/Global was meant to PAT only for traffic from inside to outside so why do I need to add Nat exemption for traffic to interface Mgt?

What would have happened if I had used identity NAT instead?

3 Replies

igzhuhair
Level 1

If you look carefully at your access-list NAT_Internet, you have allowed all destinations. Hence traffic from inside to any gets PATed to the outside IP [because it will be matched in the nat (inside) 1 statement].

So you will have to be specific about traffic that need not be PATed.

Referring to the command

"global (outside) 1 X.X.X.X netmask 255.255.255.255 "

Doesn't it mean NATting traffic destined for the outside interface only? If not, what is the purpose of the "outside" keyword in the command?

veruscorp
Level 1

Essentially, the firewall must have some sort of translation to refer to, whether it is to NAT or not to NAT. In order for a lower security interface to communicate with a higher security interface, we need to tell the PIX not to NAT packets between these interfaces - to leave all original source/destination information intact.

Your access list that denies NAT between inside and Mgt is one way to accomplish this. You could also perform this with the following static (you still need an access list to allow the traffic you desire from Mgt to inside).

static (inside,mgt) 10.0.1.0 10.0.1.0 255.255.255.0

The statement above maintains the original source address. It seems obscure, yes. It essentially tells the PIX to NAT, but to replace the original source IP with the same IP.

Specific to your question, your Global statement refers only to outside, and is not applied to Mgt. Inside to outside is different and independent from inside to Mgt.

Jamison
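To make the lookup order behind the question and Jamison's last point concrete, here is an added example (not code from the thread or from Cisco) that models how PIX 7 resolves a translation: a nat 0 access-list exemption is consulted first and matches in both directions, and a nat/global pair only yields a translation when a global with the same id exists on the egress interface. The interface names, addresses and the X.X.X.X placeholder are taken from the question; 198.51.100.9 is a constructed internet destination.

```python
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.ip_network


@dataclass
class PixNat:
    """Hypothetical model of the PIX 7 translation lookup (not Cisco code)."""
    exempt: list = field(default_factory=list)     # nat 0 access-list: (src_net, dst_net)
    nat_rules: list = field(default_factory=list)  # nat (if) id access-list: (ingress, id, src_net, dst_net)
    globals_: dict = field(default_factory=dict)   # global (if) id: {(egress, id): mapped_addr}

    def lookup(self, ingress, egress, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. NAT exemption is checked first and matched in both directions,
        #    so Mgt-initiated traffic to inside also passes untranslated.
        for s, d in self.exempt:
            if (src in s and dst in d) or (src in d and dst in s):
                return "exempt"
        # 2. nat/global: a matching nat id still needs a global on the egress
        #    interface; nat (inside) 1 + global (outside) 1 says nothing about Mgt.
        for in_if, nat_id, s, d in self.nat_rules:
            if in_if == ingress and src in s and dst in d:
                mapped = self.globals_.get((egress, nat_id))
                if mapped is None:
                    return "305006 portmap translation creation failed"
                return "pat " + mapped
        return "305005 No translation group found"


def poster_config(with_exemption):
    """Build the configuration from the question; X.X.X.X is the page's placeholder."""
    pix = PixNat()
    for src in (Net("10.0.0.70/32"), Net("10.0.1.0/24")):
        pix.nat_rules.append(("inside", 1, src, Net("0.0.0.0/0")))  # NAT_Internet: ... any
        if with_exemption:
            pix.exempt.append((src, Net("10.0.4.0/24")))             # EXEMPT_NAT
    pix.globals_[("outside", 1)] = "X.X.X.X"
    return pix


def check(with_exemption):
    """Replay the three flows from the question and return the lookup results."""
    pix = poster_config(with_exemption)
    return (pix.lookup("inside", "outside", "10.0.1.138", "198.51.100.9"),  # internet-bound (constructed dst)
            pix.lookup("inside", "Mgt", "10.0.1.138", "10.0.4.8"),           # the failing SSH from the log
            pix.lookup("Mgt", "inside", "10.0.4.8", "10.0.0.70"))            # the failing syslog from the log
```

Running check(False) reproduces both syslog messages from the question, and check(True) shows the same flows passing untranslated while internet-bound traffic is still PATted.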
