10-06-2008 03:01 AM - edited 03-11-2019 06:53 AM
Hi,
I have a PIX firewall running version 7.x. I have advertised my web/mail servers.
I am doing source-based NAT: I am translating all Internet traffic that accesses the web/email server to one source,
172.28.29.1.
But I am having a problem. If I do the source NAT, the servers are not able to access the Internet, though they are reachable from
the Internet. If I remove the source NAT, they are published and can also browse the Internet. I don't want to allow
any Internet source to access my server. I want only the translated source to enter my internal network.
Below is the configuration:
access-list reverse_nat extended permit ip any host x.x.x.x
nat (outside) 5 access-list reverse_nat outside
global (inside) 5 172.28.29.1 netmask 255.255.255.255
static (inside,outside) x.x.x.x 172.1.2.3 netmask 255.255.255.255
access-list outside_acl extended permit tcp any host x.x.x.x eq www
access-list outside_acl extended permit tcp any host x.x.x.x eq http
Please help me out with how to achieve this and what I am missing.
10-06-2008 11:34 AM
Let's say server 172.1.2.3 wants to access the Internet. The packet goes out and hits the static translation. The IP source is now x.x.x.x and the destination is unchanged, y.y.y.y. When the response gets back, the source is y.y.y.y and the destination is x.x.x.x. It hits your policy NAT and your static NAT. The source is now 172.28.29.1 and the destination is x.x.x.x. Won't work that way...
10-08-2008 04:03 AM
Thanks for the excellent explanation.
Is there any solution or way out to achieve my goal: both server publishing with source NAT and Internet browsing?
10-08-2008 04:50 AM
At first glance, you could do your reverse NAT with a static statement specific to TCP ports 80 and 25. This is now your everyday config, and you might have some problem.
Why are you trying to reverse NAT incoming connections? What kind of attack are you trying to mitigate?
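One way to apply the port-specific reverse NAT suggested in the reply above, written here as an added example (it is not config from either poster). PIX 7.x syntax; x.x.x.x, 172.1.2.3 and 172.28.29.1 are the addresses from the original post, the smtp lines are an assumption based on the "mail server" in the question and the port 25 in the reply, and the access-group line assumes outside_acl is already applied inbound on the outside interface:

```text
! --- As posted: the outside policy NAT ACL matches ANY IP traffic to x.x.x.x.
!     Following the trace in the reply, replies to the server's own outbound
!     connections (destination x.x.x.x, ephemeral destination port) match it
!     too, and their source gets rewritten to 172.28.29.1.
access-list reverse_nat extended permit ip any host x.x.x.x
nat (outside) 5 access-list reverse_nat outside
global (inside) 5 172.28.29.1 netmask 255.255.255.255

! --- Corrected: match only the two published services by destination port.
!     Replies to the server's outbound connections carry a high destination
!     port, so they no longer hit the policy NAT and the static alone applies.
no access-list reverse_nat extended permit ip any host x.x.x.x
access-list reverse_nat extended permit tcp any host x.x.x.x eq www
! smtp assumed from "mail server" / port 25 in the thread
access-list reverse_nat extended permit tcp any host x.x.x.x eq smtp
nat (outside) 5 access-list reverse_nat outside
global (inside) 5 172.28.29.1 netmask 255.255.255.255

! Static for the server itself, unchanged: outbound traffic still leaves as x.x.x.x.
static (inside,outside) x.x.x.x 172.1.2.3 netmask 255.255.255.255

! Interface ACL limited to the same two services (assumed already bound with access-group).
access-list outside_acl extended permit tcp any host x.x.x.x eq www
access-list outside_acl extended permit tcp any host x.x.x.x eq smtp
access-group outside_acl in interface outside
```

Two things to check after applying it: run clear xlate so translations built under the old rules are dropped, then watch show xlate and show conn while a client on the Internet connects to port 80 and while the server browses out. The inbound HTTP/SMTP connection should show a source of 172.28.29.1 on the inside; the server's outbound connection should show only the x.x.x.x static. The inside network must also route 172.28.29.1 back to the PIX inside interface (proxy ARP covers it when the address is in the inside subnet), and the server's web and mail logs will only ever record 172.28.29.1 as the client address, which is the trade-off the last question in the reply is pointing at.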