09-11-2008 09:47 AM - edited 03-11-2019 06:43 AM
I do not have a PIX firewall to test with at the moment, so I am going to ask the experts in the forum whether this is possible:
I have a host on the "inside" interface with an IP address of 192.168.3.10
PIX firewall "inside" IP address is 192.168.3.1/28
PIX firewall "outside" IP address is 1.1.1.1/28
PIX firewall default gateway is 1.1.1.14
I have the following in the configuration:
static (inside,outside) 1.1.1.10 192.168.3.10 netmask 255.255.255.255 dns
access-list External permit ip any any log
access-list Internal permit ip any any log
access-group External in interface outside
access-group Internal in interface inside
Now here are my requirements:
1- Internet users will get to this host via 1.1.1.10,
2- telnet, ssh and smtp traffic originating from host 192.168.3.10 going to 64.100.1.0/24 and 192.95.25.0/24 will be NATted to 1.1.1.10,
2- telnet, ssh and smtp traffic originating from host 192.168.3.10 going to ANY will be NATted to the PIX firewall's external interface (1.1.1.1),
3- http and https traffic originating from host 192.168.3.10 going to 72.1.100.0/24 will be NATted to 1.1.1.10,
4- http and https traffic originating from host 192.168.3.10 going to ANY will be NATted to the firewall's external interface (1.1.1.1).
Is this possible? If so, how?
Thanks.
09-11-2008 10:31 AM
That's a tough one. Hope I got this right.
access-list 100 permit tcp host 192.168.3.10 any eq 23
access-list 100 permit tcp host 192.168.3.10 any eq 22
access-list 100 permit tcp host 192.168.3.10 any eq 25
access-list 100 permit tcp host 192.168.3.10 any eq 80
access-list 100 permit tcp host 192.168.3.10 any eq 443
access-list 101 permit ip host 192.168.3.10 any
static (inside,outside) 1.1.1.1 access-list 100
static (inside,outside) 1.1.1.10 access-list 101
09-11-2008 01:04 PM
Here are my revised requirements:
1- Internet users will get to this host via 1.1.1.10,
2- telnet, ssh and smtp traffic originating from host 192.168.3.10 going to 64.100.1.0/24 and 192.95.25.0/24 will be NATted to 1.1.1.10,
2- telnet, ssh and smtp traffic originating from host 192.168.3.10 going to ANY will be NATted to the PIX firewall's external interface (1.1.1.1),
3- http and https traffic originating from host 192.168.3.10 going to 72.1.100.0/24 will be NATted to 1.1.1.10,
4- http and https traffic originating from host 192.168.3.10 going to ANY will be NATted to the firewall's external interface (1.1.1.1),
5- Internet users from source 6.7.8.0/24 and 4.3.2.0/24 accessing http and https on IP address 1.1.1.1 will be redirected to host 192.168.3.10 on http and https.
I can do all this with a Check Point firewall in about 5 minutes and it works on the first attempt.
I am struggling to get this to work on the Cisco firewall.
09-12-2008 03:14 AM
Any takers on this one?
09-13-2008 02:20 AM
Hi David,
You can solve it by using policy NAT. Policy NAT/PAT translates the IP address of packets passing through the security appliance only if those packets match the configured criteria or policy. The policy is defined using ACLs; the ACL matches traffic against the source and destination IP addresses.
So for your case you need the following lines:
access-list 100 permit tcp host 192.168.3.10 72.1.100.0 255.255.255.0 eq 80
access-list 100 permit tcp host 192.168.3.10 72.1.100.0 255.255.255.0 eq 443
access-list 101 permit tcp host 192.168.3.10 any eq telnet
access-list 101 permit tcp host 192.168.3.10 any eq 22
access-list 101 permit tcp host 192.168.3.10 any eq smtp
access-list 101 permit tcp host 192.168.3.10 any eq 80
access-list 101 permit tcp host 192.168.3.10 any eq 443
access-list 102 permit tcp host 192.168.3.10 6.7.8.0 255.255.255.0 eq 80
access-list 102 permit tcp host 192.168.3.10 6.7.8.0 255.255.255.0 eq 443
access-list 102 permit tcp host 192.168.3.10 4.3.2.0 255.255.255.0 eq 80
access-list 102 permit tcp host 192.168.3.10 4.3.2.0 255.255.255.0 eq 443
nat (inside) 2 access-list 101
global (outside) 2 interface
static (inside,outside) 1.1.1.10 access-list 101
static (inside,outside) 1.1.1.1 access-list 102
static (inside,outside) 1.1.1.10 192.168.3.10 netmask 255.255.255.255
Good luck.
Rate if helpful.
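An added Python model (not PIX configuration, and not from any poster in this thread) of how the outbound requirements above are evaluated: static policy NAT entries are checked first, in configuration order, and a flow that matches none of them falls through to the nat/global interface PAT. The rule table, the sample flows and the `shadowed()` check are constructed here; the check flags a policy entry that can never match because an earlier, broader entry already covers it.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicyRule:
    """One policy-NAT ACL line: match on destination network + TCP port."""
    name: str
    dst: ipaddress.IPv4Network
    ports: frozenset
    mapped: str  # translated source address

HOST = ipaddress.IPv4Address("192.168.3.10")  # the inside host from the thread
INTERFACE_PAT = "1.1.1.1"                     # nat/global fallback (outside interface)
ANY = ipaddress.IPv4Network("0.0.0.0/0")

# Constructed table for the "going to 64.100.1.0/24, 192.95.25.0/24 and
# 72.1.100.0/24" requirements: the specific entries come first.
RULES = [
    PolicyRule("acl-mgmt-64", ipaddress.IPv4Network("64.100.1.0/24"), frozenset({22, 23, 25}), "1.1.1.10"),
    PolicyRule("acl-mgmt-192", ipaddress.IPv4Network("192.95.25.0/24"), frozenset({22, 23, 25}), "1.1.1.10"),
    PolicyRule("acl-web-72", ipaddress.IPv4Network("72.1.100.0/24"), frozenset({80, 443}), "1.1.1.10"),
]
# Same entries with a catch-all web static placed first: a misordering to detect.
BAD_ORDER = [PolicyRule("acl-web-any", ANY, frozenset({80, 443}), "1.1.1.1")] + RULES

def translate(src, dst, dport, rules=RULES):
    """Return (mapped_src, matched_rule) for an outbound TCP flow, or None."""
    if ipaddress.IPv4Address(src) != HOST:
        return None                       # only the thread's host is modelled
    dst = ipaddress.IPv4Address(dst)
    for rule in rules:                    # static policy NAT: first match wins
        if dst in rule.dst and dport in rule.ports:
            return rule.mapped, rule.name
    if dport in {22, 23, 25, 80, 443}:    # the "going to ANY" requirements: interface PAT
        return INTERFACE_PAT, "nat/global interface"
    return None                           # ports the requirements do not cover

def shadowed(rules):
    """Names of rules that can never match because an earlier rule covers them."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if later.dst.subnet_of(earlier.dst) and later.ports <= earlier.ports:
                out.append(later.name)
                break
    return out

if __name__ == "__main__":
    for flow in [("72.1.100.5", 443), ("8.8.8.8", 443), ("64.100.1.7", 22), ("64.100.1.7", 80)]:
        print(flow, "->", translate("192.168.3.10", *flow))
    print("shadowed in BAD_ORDER:", shadowed(BAD_ORDER))
```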
09-13-2008 03:50 AM
Hi Marwanshawi,
Thank you and the others for the suggestion. However, I have doubts about the following lines:
static (inside,outside) 1.1.1.10 access-list 101
static (inside,outside) 1.1.1.1 access-list 102
static (inside,outside) 1.1.1.10 192.168.3.10 netmask 255.255.255.255
Can you actually enter these three lines into the PIX configuration?
09-13-2008 04:06 AM
What software version?
09-13-2008 04:08 AM
An administrator allows the real source IP address (192.168.10.190) to be changed to 209.165.200.227 only if traffic is destined for 209.165.201.10. The same static entry will also change the destination address from 209.165.200.227 to 192.168.10.190 if traffic is sourced from host 209.165.201.10.
Example 5-40. Configuration of Static Policy NAT
Chicago(config)# access-list static_NAT extended permit ip host 192.168.10.190 host 209.165.201.10
Chicago(config)# static (inside,outside) 209.165.200.227 access-list static_NAT
Source: Cisco Press, Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance, 2005.
If your PIX is 7.x, this concept applies.
Hope this is helpful.
09-13-2008 05:19 AM
There are two more important things.
First, you need to make the permit ACL for all inbound traffic going to 1.1.1.1 or 1.1.1.10.
Then, after finishing the NAT and ACL config, reload your firewall to let the policy NAT take effect.
Good luck :)
09-13-2008 01:21 PM
Marwan,
Could you explain the following? The poster asked:
5- Internet users from source 6.7.8.0/24 and 4.3.2.0/24 accessing http and https on IP address 1.1.1.1 will be redirected to host 192.168.3.10 on http and https
Notice he says traffic is originating from 6.7.8.0/24 and 4.3.2.0 to 1.1.1.1. Therefore I don't see how this would work:
access-list 102 permit tcp host 192.168.3.10 6.7.8.0 255.255.255.0 eq 80
access-list 102 permit tcp host 192.168.3.10 6.7.8.0 255.255.255.0 eq 443
access-list 102 permit tcp host 192.168.3.10 4.3.2.0 255.255.255.0 eq 80
access-list 102 permit tcp host 192.168.3.10 4.3.2.0 255.255.255.0 eq 443
static (inside,outside) 1.1.1.1 access-list 102
09-13-2008 05:57 PM
Hi Adam,
Good question. If you look at the paragraph I posted above from Cisco Press, which has the following (an example from Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance, 2005):
An administrator has defined a policy to translate the source IP address to 209.165.200.226 if the packets originate from 192.168.10.10 and are destined for 209.165.201.1. Similarly, if the packets are sourced from 192.168.10.10 and destined for 209.165.201.2, the security appliance will change the source IP address to 209.165.200.227.
Thus, the ACL represents a two-way path in this case. If we make the ACL like access-list 102, that means it will include HTTP/HTTPS traffic from 192.168.10.3 to 6.7.8.0/24 and 4.3.2.0/24, and vice versa :)
And this is the benefit of ACLs with NAT.
Thank you.
Rate if helpful.
09-14-2008 03:26 AM
Marwanshawi,
Basically, you're speculating about this. Have you tried my requirements in the lab and verified that it works?
Thank you.
09-14-2008 03:32 AM
No, I haven't, but the fact is like this, mate.
You can try it.
Otherwise, if you have another way, it would be great to know.
And if you think about it, it is a very reasonable method, because in general ACLs with NAT on ASA, PIX and FWSM work TWO WAY!!!
Thank you.
09-14-2008 05:07 AM
Hi Marwan,
The reason I asked is that the following configuration looks very suspicious:
static (inside,outside) 1.1.1.10 access-list 101
static (inside,outside) 1.1.1.1 access-list 102
static (inside,outside) 1.1.1.10 192.168.3.10 netmask 255.255.255.255
I think you will get errors with this configuration.
I would like to try it out if I had a PIX handy, but I do not. I can't try this on the production PIX either.
09-14-2008 05:14 AM
OK, I thought about this; you may get an error on:
static (inside,outside) 1.1.1.10 192.168.3.10 netmask 255.255.255.255
If you do, try this workaround.
As long as you want any traffic coming to 1.1.1.10 to go to 192.168.3.10,
create an ACL, let's say ACL 103,
that denies all traffic permitted in ACL 101 and 102 and then permits any,
and make it like:
static (inside,outside) 1.1.1.10 access-list 103
This way all other traffic not included in both ACLs going to 1.1.1.10 will be translated to 192.168.3.10, which is your required point for Internet traffic going to that address.
Good luck.