some simple global & nat question in pix

tiwang
Level 4

hi out there

I have a question regarding policy NAT - we are trying to use policy NAT on a Cisco PIX 515E with software version 7.0.1.
I have defined a global pool 2 which I expect would assign the IP 19.18.25.207 to outbound sessions whose packets of interest are defined by the ACL external_nat.

On the DMZ I have 2 hosts (well - 2 with MS NLB between them, with a VIP of 172.21.245.100 and real IPs of 172.21.245.21 & 22), and their default GW points to the DMZ, and the pixi has a default GW on the outside.
My problem is that global pool #2 isn't used, and as far as I can see I get everything PATed over the interface IP instead??

pixi# sh runn global
global (outside) 1 interface
global (outside) 2 19.18.25.207
pixi# sh runn nat
nat (dmz) 2 access-list external_nat
nat (dmz) 1 0.0.0.0 0.0.0.0
pixi#
pixi# sh access-list external_nat
access-list external_nat; 3 elements
access-list external_nat line 1 extended permit ip object-group EXT_servers any
access-list external_nat line 1 extended permit ip host 172.21.245.21 any (hitcnt=0)
access-list external_nat line 1 extended permit ip host 172.21.245.22 any (hitcnt=0)
access-list external_nat line 1 extended permit ip host 172.21.245.100 any (hitcnt=0)
pixi#

I have also a static into the box in this form:

static (dmz,outside) 19.18.25.207 172.21.245.100 netmask 255.255.255.255

The config here is of course a bit reduced, but these are the vital elements for my problem - can someone tell me what I did wrong in this setup?

How can I troubleshoot this? The output of show xlate doesn't tell me much about the usage of global pool #2.

best regards /ti


12 Replies

varrao
Level 10

Hi Tiwang,

The config is a bit conflicting: you are using the same public IP in the nat as well as the static statement, which of course won't work. The reason is that the static statement would always take precedence over your global statement, and the public IP would always be mapped to the real IP 172.21.245.100, so the global statement would never be used.

So I would request you to use a different IP for the static statement, or another solution would be to use port forwarding for the static. Which means instead of using the complete IP, you are just using the specific port on the IP, and the rest of the ports are being used for the global statement.

For example, if the server 172.21.245.100 needs to be accessed on port 80, then:

static (dmz,outside) tcp 19.18.25.207 80 172.21.245.100 80

This should be the right way for it.

Hope this was useful.

Thanks,

Varun

Thanks,
Varun Rao

Hi again

Thanks Varun - this was also what I expected, but I couldn't find any notes on this conflict anywhere - so - if I either move the global to another global address or change the static to a specific port number, then would it work?

e.g.: if I change the static to mapping only https & smtp in on that public address, then would it be solved?

Absolutely, that's what you need and it would solve the issue for you for sure. Do let me know if you need any more info.

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun

I implemented the changes yesterday evening, but it didn't work as expected - can you guide me on how to trace that?

See - the config was changed for the statics in this way:

static (dmz,outside) tcp 19.18.25.207 smtp 172.21.245.100 smtp netmask 255.255.255.255
static (dmz,outside) tcp 19.18.25.207 www 172.21.245.100 www netmask 255.255.255.255
static (dmz,outside) tcp 19.18.25.207 https 172.21.245.100 https netmask 255.255.255.255

and the global & nat statements were unchanged:

nat (dmz) 2 access-list external_nat
nat (dmz) 1 0.0.0.0 0.0.0.0

mailgw# sh runn global
global (outside) 1 interface
global (outside) 2 19.18.25.207
mailgw# sh xlate | inc 207
PAT Global 19.18.25.207(25) Local 172.21.245.100(25)
PAT Global 19.18.25.207(80) Local 172.21.245.100(80)
PAT Global 19.18.25.207(443) Local 172.21.245.100(443)
mailgw#

and these are created from the statics, as I would expect - so the statics map the traffic fine into the boxes.

But - there are no xlates for my global pool 2? Why not? If I look at xlates for the interface address, it is all done there:

mailgw# sh xlate | inc 200
PAT Global 19.18.25.200(443) Local 172.21.245.22(443)
PAT Global 19.18.25.200(15848) Local 172.21.245.22(10336)
PAT Global 19.18.25.200(15838) Local 172.21.245.22(10086)
PAT Global 19.18.25.200(15837) Local 172.21.245.22(10085)
PAT Global 19.18.25.200(15850) Local 81.27.15.202(4159)
PAT Global 19.18.25.200(15849) Local 81.27.15.201(1741)
mailgw#

How can I ensure that the NAT policy is used to map the sessions defined by ACL external_nat?

best regards /ti

Hi Tiwang,

There might not be any issue, because the second global pool would only be utilized if all the ports on the first global pool are exhausted, so if you do not have enough traffic at all, then the first global pool would always be utilized, hence you might be seeing this. To test you can remove:

global (outside) 1 interface

and just use:

global (outside) 1 19.18.25.207

and try accessing internet and then check the xlate.

Hope this was useful

Thanks,

Varun

Thanks,
Varun Rao

ok - that is of course a simple way to circumvent the problem, but can you tell me why the box completely ignores the policy NAT statement:

nat (dmz) 2 access-list external_nat

I expected that it would use my "external_nat" list anyway - but is this only the case when the pool for #1 is exhausted? If so, how can I control that in general my internal IP addresses use the interface IP of 19.18.25.200 and those matching my policy NAT use 19.18.25.207?

best regards /ti

Hi Tiwang,

First of all you need to make sure that you need not include any overlapping networks in the two nat statements. To be more specific, use this:

access-list external_nat line 1 extended deny ip object-group EXT_servers any

access-list external_nat line 1 extended deny ip host 172.21.245.21 any

access-list external_nat line 1 extended deny ip host 172.21.245.22 any

access-list external_nat line 1 extended deny ip host 172.21.245.100 any

access-list external_nat line 1 extended permit ip any any

nat (inside) 1 access-list external_nat

global (outside) 1 interface

access-list external_nat2 line 1 extended permit ip object-group EXT_servers any

access-list external_nat2 line 1 extended permit ip host 172.21.245.21 any

access-list external_nat2 line 1 extended permit ip host 172.21.245.22 any

access-list external_nat2 line 1 extended permit ip host 172.21.245.100 any

nat (inside) 2 access-list external_nat2

global (outside) 2 19.18.25.207

and this should achieve what you are trying.

And also do remember to clear xlate after it, so that new connections follow the new rules.

Thanks,

Varun

Thanks,
Varun Rao

hmm - the idea did sound perfect - but:

mailgw(config)# nat (dmz) 1 access-list NOT_EXT_servers

ERROR: Deny rules not supported in Policy Nat

can this be?

best regards /ti

btw - I just went through the config once more and realized that nat-control is disabled - how does this influence my problem?

Hi Tiwang,

I just checked it again, and yes, we cannot use deny in policy NAT, so what I did was to play around with the NAT order. What I would suggest is to add the nat statements in the following order:

nat (dmz) 1 172.21.245.21 255.255.255.255

nat (dmz) 1 172.21.245.22 255.255.255.255

nat (dmz) 2 0.0.0.0 0.0.0.0

global (outside) 1 19.xx.xx.xxx

global (outside) 2 interface

then do clear xlate and try again. I tested it at my end with the packet-tracer and it worked as expected.

Let me know the results for it. The 172.21.245.100 would always take the correct IP, since it is statically mapped to the IP address, so we don't need a nat for it. The NAT search happens from top to bottom, so the more specific should be on top.

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao

hi again

ok - I'll try to change the config this evening - I think that if I just swap the "pools", then I will get the result:

eg:

nat (dmz) 1 access-list external_nat

nat (dmz) 2 0.0.0.0 0.0.0.0

global (outside) 1 19.18.25.207

global (outside) 2 interface

so that I can keep my ACL to define the interesting hosts. But I must admit that the usage of these pools makes me a bit unsure - there are also other nat statements pointing to pool #1, but this shouldn't have any influence on these translations - or? Well - I'll keep you posted.

best regards /ti

Hi Varun

You were completely right in the first place - the problem was caused by another static command in the config:

static (dmz,outside) tcp interface https 172.21.245.22 https netmask 255.255.255.255

and the interface IP is 19.18.25.200..

This didn't show up when I looked for the 19.18.25.200 addresses in the config - but I could see that it was there somewhere because of the output from show xlate - so - removed that and we were back on track.

thanks for the help & tips

best regards /ti
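A small model of the precedence the thread keeps running into, added here as an illustration and not Cisco code or the poster's configuration. It implements the NAT order of operations documented for PIX/ASA 7.x (pre-8.3): NAT exemption, then static NAT/PAT, then policy dynamic NAT, then regular dynamic NAT, with top-down matching inside each class. The hosts, pools and statics are the ones quoted in the thread, including the extra `static (dmz,outside) tcp interface https 172.21.245.22 https` found last; the outside interface address 19.18.25.200 is taken from the poster's xlate output, and the rule class names are my own. It models rule precedence only, not xlate lifetime or port reuse. It also contains the audit Varun's first reply implies: a whole-address static whose mapped address is also a global pool member.

```python
"""Toy model of PIX/ASA 7.x NAT rule precedence (added example, not Cisco code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Static:
    mapped: str                  # mapped (outside) address, or "interface"
    real: str                    # real (dmz) host address
    proto: Optional[str] = None  # set only for static PAT ("tcp"/"udp")
    port: Optional[int] = None   # real port, set only for static PAT


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: str     # source host (/32) or network in CIDR form


@dataclass
class PolicyNat:
    nat_id: int
    acl: list    # list of Ace, evaluated top-down


@dataclass
class DynNat:
    nat_id: int
    net: str     # "0.0.0.0/0" models "nat (dmz) 1 0.0.0.0 0.0.0.0"


@dataclass
class PixNat:
    interface_ip: str
    statics: list = field(default_factory=list)
    policy: list = field(default_factory=list)
    dynamic: list = field(default_factory=list)
    pools: dict = field(default_factory=dict)  # nat_id -> global address

    def mapped(self, addr):
        return self.interface_ip if addr == "interface" else addr

    def add_policy_nat(self, rule):
        # Mirrors the box's "ERROR: Deny rules not supported in Policy Nat".
        if any(e.action == "deny" for e in rule.acl):
            raise ValueError("Deny rules not supported in Policy Nat")
        self.policy.append(rule)

    def lookup(self, src, proto="tcp", real_port=0):
        """Return (rule class, mapped address, nat id) for an outbound flow."""
        src_ip = ip_address(src)
        # Stage 1, NAT exemption (nat 0 access-list), is absent from the thread config.
        # Stage 2: statics, top-down; static PAT claims only its own proto/port.
        for s in self.statics:
            if ip_address(s.real) != src_ip:
                continue
            if s.port is None or (s.proto == proto and s.port == real_port):
                return ("static", self.mapped(s.mapped), None)
        # Stage 3: policy dynamic NAT, first ACL that permits the source.
        for p in self.policy:
            if any(e.action == "permit" and src_ip in ip_network(e.src) for e in p.acl):
                return ("policy", self.mapped(self.pools[p.nat_id]), p.nat_id)
        # Stage 4: regular dynamic NAT, first network containing the source.
        for d in self.dynamic:
            if src_ip in ip_network(d.net):
                return ("dynamic", self.mapped(self.pools[d.nat_id]), d.nat_id)
        return ("none", None, None)


def pool_conflicts(cfg):
    """Global-pool addresses also claimed by a whole-address static."""
    in_pools = {cfg.mapped(a) for a in cfg.pools.values()}
    return sorted({cfg.mapped(s.mapped) for s in cfg.statics
                   if s.port is None and cfg.mapped(s.mapped) in in_pools})


def thread_config(full_static=False, hidden_static=True):
    """The thread's dmz/outside config; 19.18.25.200 is the outside interface address."""
    cfg = PixNat(interface_ip="19.18.25.200")
    cfg.pools = {1: "interface", 2: "19.18.25.207"}
    if full_static:   # the poster's first version: whole address statically mapped
        cfg.statics.append(Static("19.18.25.207", "172.21.245.100"))
    else:             # after the change to per-port static PAT (smtp, www, https)
        for port in (25, 80, 443):
            cfg.statics.append(Static("19.18.25.207", "172.21.245.100", "tcp", port))
    if hidden_static:  # the extra "static ... tcp interface https 172.21.245.22 https"
        cfg.statics.append(Static("interface", "172.21.245.22", "tcp", 443))
    cfg.add_policy_nat(PolicyNat(2, [Ace("permit", "172.21.245.21/32"),
                                     Ace("permit", "172.21.245.22/32"),
                                     Ace("permit", "172.21.245.100/32")]))
    cfg.dynamic.append(DynNat(1, "0.0.0.0/0"))
    return cfg


if __name__ == "__main__":
    cfg = thread_config()
    for host, port in (("172.21.245.22", 443), ("172.21.245.22", 10336),
                       ("172.21.245.100", 25), ("172.21.245.50", 4000)):
        print(host, port, cfg.lookup(host, "tcp", port))
    print("pool conflicts in first config:", pool_conflicts(thread_config(full_static=True)))
```

Running it shows 172.21.245.22 on port 443 landing on the interface static (the `19.18.25.200(443)` xlate in the thread) before policy NAT is ever consulted, while the same host on another port falls through to pool 2, and `pool_conflicts` flags 19.18.25.207 for the original whole-address static. The same check is a cheap thing to run over any pre-8.3 config before touching nat/global ordering.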

Hi Tiwang,

That's awesome, really happy it resolved the issue for you. Do let me know if you have any more concerns.

Thanks,

Varun

Thanks,
Varun Rao