NAT 0 access-list

ditscap
Level 1

NAT Timeout values with NAT 0

A server on the outside of the firewall initiates a session to the server on the inside. The server on the inside stores the session via IP address and source port... this connection needs to stay open, but if there is no communication after the time allotted in the xlate timeout, it is torn down... then the server on the outside initiates another session with a different source port. After this happens several times, the service on the internal server dies.

If I use:

access-list notimeout permit ip host 10.10.10.4 255.255.255.255 any

nat (outside) 0 access-list notimeout

Since the PIX doesn't build an xlate table, will this bypass the timeout for the xlate? Once 10.10.10.4 makes a connection to a host on the other side of the PIX, will it be able to be idle indefinitely?

Thanks

1 Accepted Solution


8 Replies

nkhawaja
Cisco Employee

Hi,

Since with NAT 0 we are bypassing the translation table, the xlate timeout should not be an issue here (could someone else correct me if the translation table builds up with NAT 0 + access-list), but the connection timeout will still be there.

Thanks

Nadeem

pd-yca
Level 1

Of course, if you "nat 0" the inside address, that address will have to be routable on the outside of your PIX.

Have you looked at the "timeout" command? Perhaps you can adjust the "xlate" and "conn" parameters (defaults: 3 hrs and 1 hr, respectively) to exceed the intervals of inactivity between the servers.

This is a firewall within the campus network. The devices behind the firewall are medical devices that have to be isolated from the rest of the network and only talk to a few devices on the LAN. The problem is, overnight there aren't as many x-rays and data being passed back and forth... but when data is passed after the connection has timed out, it opens up a new session which causes the service to freak (old 1960's technology that isn't going to be updated)... So, if I use nat 0 access-list, I can bypass the xlate timeout, but will have to up the connection timeout by quite a bit?

Since the device initiating the contact is on the outside interface, will this still work? Can I nat 0 access-list on the outside? Example:

Server1 - IP Address is 10.10.10.1 (The one making the connection)

Server2 - IP Address is 172.16.1.1 (The one on the inside of the firewall being connected to)

Pix#(config)access-list No-Timeout permit ip host 10.10.10.1 255.255.255.255 host 172.16.1.1 255.255.255.255

Pix#(config)nat (outside) 0 access-list No-Timeout

Pix#(config)timeout conn 0:0:0

Thanks

Any comments on my last question? Anyone?

I'm not sure about the xlate timers and how to avoid them. Yet I have a comment on your last question, the nat 0 on the outside.

It took me some time to understand it: I had a project where I had to transparently route initiating hosts from the outside to the inside. Even then you need to nat 0 the inside network/hosts TOWARDS the OUTSIDE. It's the only simple way to 1:1 translate addresses, regardless of who initiates the connection; that is, doing it from the higher security level to the lower one. A simple example is:

access-list range_any permit ip

nat (inside) 0 access-list range_any

Of course you shouldn't forget to permit your desired protocols inbound on the outside int.

Tell me if that worked.

Toni

Sure, but you have a few syntax issues. Refer to the following:

Pix#(config)access-list No-Timeout permit ip host 10.10.10.1 host 172.16.1.1

Pix#(config)nat (inside) 0 access-list No-Timeout

Pix#(config)timeout conn 0:0:0

** No need for the all 255 mask when you specify host. And you want to apply the NAT to the inside interface. The translations when using a nat 0 ACL can still be built from the less secure interface. And your timeout on the conn is going to be global. I do not recommend using this as it can cause adverse effects. Every conn that is left in an open state incorrectly will never be cleared from the PIX conn table. This can cause memory depletion over time so if you are going to do this, please check the 'sh conn count' and 'sh conn detail' output often and make sure you do not have a lot of open conns on the PIX. It may require manual intervention from you to either clear the conns or reload the PIX.

If you are in a situation where the connection needs to remain open indefinitely between these machines, you may be better off locating these two hosts on the same segment so as not to have to take these steps. Just a thought.

Scott

Scott,

I am confused, shouldn't the syntax be

Pix#(config)access-list No-Timeout permit ip host 172.16.1.1 host 10.10.10.1?

Thanks.

PF
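Pulling the thread together, here is what the resulting PIX 6.x configuration looks like as an added example; it is not configuration from the original posts, and the ACL names, the `ip` protocol match and the choice of `clear local-host` as the manual clean-up command are my assumptions. It follows PF's reading of the ACL direction: with `nat (inside) 0 access-list`, the ACL source is the inside (more secure) address and the destination is the outside peer, and the identity translation it creates also lets the outside host initiate, as long as the outside interface ACL permits that traffic.

```cisco
! Added example, not from the thread. Assumes PIX 6.x, the initiating
! server 10.10.10.1 on the outside and the listening server 172.16.1.1 on
! the inside. ACL names are illustrative.
!
! Identity NAT for the inside host: source = INSIDE address, destination =
! outside peer. Applied on the inside interface even though the outside
! host initiates; the translation can still be built from the less secure side.
access-list No-Timeout permit ip host 172.16.1.1 host 10.10.10.1
nat (inside) 0 access-list No-Timeout
!
! The outside host opens the session, so permit it inbound on the outside
! interface. Narrow "ip" to the real protocol/port of the medical device once known.
access-list outside_in permit ip host 10.10.10.1 host 172.16.1.1
access-group outside_in in interface outside
!
! Disable the conn idle timeout (0:0:0 = never). This is GLOBAL on PIX 6.x:
! every conn on the box, not just this pair, will now stay in the conn table
! until the TCP session closes or it is cleared by hand.
timeout conn 0:0:0
!
! Checks to run regularly after this change (exec mode, not config):
!   show conn count
!   show conn detail
! If stale conns pile up, clear the ones for the outside peer manually:
!   clear local-host 10.10.10.1
```

Because `timeout conn` is global, half-open or abandoned sessions from any host are no longer reaped, so the conn count should be trended over time and the `clear local-host` step kept ready; the xlate timeout is not in play for this pair since nat 0 with an ACL does not age them out on idle.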