NAT/PAT form outside to DMZ

Rene.Stockum
Level 1

Hi all,

I have the following problem with NAT/PAT on my PIX 515:

All incoming traffic from outside to dmz_host is to be hidden behind the DMZ interface (no outside sources are to be visible), and this is the statement:

global (DMZ) 1 interface

nat (outside) 1 0.0.0.0 0.0.0.0 outside 0 0

This works successfully, so far so good ...

Further, I want to hide all outgoing traffic from DMZ to outside, and I use this statement:

global (outside) 1 interface

nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0

But now I get the message: No translation group found for tcp src DMZ:dmz_host/32793 dst outside:outside_host/22

I have tried all thinkable combinations (different global group IDs; dedicated PAT IPs instead of the interface IP, and so on), but I still get the error message :-(

The separate global/nat statements work fine, but not both together, and I need both.

Please help me! Thanks

4 Replies

mhussein
Level 4

I am not sure if I understand your scenario correctly. But if you combine all these configs:

global (DMZ) 1 interface

global (outside) 1 interface

nat (outside) 1 0.0.0.0 0.0.0.0 outside 0 0

nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0

Given that the nat IDs are all 1s, the following should occur:

1. For inbound traffic from outside to DMZ, outside source IP addresses are translated to the DMZ interface's IP address.

2. For outbound traffic from DMZ to outside, DMZ IP addresses are translated to the outside interface's IP address.

Now here is the confusing part: a connection initiated from the DMZ to an outside IP address will be translated to the PIX outside interface's IP address, but will the reply from outside be translated again to the DMZ's IP address? Or will the reply keep its initial IP address in the established connections table?

Maybe you can try assigning different IDs to the second nat/global pair, e.g. 2:

global (outside) 2 interface

nat (DMZ) 2 0.0.0.0 0.0.0.0 0 0

Please post your configs and elaborate on why you need to configure outside NAT.

Regards

Mustafa

Hi Mustafa,

thanks for the answer.

I have already tried different nat IDs, and the result was the same. You can use different nat IDs if you map different internal subnets to different NAT IP addresses, for example:

global (outside) 1 192.168.0.10 netmask 255.255.255.0

global (outside) 2 192.168.0.20 netmask 255.255.255.0

nat (inside) 1 10.10.10.0 255.255.255.0

nat (inside) 2 10.10.20.0 255.255.255.0

I hope the PIX knows the difference between initial and reply packets ;-)

The reason for "nat (outside)" is one of our security policies on an additional firewall deep in the internal network: no "any" rules are allowed there!

global (outside) 2 interface

global (DMZ_ext) 1 interface

global (DMZ_int) 1 interface

nat (outside) 1 0.0.0.0 0.0.0.0 outside 0 0

nat (DMZ_ext) 2 0.0.0.0 0.0.0.0 0 0

static (inside,NET1_ext) inside_host1 inside_host1 netmask 255.255.255.255 0 0

static (inside,NET1_ext) inside_host2 inside_host2 netmask 255.255.255.255 0 0

static (DMZ_int,outside) pub.lic.ip.10 DMZ_int_host1 netmask 255.255.255.255 0 0

static (DMZ_int,outside) pub.lic.ip.11 DMZ_int_host2 netmask 255.255.255.255 0 0

static (DMZ_int,outside) pub.lic.ip.12 DMZ_int_host3 netmask 255.255.255.255 0 0

static (DMZ_ext,outside) pub.lic.ip.13 DMZ_ext_host1 netmask 255.255.255.255 0 0

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ_ext security20

nameif ethernet3 NET1_ext security15

nameif ethernet4 DMZ_int security80

nameif ethernet5 failover security90

@gfullage

I will try your hint.

Thanks again

gfullage
Cisco Employee

Outside PAT will do this to you, because you basically "hid" the entire Internet behind the PIX's dmz interface address, making it unreachable. Consider the reverse scenario with normal outbound PAT, your entire inside network is hidden behind the PIX's outside interface, and is thus unreachable from the outside (and why you need to configure a static to allow access).

First of all, make sure you use different NAT IDs in your inside and outside nat/global pairs, as follows:

global (DMZ) 5 interface

nat (outside) 5 0.0.0.0 0.0.0.0 outside 0 0

global (outside) 6 interface

nat (DMZ) 6 0.0.0.0 0.0.0.0 0 0

Then, to allow outbound access, you have to modify your outside-NAT statement to specifically NOT NAT all traffic other than that destined for your inside host. Do this with:

static (inside,outside) x.x.x.x y.y.y.y

access-list nonatoutside deny ip any host y.y.y.y

access-list nonatoutside permit ip any any

nat (outside) 0 access-list nonatoutside outside

I realise this looks confusing, but it says not to NAT any traffic other than that destined for your inside host. This way they'll be able to get out OK. Traffic outbound from your inside host will use the static as normal, and that'll work fine also.
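The three points raised in this thread (nat and global pair by ID, the outside-NAT and inward pairs should not share an ID, and an outside-NAT interface needs a `nat (if) 0 access-list` exemption or everything behind it is unreachable) can be checked mechanically over a PIX 6.x config. The script below is an added example, not code from the original post or from Cisco; it relies only on the textual form of the `nat`/`global` lines shown in the thread. The two sample configs are constructed from the snippets above, with example addresses filled in.

```python
"""Lint a PIX 6.x NAT configuration for the pitfalls discussed in this thread.

Added example, not from the original post or from Cisco.  Assumptions: dynamic
`nat (if) id ...` and `global (if) id ...` lines pair by ID; the trailing
`outside` keyword on a nat line enables outside NAT on that interface; and
`nat (if) 0 access-list NAME` exempts matching traffic from translation.
Interface names and addresses in the sample configs are constructed.
"""
import re
from collections import defaultdict

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)\s*(.*)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)\b")


def parse(config):
    """Collect the NAT-related lines of a config text.

    Returns (nats, globs, exempts):
      nats    {nat_id: [(iface, outside_nat), ...]}  dynamic nat rules
      globs   {nat_id: [iface, ...]}                 global pools/interfaces
      exempts {iface: acl_name}                      nat 0 access-list exemptions
    """
    nats, globs, exempts = defaultdict(list), defaultdict(list), {}
    for raw in config.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            iface, nat_id, rest = m.group(1), int(m.group(2)), m.group(3).split()
            if nat_id == 0:
                # plain `nat (if) 0 net mask` identity NAT carries no ACL and is ignored here
                if len(rest) > 1 and rest[0] == "access-list":
                    exempts[iface] = rest[1]
            else:
                nats[nat_id].append((iface, "outside" in rest))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globs[int(m.group(2))].append(m.group(1))
    return nats, globs, exempts


def lint(config):
    """Return human-readable findings; an empty list means none of the known pitfalls."""
    nats, globs, exempts = parse(config)
    findings = []
    for nat_id, rules in sorted(nats.items()):
        for iface, _ in rules:
            # a nat rule is only usable if a global with the same ID sits on another interface
            if not [g for g in globs.get(nat_id, []) if g != iface]:
                findings.append(
                    f"nat ({iface}) {nat_id} has no global with ID {nat_id} on another "
                    f"interface, so the pair is incomplete")
        # both replies in the thread recommend distinct IDs for the two pairs
        if len(rules) > 1 and any(outside for _, outside in rules):
            ifaces = ", ".join(iface for iface, _ in rules)
            findings.append(
                f"nat ID {nat_id} is shared by {ifaces} and includes an outside-NAT rule; "
                f"give the outside-NAT and inward nat/global pairs distinct IDs")
    outside_ifaces = {iface for rules in nats.values() for iface, outside in rules if outside}
    for iface in sorted(outside_ifaces):
        if iface not in exempts:
            findings.append(
                f"outside NAT on {iface} has no `nat ({iface}) 0 access-list` exemption, "
                f"so every address behind {iface} is hidden and cannot be reached by "
                f"connections initiated from the other side")
    return findings


# Constructed reproduction of the configuration that produced the error in the thread.
BROKEN = """
nameif ethernet0 outside security0
nameif ethernet2 DMZ security20
global (DMZ) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0 outside 0 0
global (outside) 1 interface
nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) 203.0.113.10 192.168.20.10 netmask 255.255.255.255 0 0
"""

# Constructed version of the corrected configuration: distinct IDs plus the exemption.
FIXED = """
global (DMZ) 5 interface
nat (outside) 5 0.0.0.0 0.0.0.0 outside 0 0
global (outside) 6 interface
nat (DMZ) 6 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) 203.0.113.10 192.168.20.10 netmask 255.255.255.255 0 0
access-list nonatoutside deny ip any host 192.168.20.10
access-list nonatoutside permit ip any any
nat (outside) 0 access-list nonatoutside outside
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"{name}: {lint(cfg) or 'no findings'}")
```

Run it against a saved `show run` and every finding points at one of the statements gfullage's reply tells you to change; the `nat 0 access-list` check only looks for the presence of an exemption on the outside-NAT interface, so the ACL's deny/permit lines still need to be reviewed by hand.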

Thank you!

see above ...