02-21-2005 03:08 AM - edited 03-09-2019 10:24 AM
Hi all,
I have the following problem with NAT/PAT on my PIX 515:
all incoming traffic from outside to dmz_host is to be hidden on the DMZ interface (no outside sources are to be visible) - and this is the statement:
global (DMZ) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0 outside 0 0
this works successfully - so far so good ...
Further, I want to hide all outgoing traffic from DMZ to outside, and I use this statement:
global (outside) 1 interface
nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
But now I've got the message: No translation group found for tcp src DMZ:dmz_host/32793 dst outside:outside_host/22
I have tried all thinkable combinations (different global group IDs; dedicated PAT IPs instead of the interface IP, and so on), but I still get the error message :-(
The separate global/nat statements work fine, but not both together, and I need that.
Please help me! Thanks
02-22-2005 04:50 PM
I am not sure if I understand your scenario correctly. But if you combine all these configs:
global (DMZ) 1 interface
global (outside) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0 outside 0 0
nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
Noting that the nat IDs are all 1s, the following should occur:
1. For inbound traffic from outside to DMZ, outside ip source addresses are translated to DMZ's interface ip address
2. For outbound traffic from DMZ to outside, DMZ ip addresses are translated to outside interface's ip address.
Now here is the confusing part, a connection initiated from the DMZ to an outside ip address will be translated to the pix outside's ip address, but will the reply from outside be translated again to the DMZ's ip address? Or will the reply keep its initial ip address on the established connections table?
Maybe you can try assigning different IDs to the second pair of nat/global, e.g. 2:
global (outside) 2 interface
nat (DMZ) 2 0.0.0.0 0.0.0.0 0 0
Please post your configs and elaborate on why you need to configure outside nat
Regards
Mustafa
02-23-2005 12:42 AM
Hi Mustafa,
thanks for the answer.
I have already tried different nat IDs and the result was the same. You can use different nat IDs if you map different internal subnets to different nat IP addresses, for example:
global (outside) 1 192.168.0.10 netmask 255.255.255.0
global (outside) 2 192.168.0.20 netmask 255.255.255.0
nat (inside) 1 10.10.10.0 255.255.255.0
nat (inside) 2 10.10.20.0 255.255.255.0
I hope the PIX knows the difference between initial- and reply packets ;-)
The reason for "nat (outside)" is one of our security policies on an additional firewall deep in the internal network - no "any rules" are allowed there!
global (outside) 2 interface
global (DMZ_ext) 1 interface
global (DMZ_int) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0 outside 0 0
nat (DMZ_ext) 2 0.0.0.0 0.0.0.0 0 0
static (inside,NET1_ext) inside_host1 inside_host1 netmask 255.255.255.255 0 0
static (inside,NET1_ext) inside_host2 inside_host2 netmask 255.255.255.255 0 0
static (DMZ_int,outside) pub.lic.ip.10 DMZ_int_host1 netmask 255.255.255.255 0 0
static (DMZ_int,outside) pub.lic.ip.11 DMZ_int_host2 netmask 255.255.255.255 0 0
static (DMZ_int,outside) pub.lic.ip.12 DMZ_int_host3 netmask 255.255.255.255 0 0
static (DMZ_ext,outside) pub.lic.ip.13 DMZ_ext_host1 netmask 255.255.255.255 0 0
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ_ext security20
nameif ethernet3 NET1_ext security15
nameif ethernet4 DMZ_int security80
nameif ethernet5 failover security90
@gfullage
I will try your hint.
Thanks again
02-22-2005 05:24 PM
Outside PAT will do this to you, because you basically "hid" the entire Internet behind the PIX's dmz interface address, making it unreachable. Consider the reverse scenario with normal outbound PAT, your entire inside network is hidden behind the PIX's outside interface, and is thus unreachable from the outside (and why you need to configure a static to allow access).
First of all, make sure you use different NAT IDs in your inside and outside nat/global pairs as follows:
global (DMZ) 5 interface
nat (outside) 5 0.0.0.0 0.0.0.0 outside 0 0
global (outside) 6 interface
nat (DMZ) 6 0.0.0.0 0.0.0.0 0 0
Then, to allow outbound access you have to modify your outside-NAT statement to specifically NOT NAT all other traffic other than that destined for your inside host. Do this with:
static (inside,outside) x.x.x.x y.y.y.y
access-list nonatoutside deny ip any host y.y.y.y
access-list nonatoutside permit ip any any
nat (outside) 0 access-list nonatoutside outside
I realise this looks confusing, but it says not to nat all other traffic other than that destined for your inside host. This way they'll be able to get out OK. Traffic outbound from your inside host will use the static as normal and that'll work fine also.
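To make the diagnosis in this thread concrete, here is the original poster's failing nat/global pair and gfullage's corrected configuration run through a small Python model of the lookup rules as explained above. This is an added illustration, not PIX code and not something the thread's authors wrote. The model's three assumptions are mine: a dynamic nat/global pair can only be used by connections initiated on the nat-side interface, statics work in both directions, and a nat 0 access-list exemption is checked before dynamic rules. The function names are mine too; dmz_host, outside_host, x.x.x.x and y.y.y.y are the thread's own placeholders.

```python
"""Toy model of how a PIX 6.x picks translations, built to illustrate the
diagnosis given in this thread. Added illustration, not PIX code. Assumes:
(1) a dynamic nat/global pair is usable only by connections initiated on
the nat-side interface, (2) statics work in both directions, (3) a nat 0
access-list exempts matching traffic and is checked before dynamic rules.
ORIGINAL and FIXED are the two configs quoted in the thread."""
from dataclasses import dataclass, field


@dataclass
class PixNatModel:
    globals_: dict = field(default_factory=dict)  # (iface, id) -> pool
    nats: list = field(default_factory=list)      # dynamic and nat 0 rules
    statics: list = field(default_factory=list)   # (real_if, mapped_if, mapped, real)
    acls: dict = field(default_factory=dict)      # name -> [(action, dst)]


def parse_pix_nat(text):
    """Parse the nat/global/static/access-list lines that appear in the thread."""
    m = PixNatModel()
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "global":          # global (IF) ID interface|pool-ip
            m.globals_[(t[1].strip("()"), int(t[2]))] = t[3]
        elif t[0] == "nat":           # nat (IF) ID net mask [outside] | nat (IF) 0 access-list NAME [outside]
            m.nats.append({"iface": t[1].strip("()"), "id": int(t[2]),
                           "outside": "outside" in t[3:],
                           "acl": t[4] if t[3] == "access-list" else None})
        elif t[0] == "static":        # static (REAL_IF,MAPPED_IF) mapped real ...
            real_if, mapped_if = t[1].strip("()").split(",")
            m.statics.append((real_if, mapped_if, t[2], t[3]))
        elif t[0] == "access-list":   # access-list NAME permit|deny ip any (host X | any)
            dst = t[6] if t[5] == "host" else "any"
            m.acls.setdefault(t[1], []).append((t[2], dst))
    return m


def acl_exempts(m, name, dst):
    """nat 0 exempts a flow only when the first matching ACE is a permit."""
    for action, ace_dst in m.acls.get(name, []):
        if ace_dst in ("any", dst):
            return action == "permit"
    return False


def translation_for(m, src_if, src_ip, dst_if, dst_ip):
    """Translation a connection from src_if can use toward dst_if, or None.
    Lookup order: static, then nat 0 exemption, then dynamic nat/global."""
    for real_if, mapped_if, _mapped, real in m.statics:
        if (real_if, mapped_if) == (src_if, dst_if) and src_ip == real:
            return "static"
    rules = [r for r in m.nats if r["iface"] == src_if]
    for r in rules:
        if r["id"] == 0 and r["acl"] and acl_exempts(m, r["acl"], dst_ip):
            return "nat 0 exempt"
    for r in rules:
        if r["id"] != 0 and (dst_if, r["id"]) in m.globals_:
            return "PAT -> " + m.globals_[(dst_if, r["id"])]
    return None


def check_flow(m, src_if, src_ip, dst_if, dst_ip):
    """Apply the thread's diagnosis to one flow: the source needs a translation,
    and when dynamic outside NAT hides dst_if behind src_if, the destination host
    must be reachable through a static or a nat 0 exemption, not through PAT."""
    src_x = translation_for(m, src_if, src_ip, dst_if, dst_ip)
    if src_x is None:
        return False, (f"No translation group found for "
                       f"src {src_if}:{src_ip} dst {dst_if}:{dst_ip}")
    hidden = any(r["iface"] == dst_if and r["outside"] and r["id"] != 0
                 and (src_if, r["id"]) in m.globals_ for r in m.nats)
    if hidden:
        dst_x = translation_for(m, dst_if, dst_ip, src_if, src_ip)
        if dst_x is None or dst_x.startswith("PAT"):
            return False, (f"{dst_if}:{dst_ip} is hidden behind the {src_if} interface "
                           f"by outside PAT; add a static or a nat 0 access-list exemption")
    return True, f"source {src_x}"


def reused_nat_ids(m):
    """NAT IDs shared by nat rules on different interfaces (the thread advises unique IDs)."""
    seen = {}
    for r in m.nats:
        if r["id"]:
            seen.setdefault(r["id"], set()).add(r["iface"])
    return {i: sorted(s) for i, s in seen.items() if len(s) > 1}


ORIGINAL = """\
global (DMZ) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0 outside 0 0
global (outside) 1 interface
nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
"""

FIXED = """\
global (DMZ) 5 interface
nat (outside) 5 0.0.0.0 0.0.0.0 outside 0 0
global (outside) 6 interface
nat (DMZ) 6 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.x y.y.y.y
access-list nonatoutside deny ip any host y.y.y.y
access-list nonatoutside permit ip any any
nat (outside) 0 access-list nonatoutside outside
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        m = parse_pix_nat(cfg)
        print(label, "reused ids:", reused_nat_ids(m))
        print("  DMZ -> outside:", check_flow(m, "DMZ", "dmz_host", "outside", "outside_host"))
        print("  outside -> DMZ:", check_flow(m, "outside", "outside_host", "DMZ", "dmz_host"))
```

With the original config the model reports the DMZ-to-outside flow as blocked because outside_host is hidden behind the DMZ interface, which is the condition behind the "No translation group found" message; with the corrected config the same flow succeeds via the outside interface PAT, and the inside host keeps using its static. The model also makes the trade-off visible: once the nat 0 exemption permits "ip any any", outside sources reaching the DMZ are exempt from translation rather than hidden, except for traffic to the inside host that the deny entry still sends through outside NAT.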
02-23-2005 12:50 AM
Thank you!
see above ...