translation question

mjsully
Level 1

I have a PIX firewall with a dmz interface that VPN users come into. I would like to be able to define that a range of 4 source ip addresses coming into the dmz interface be able to go anywhere on the inside interface. I know I need an acl permitting the ip range through, but I need to set the translations so that they can go to any destination on the inside via its true inside address. I can't create a blanket config like "static (dmz,inside) 10.0.0.0 10.0.0.0", because that will conflict with other statics between those interfaces and I don't want any ip coming into the VPN dmz to be able to go to these inside addresses. How do I set it up so that only the 4 static ip addresses can go to any destination inside address without the normal need for creating a static statement for each destination they need to go to, at the same time without this config interfering with anything else?

6 Replies

dominic.caron
Level 5

Use NAT exemption (nat 0 access-list)

Something like

permit ip (your 4 range) to (your internal network)

It's less flexible than a static statement, but if you don't have any need (now and in the future) for NAT between those two interfaces, it's a simple config and can handle two-way traffic.

Works for me. I have 6 networks in my DMZ (VPN and AS) and I use that solution: NAT toward outside and NAT exemption to inside.

a.kiprawih
Level 7

Hi,

I think the feature you're looking at is more or less similar to "outside NAT".

Maybe you can follow the basic guide at the following URL:

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1113519

Maybe you can do something like this, since you mentioned it was for 4 IP Addresses:

nat (outside) 1 x.x.x.1 255.255.255.255 outside

nat (outside) 2 x.x.x.2 255.255.255.255 outside

nat (outside) 3 x.x.x.3 255.255.255.255 outside

nat (outside) 4 x.x.x.4 255.255.255.255 outside

global (inside) 1 y.y.y.1

global (inside) 2 y.y.y.2

global (inside) 3 y.y.y.3

global (inside) 4 y.y.y.4

Then use ACL to permit the 4 addresses to reach any internal IP/subnets.

Hope this helps.

Rgds,

AK

I'm a little confused. Doesn't doing the nat (outside) translate the source ip addresses to whatever is defined with the matching global statement? If I'm going from a dmz interface to an inside interface, I need a translation on the destination, not the source. Correct?

My internal network on the inside of the PIX is a 10.0.0.0/8. I want these 4 vpn users to be able to access any destination 10.0.0.0 address without having to translate each destination host individually. If I wasn't worried about it conflicting with other config, I'd just do a "static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0". However, that would be a blanket translation for anyone going to the inside network; I only want it to affect the 4 vpn users. Right now, for example, if I want a specific vpn user to access the 10.1.1.1 server, I have to do a "static (inside,dmz) 10.1.1.1 10.1.1.1 netmask 255.255.255.255". As there are countless inside hosts that these 4 vpn users could be accessing, I don't want to have to do an individual translation for each possible destination address.

So you want to allow certain IPs on a DMZ (not the outside) to get to the inside?

This is low -> high security level, therefore you need a static NAT (for the inside IPs) and ACL entries, along the lines of:

static (inside,dmz) inside_subnet inside_subnet netmask ...

access-list in_dmz permit specific_IPs inside_IPs

If I did that:

static (inside,dmz) inside_subnet inside_subnet netmask ...

How would this lock it down to only the 4 vpn users? Wouldn't that be a global command that affected everything? Is there a way to static against an access-list?

dominic.caron
Level 5

I still think you can use NAT exemption:

access-list no-nat permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0

access-list no-nat permit icmp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0

nat (dmz) 0 access-list no-nat
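A complete worked configuration for what the thread converges on, added here as an example and not taken from any of the posts above: NAT exemption scoped to exactly the four VPN hosts, plus the inbound ACL on the dmz interface that low-to-high traffic still needs. The four VPN client addresses (192.168.100.1-4), the ACL names no-nat and dmz_in, and the interface security levels are assumptions; the 10.0.0.0/8 inside network comes from the original post.

```text
! Added example, not from the original thread. Assumed values:
!   192.168.100.1-4 : the four VPN client addresses on the dmz interface
!   10.0.0.0/8      : the inside network (from the original post)
!   dmz is a lower security level than inside (e.g. 50 vs 100)

! 1. Exemption ACL: only these four sources, to any inside address.
!    Scoping the source to the four hosts (rather than 10.0.0.0/8 to
!    10.0.0.0/8) is what keeps other dmz hosts on their existing
!    static/nat statements and stops this from interfering with them.
access-list no-nat permit ip host 192.168.100.1 10.0.0.0 255.0.0.0
access-list no-nat permit ip host 192.168.100.2 10.0.0.0 255.0.0.0
access-list no-nat permit ip host 192.168.100.3 10.0.0.0 255.0.0.0
access-list no-nat permit ip host 192.168.100.4 10.0.0.0 255.0.0.0

! 2. Apply NAT exemption on the dmz interface. Exemption is matched
!    before static and nat/global statements, so no per-destination
!    static (inside,dmz) entries are needed for these four hosts.
nat (dmz) 0 access-list no-nat

! 3. Exemption only provides the translation. Because dmz -> inside is
!    lower -> higher security, an ACL applied inbound on dmz must also
!    permit the sessions. Keep it to the same four hosts.
access-list dmz_in permit ip host 192.168.100.1 10.0.0.0 255.0.0.0
access-list dmz_in permit ip host 192.168.100.2 10.0.0.0 255.0.0.0
access-list dmz_in permit ip host 192.168.100.3 10.0.0.0 255.0.0.0
access-list dmz_in permit ip host 192.168.100.4 10.0.0.0 255.0.0.0
! Existing dmz_in entries for other traffic belong here, above the deny.
access-list dmz_in deny ip any 10.0.0.0 255.0.0.0
access-group dmz_in in interface dmz
```

To confirm the exemption is actually being hit rather than an existing static, generate a connection from one of the four hosts and check `show access-list no-nat` for a non-zero hit count and `show xlate` for the untranslated 10.x entry. Because NAT exemption is bidirectional, inside hosts will also be able to initiate connections to those four dmz addresses if the ACL applied inbound on the inside interface allows it; add a deny there if that is not wanted.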