Unique POLICY NAT requirement

sreddy
Level 1

Hello team,

I have a unique policy NAT kind of a requirement.

Description of the network:

External customers ----------- Internet cloud ------- PIX (FWSM blade) --------- SVR-1 (10.10.0.46) + SVR-2 (10.10.0.47)

Two external IPs are mapped to two internal servers with extended NATing:

192.168.0.46 to 10.10.0.46 --- tcp port 25

192.168.0.47 to 10.10.0.47 --- tcp port 25

GOAL:

My goal is to achieve the following:

1. I should be able to send all outgoing UDP traffic from internal servers to the outside world as 192.168.0.48 (as one single source IP) – for external customers it should appear as one single IP – 192.168.0.48.

2. From outside cloud, I should also be able to telnet to external IPs 192.168.0.46 (port 25) and 192.168.0.47 (port 25).

3. From outside cloud, I should also be able to ping 192.168.0.46 and 192.168.0.47 IP addresses.

I have the following configuration for the above requirement; I could achieve goals 1 and 2 but not 3. Please let me know if you have any better ideas to achieve all three goals:

Is it possible to set up ICMP proxy on PIX firewall to respond for incoming ICMP queries from Internet cloud for internal servers (to achieve goal #3)?

static (intf-2,outside) tcp 192.168.0.46 25 10.10.0.46 25 netmask 255.255.255.255
static (intf-2,outside) tcp 192.168.0.47 25 10.10.0.47 25 netmask 255.255.255.255

access-list acl_out permit tcp any host 192.168.0.46 eq 25
access-list acl_out permit tcp any host 192.168.0.47 eq 25
access-list acl_out permit icmp any host 192.168.0.46
access-list acl_out permit icmp any host 192.168.0.47

access-list police permit udp 10.10.0.0 255.255.255.0 any eq 9000
access-list police permit udp 10.10.0.0 255.255.255.0 any eq 9001
access-list police permit tcp 10.10.0.0 255.255.255.0 any
access-list police permit icmp 10.10.0.0 255.255.255.0 any

access-group police in interface intf-2

nat (intf-2) 10 access-list police
global (intf-2) 10 192.168.0.48

4 Replies

ehirsel
Level 6

What level of code are you running on the FWSM module?

You may be able to use acls in the static statements the way you can with a pix running 6.3.3 code. It would go something like this:

acl udp_acl01 permit udp host 10.0.0.46 any
acl udp_acl01 permit udp host 10.0.0.47 any
static (intf-2, outside) 192.168.0.48 access-list udp_acl01

acl icmp_tcp_acl01 permit tcp host 10.0.0.46 any
acl icmp_tcp_acl01 permit icmp host 10.0.0.46 any
static (intf-2, outside) 192.168.0.46 access-list icmp_tcp_acl01

acl icmp_tcp_acl02 permit tcp host 10.0.0.47 any
acl icmp_tcp_acl02 permit icmp host 10.0.0.47 any
static (intf-2, outside) 192.168.0.47 access-list icmp_tcp_acl02

Note that the acl's do not define ports, but they only apply to interesting traffic as far as nat is concerned. You would still have acl statements that determine whether or not to drop packets.

As static overrides nat and global, you can remove the acl named police and the nat 10 and global 10 statements that go along with it.

Let me know if this helps.

You configured:

nat (intf-2) 10 access-list police

global (intf-2) 10 192.168.0.48

It should be:

nat (intf-2) 10 10.10.0.0 255.255.255.0

# in the nat we do not care about ip, udp, tcp or icmp . This is an access-list on the interface!!

global (outside) 10 192.168.0.48

# Port Address Translation to the outside interface.

Syntax:

nat (inside) 1 Localnet LocalSubnet

global (outside) 1 OUTSIDEIP

See this document:

Using nat, global, static, conduit, and access-list Commands and Port Redirection on PIX:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

sincerely

Patrick

Thanks for your valuable input…

I'm planning to upgrade FWSM to 2x.

Also I upgraded PIX to 6.3.4 and tried these commands...

Static statements with access-lists only accept UDP and TCP connections, not ICMP connections.

Here’s what the problem is:

acl icmp_tcp_acl01 permit tcp host 10.0.0.46 any
acl icmp_tcp_acl01 permit icmp host 10.0.0.46 any
static (intf-2, outside) 192.168.0.46 access-list icmp_tcp_acl01

(If you specify TCP or UDP in any of your access-lists, you need to specify the same tcp or udp parameter in the static statement too, like:

static (intf-2, outside) tcp 192.168.0.46 smtp access-list icmp_tcp_acl01

However, you cannot specify ICMP in this statement because the options are only “tcp|udp” ---- no ICMP.) PIX will throw the following error:

ERROR: cannot translate from IP protocol icmp to IP protocol ip

TCP and UDP static translations work fine from static statements, but ICMP is my main problem because static commands don’t accept ICMP option.

Please let me know if anyone has ideas to get around this ICMP problem.

Also a quick doubt:

Is it possible to configure PIX to respond to ICMP requests from the internet cloud to PAT addresses? -> Can I ping the PAT address of the PIX interface from outside?

Thanks in advance…

S

Pix won't do proxy ping, i.e. respond on behalf.

To resolve your 3rd point you'd need to set up a static NAT without specifying tcp 25, i.e.:

static (intf-2,outside) 192.168.0.46 10.10.0.46 netmask 255.255.255.255
static (intf-2,outside) 192.168.0.47 10.10.0.47 netmask 255.255.255.255

and then apply an access-list to intf-2 to allow only smtp 25 and icmp.

That's the only way to make it work.
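To make the behaviour discussed in this thread concrete, here is an added example (not from the original post, not Cisco code) that models how a PIX 6.x-style firewall selects a translation for the two configurations: the posted one with tcp/25-only statics plus nat/global PAT, and the last reply's one-to-one statics with the interface ACL limiting traffic to smtp and icmp. The model applies the precedence stated above by ehirsel (a matching static wins over nat/global) and the rule from the original poster's testing (a port-specific static only carries that protocol and port, so ICMP never matches it). The external client 203.0.113.10 and the ports are constructed sample values, and the ACL/translation engine is a toy, not the PIX implementation. Running it shows why the ping in goal 3 fails with the posted config and succeeds with one-to-one statics; it also shows the side effect a practitioner would want to check: once 10.10.0.46 has a one-to-one static, its outbound UDP leaves as 192.168.0.46, not the shared PAT address 192.168.0.48 from goal 1.

```python
"""Toy model of PIX 6.x translation selection for the two configs in this thread.
Added example, not the original post's configuration or Cisco's code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None   # None for icmp
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    """One access-list entry: protocol, source net, destination net, optional 'eq' port."""
    proto: str                    # "ip", "tcp", "udp" or "icmp"
    src: str                      # CIDR; "0.0.0.0/0" stands for 'any'
    dst: str
    dport: Optional[int] = None

    def permits(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport

def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    return any(ace.permits(pkt) for ace in acl)   # implicit deny at the end

@dataclass(frozen=True)
class Static:
    """static (intf-2,outside) [tcp|udp] global [gport] local [lport]."""
    global_ip: str
    local_ip: str
    proto: Optional[str] = None   # None: all IP protocols, ICMP included
    port: Optional[int] = None

    def matches_inbound(self, pkt: Packet) -> bool:
        if pkt.dst != self.global_ip:
            return False
        return self.proto is None or (pkt.proto == self.proto and pkt.dport == self.port)

    def matches_outbound(self, pkt: Packet) -> bool:
        if pkt.src != self.local_ip:
            return False
        return self.proto is None or (pkt.proto == self.proto and pkt.sport == self.port)

@dataclass
class Pix:
    outside_acl: List[Ace]        # applied inbound on outside, against global addresses
    inside_acl: List[Ace]         # access-group police in interface intf-2
    statics: List[Static]
    policy_nat_acl: List[Ace]     # nat (intf-2) 10 access-list police
    pat_global: str               # global (outside) 10 192.168.0.48

    def inbound(self, pkt: Packet) -> Optional[str]:
        """outside -> intf-2: real destination, or None if dropped."""
        if not acl_permits(self.outside_acl, pkt):
            return None                           # denied by acl_out
        for st in self.statics:                   # inbound needs a static translation
            if st.matches_inbound(pkt):
                return st.local_ip
        return None                               # no translation group found

    def outbound(self, pkt: Packet) -> Optional[str]:
        """intf-2 -> outside: mapped source address, or None if dropped."""
        if not acl_permits(self.inside_acl, pkt):
            return None
        for st in self.statics:                   # static wins over nat/global
            if st.matches_outbound(pkt):
                return st.global_ip
        if acl_permits(self.policy_nat_acl, pkt):
            return self.pat_global                # policy NAT to the PAT address
        return None

ANY, SERVERS = "0.0.0.0/0", "10.10.0.0/24"
POLICE = [Ace("udp", SERVERS, ANY, 9000), Ace("udp", SERVERS, ANY, 9001),
          Ace("tcp", SERVERS, ANY), Ace("icmp", SERVERS, ANY)]
ACL_OUT = [Ace("tcp", ANY, "192.168.0.46/32", 25), Ace("tcp", ANY, "192.168.0.47/32", 25),
           Ace("icmp", ANY, "192.168.0.46/32"), Ace("icmp", ANY, "192.168.0.47/32")]

# As posted: tcp/25 port statics plus nat/global PAT.
POSTED = Pix(ACL_OUT, POLICE, [Static("192.168.0.46", "10.10.0.46", "tcp", 25),
                               Static("192.168.0.47", "10.10.0.47", "tcp", 25)],
             POLICE, "192.168.0.48")
# As in the last reply: one-to-one statics; acl_out still limits to smtp and icmp.
ONE_TO_ONE = Pix(ACL_OUT, POLICE, [Static("192.168.0.46", "10.10.0.46"),
                                   Static("192.168.0.47", "10.10.0.47")],
                 POLICE, "192.168.0.48")
CLIENT = "203.0.113.10"           # constructed external host

def ping_from_outside(pix: Pix, global_ip: str) -> Optional[str]:
    return pix.inbound(Packet("icmp", CLIENT, global_ip))

def smtp_from_outside(pix: Pix, global_ip: str) -> Optional[str]:
    return pix.inbound(Packet("tcp", CLIENT, global_ip, sport=40000, dport=25))

def udp_from_server(pix: Pix, local_ip: str) -> Optional[str]:
    return pix.outbound(Packet("udp", local_ip, CLIENT, sport=5555, dport=9000))

if __name__ == "__main__":
    for name, pix in (("posted", POSTED), ("one-to-one", ONE_TO_ONE)):
        print(name, "ping 192.168.0.46 ->", ping_from_outside(pix, "192.168.0.46"))
        print(name, "smtp 192.168.0.46 ->", smtp_from_outside(pix, "192.168.0.46"))
        print(name, "udp from 10.10.0.46 ->", udp_from_server(pix, "10.10.0.46"))
```

In the posted configuration the echo request to 192.168.0.46 passes acl_out but finds no translation, because both statics carry only tcp/25, so it is dropped; with one-to-one statics it reaches 10.10.0.46 while a tcp/80 probe is still stopped by acl_out. The same one-to-one static also captures the server's outbound UDP, which is the interaction to verify against goal 1 before deploying.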