GroupStudy.com - A virtual community of network engineers
RE: PIX NAT?? posted 06/01/2003


http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/bafwcfg.htm#1063701
Starting with PIX Firewall version 6.2, NAT and PAT can be applied to
traffic from an outside or less secure interface to an inside (more secure)
interface. This functionality is called Outside NAT.
However, I just tried it with 6.21 - no luck :(

ip address outside 172.16.10.10 255.255.255.0
ip address inside 172.16.50.1 255.255.255.0
global (inside) 1 interface
nat (outside) 1 172.16.10.64 255.255.255.192 outside 0 0
conduit permit ip any any
No translation group found for icmp src outside:172.16.10.100 dst inside:172.16.50.5 (type 8, code 0)

> -----Original Message-----
> From: Dong Lin [mailto:dlin22@xxxxxxxxxxx]
> Sent: Saturday, May 31, 2003 8:10 PM
> To: ccielab@xxxxxxxxxxxxxx
> Subject: Re: PIX NAT??
> 
> 
> The answer to your question is no.
> 
> nat and global are used to let traffic from a high security
> interface to a low security interface.
> 
> You need to use static and acl to let traffic from the
> outside interface to the inside interface (nat is performed
> by the static command).
> 
> 
> ----- Original Message ----- 
> From: "Michael Popovich" <michael625@xxxxxxx>
> To: <ccielab@xxxxxxxxxxxxxx>
> Sent: Saturday, May 31, 2003 4:19 AM
> Subject: PIX NAT??
> 
> 
> > Can you NAT from the Outside interface to the Inside interface?
> >
> > I have:
> >
> > nat (outside) 1 0.0.0.0 0.0.0.0
> > global (inside) 1 interface
> >
> > This doesn't seem to work for me, now I am wondering if it 
> is possible.
> >
> > MP

From: "Scott Morris" <swm@xxxxxxxxxx>
To: "'Volkov, Dmitry (IDS Canada)'" <dmitry_volkov@xxxxxxxxx>, "'Dong Lin'" <dlin22@xxxxxxxxxxx>
Cc: <ccielab@xxxxxxxxxxxxxx>, <michael625@xxxxxxx>, <security@xxxxxxxxxxxxxx>
Subject: RE: PIX NAT??
Date: Sat, 31 May 2003 22:56:18 -0400
Organization: Emanon.com, Inc.

Order of NAT...  Traffic must come in prior to NAT xlate existing.  A
static command will pre-populate.  Try static on your inside guys and
then the outside should work.  At that point, your local host would
think it were being ping'ed by the PIX.

-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
Volkov, Dmitry (IDS Canada)
Sent: Saturday, May 31, 2003 10:15 PM
To: 'Dong Lin'
Cc: ccielab@xxxxxxxxxxxxxx; 'michael625@xxxxxxx';
'security@xxxxxxxxxxxxxx'
Subject: RE: PIX NAT??


http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/bafwcfg.htm#1063701
Starting with PIX Firewall version 6.2, NAT and PAT can be applied to
traffic from an outside or less secure interface to an inside (more
secure) interface. This functionality is called Outside NAT.
However, I just tried it with 6.21 - no luck :(

ip address outside 172.16.10.10 255.255.255.0
ip address inside 172.16.50.1 255.255.255.0
global (inside) 1 interface
nat (outside) 1 172.16.10.64 255.255.255.192 outside 0 0
conduit permit ip any any
No translation group found for icmp src outside:172.16.10.100 dst inside:172.16.50.5 (type 8, code 0)

> -----Original Message-----
> From: Dong Lin [mailto:dlin22@xxxxxxxxxxx]
> Sent: Saturday, May 31, 2003 8:10 PM
> To: ccielab@xxxxxxxxxxxxxx
> Subject: Re: PIX NAT??
> 
> 
> The answer to your question is no.
> 
> nat and global are used to let traffic from a high security
> interface to a low security interface.
> 
> You need to use static and acl to let traffic from the
> outside interface to the inside interface (nat is performed
> by the static command).
> 
> 
> ----- Original Message -----
> From: "Michael Popovich" <michael625@xxxxxxx>
> To: <ccielab@xxxxxxxxxxxxxx>
> Sent: Saturday, May 31, 2003 4:19 AM
> Subject: PIX NAT??
> 
> 
> > Can you NAT from the Outside interface to the Inside interface?
> >
> > I have:
> >
> > nat (outside) 1 0.0.0.0 0.0.0.0
> > global (inside) 1 interface
> >
> > This doesn't seem to work for me, now I am wondering if it
> is possible.
> >
> > MP

From: "Volkov, Dmitry (IDS Canada)" <dmitry_volkov@xxxxxxxxx>
To: "'Scott Morris'" <swm@xxxxxxxxxx>
cc: ccielab@xxxxxxxxxxxxxx, security@xxxxxxxxxxxxxx
Subject: RE: PIX NAT?? - It works
Date: Sun, 1 Jun 2003 18:34:52 -0400

> -----Original Message-----
> From: Scott Morris [mailto:swm@xxxxxxxxxx]
> Sent: Saturday, May 31, 2003 10:56 PM
> To: 'Volkov, Dmitry (IDS Canada)'; 'Dong Lin'
> Cc: ccielab@xxxxxxxxxxxxxx; michael625@xxxxxxx; 
> security@xxxxxxxxxxxxxx
> Subject: RE: PIX NAT??

Scott,

I didn't quite understand you. Could you please explain it? Maybe some
example?

> Order of NAT...  Traffic must come in prior to NAT xlate existing.  A
> static command will pre-populate.  Try static on your inside guys and
> then the outside should work.  At that point, your local host would
> think it were being ping'ed by the PIX.

Actually I did a few tests and that's what I found:

We know that for traffic flows from a high-sec to a lower-sec interface, nat and
global should be configured, or static NAT (conduit as well).
In case we don't want NAT we have to use "nat (inside) 0".
The principle is: to be able to pass traffic via the PIX we HAVE to configure
NAT in some way.
Here it's said:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1113519
"Use a natid of 0 with the outside option to disable address translation of
hosts residing on the lower security interface. Use this option only if
outside dynamic NAT is configured on the interface. By default, address
translation is automatically disabled for hosts connected to the lower
security interface."

We don't see "nat (outside) 0" but it's there. On the higher-sec interface it
should be defined explicitly (if we want it).
In a normal setup we have internal networks PAT'd behind outside, and returning
packets are not additionally translated (because: "By default, address
translation is automatically disabled for hosts connected to the lower
security interface") and are translated back using the PAT we configured.
The PIX will verify if a translation already exists, and if it doesn't it will
check "nat (interface) 0"; if the packet matches, it will proceed.

So I added "nat (inside) 0 acl" and "nat (outside) 0 acl outside" and I got
2 PATs working both ways.
The idea here: packets going through the PIX and being PAT'd should come back
without any additional translation, so we have to use "nat (interface) 0".
If we have network(s) A and we PAT them one way, and we have network(s) B and
we PAT them the other way, these networks A and B will not be able to talk to
each other.
I believe it's true for any firewall. Checkpoint works the same way.

Here is the config:
Test-Host(172.16.50.100)------(in)PIX(out)-----Test-Host(172.16.10.100)
Net 172.16.50.64/26 is PAT'd on the outside interface and accesses Net 172.16.10.0/29
Net 172.16.10.64/26 is PAT'd on the inside interface and accesses Net 172.16.50.0/29

access-list 2-OUTSIDE permit ip 172.16.50.0 255.255.255.192 any  
access-list 2-INSIDE permit ip 172.16.10.0 255.255.255.192 any 
ip address outside 172.16.10.10 255.255.255.0
ip address inside 172.16.50.1 255.255.255.0
global (outside) 1 interface
global (inside) 2 interface
nat (outside) 0 access-list 2-INSIDE outside
nat (outside) 2 172.16.10.64 255.255.255.192 outside 0 0
nat (inside) 0 access-list 2-OUTSIDE
nat (inside) 1 172.16.50.64 255.255.255.192 0 0
conduit permit ip any any

ping from 172.16.50.100 to 172.16.10.1
609001: Built local-host inside:172.16.50.100
305011: Built dynamic ICMP translation from inside:172.16.50.100/768 to outside:172.16.10.10/6

ping from 172.16.10.100 to 172.16.50.5
609001: Built local-host inside:172.16.50.5
609001: Built local-host outside:172.16.10.100
305011: Built dynamic ICMP translation from outside:172.16.10.100/512 to inside:172.16.50.1/67
sh xlate
2 in use, 20 most used
PAT Global 172.16.50.1(67) Local 172.16.10.100 ICMP id 512 
PAT Global 172.16.10.10(6) Local 172.16.50.100 ICMP id 768 

a few more telnet sessions:
PAT Global 172.16.50.1(1024) Local 172.16.10.100(4593) 
PAT Global 172.16.50.1(1026) Local 172.16.10.100(4608) 
PAT Global 172.16.10.10(1025) Local 172.16.50.100(1077) 
PAT Global 172.16.10.10(1) Local 172.16.50.100(137) 
PAT Global 172.16.10.10(1024) Local 172.16.50.100(1075) 

As far as I understand, 6.3 allows using an ACL with a nat statement other than
"0": "nat interface natid access-list acl-name outside". It seems to be much
more flexible.

Dmitry

> 
> -----Original Message-----
> From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On 
> Behalf Of
> Volkov, Dmitry (IDS Canada)
> Sent: Saturday, May 31, 2003 10:15 PM
> To: 'Dong Lin'
> Cc: ccielab@xxxxxxxxxxxxxx; 'michael625@xxxxxxx';
> 'security@xxxxxxxxxxxxxx'
> Subject: RE: PIX NAT??
> 
> 
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/bafwcfg.htm#1063701
> Starting with PIX Firewall version 6.2, NAT and PAT can be applied to
> traffic from an outside or less secure interface to an inside (more
> secure) interface. This functionality is called Outside NAT.
> However, I just tried it with 6.21 - no luck :(
> 
> ip address outside 172.16.10.10 255.255.255.0
> ip address inside 172.16.50.1 255.255.255.0
> global (inside) 1 interface
> nat (outside) 1 172.16.10.64 255.255.255.192 outside 0 0
> conduit permit ip any any
> No translation group found for icmp src outside:172.16.10.100 dst inside:172.16.50.5 (type 8, code 0)
> 
> > -----Original Message-----
> > From: Dong Lin [mailto:dlin22@xxxxxxxxxxx]
> > Sent: Saturday, May 31, 2003 8:10 PM
> > To: ccielab@xxxxxxxxxxxxxx
> > Subject: Re: PIX NAT??
> > 
> > 
> > The answer to your question is no.
> > 
> > nat and global are used to let traffic from a high security
> > interface to a low security interface.
> > 
> > You need to use static and acl to let traffic from the
> > outside interface to the inside interface (nat is performed
> > by the static command).
> > 
> > 
> > ----- Original Message -----
> > From: "Michael Popovich" <michael625@xxxxxxx>
> > To: <ccielab@xxxxxxxxxxxxxx>
> > Sent: Saturday, May 31, 2003 4:19 AM
> > Subject: PIX NAT??
> > 
> > 
> > > Can you NAT from the Outside interface to the Inside interface?
> > >
> > > I have:
> > >
> > > nat (outside) 1 0.0.0.0 0.0.0.0
> > > global (inside) 1 interface
> > >
> > > This doesn't seem to work for me, now I am wondering if it
> > is possible.
> > >
> > > MP
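
The translation rules Scott and Dmitry describe above, as an added example that is not part of this thread or of Cisco's documentation: a small Python model of the PIX 6.x translation lookup the way the thread reads it. A static pre-populates the xlate (Scott's point); "nat (interface) 0" supplies the identity translation that the far end of a PAT'd flow needs (Dmitry's fix); the lower-security interface gets that identity by default unless outside dynamic NAT is configured on it (the quoted doc text); and a host reachable only through a dynamic PAT cannot be the target of a new flow (why networks A and B can't talk). It runs Dmitry's failing and working configurations from above. The static line and its 172.16.10.200 global address are constructed for the example, and Pix, lookup and connection are names chosen here. This is a simplified model of the thread's reasoning, not the firewall's actual code path; conduit and access-list filtering are left out.

```python
"""Toy model of the PIX 6.x translation lookup as this thread describes it (not
Cisco's code): every host a flow touches needs a translation (xlate) on its own
interface, from an existing entry, a "static" (it pre-populates the xlate), an
identity match on "nat (ifc) 0", or a dynamic nat/global pair.  A host reachable
only through a dynamic PAT cannot be the target of a new flow."""
import ipaddress


class Pix:
    def __init__(self, security, config):
        self.security = security   # interface -> security level
        self.ifc_ip = {}           # interface -> own address (the "interface" keyword)
        self.globals_ = {}         # (ifc, natid) -> "interface"
        self.nats = []             # (ifc, natid, [networks], has "outside" keyword)
        self.acls = {}             # acl name -> [networks]
        self.statics = []          # (high_ifc, low_ifc, global_ip, local_ip)
        self.xlate = {}            # (ifc, host) -> (kind, mapped address)
        for w in (line.split() for line in config.splitlines() if line.strip()):
            self._parse(w)

    def _parse(self, w):
        net = lambda a, m: ipaddress.ip_network(f"{a}/{m}", strict=False)
        if w[:2] == ["ip", "address"]:            # ip address IFC ADDR MASK
            self.ifc_ip[w[2]] = ipaddress.ip_address(w[3])
        elif w[0] == "access-list":               # access-list NAME permit ip NET MASK any
            self.acls.setdefault(w[1], []).append(net(w[4], w[5]))
        elif w[0] == "global":                    # global (IFC) ID interface
            self.globals_[(w[1].strip("()"), int(w[2]))] = w[3]
        elif w[0] == "nat":                       # nat (IFC) ID NET MASK|access-list NAME [outside] [0 0]
            nets = self.acls[w[4]] if w[3] == "access-list" else [net(w[3], w[4])]
            self.nats.append((w[1].strip("()"), int(w[2]), nets, "outside" in w[5:]))
        elif w[0] == "static":                    # static (HIGH,LOW) GLOBAL LOCAL netmask MASK
            high, low = w[1].strip("()").split(",")
            self.statics.append((high, low, ipaddress.ip_address(w[2]), ipaddress.ip_address(w[3])))

    def lookup(self, ifc, host, out_ifc):
        """Translation for HOST on IFC toward OUT_IFC; None means "No translation group found"."""
        if (ifc, host) in self.xlate:
            return self.xlate[(ifc, host)]
        for high, low, glob, local in self.statics:
            if (ifc, out_ifc, host) == (high, low, local):
                return ("static", glob)
        low_side = self.security[ifc] < self.security[out_ifc]
        # Quoted doc text: translation is off by default on the lower-security
        # interface, unless outside dynamic NAT is configured on it.
        if low_side and not any(n[0] == ifc and n[1] != 0 and n[3] for n in self.nats):
            return ("identity", host)
        # "nat (ifc) 0" is consulted before the numbered dynamic rules
        for nifc, natid, nets, outside in sorted(self.nats, key=lambda n: n[1] != 0):
            if nifc != ifc or (low_side and not outside) or not any(host in n for n in nets):
                continue                          # outside NAT needs the "outside" keyword
            if natid == 0:
                return ("identity", host)
            if self.globals_.get((out_ifc, natid)) == "interface":
                return ("pat", self.ifc_ip[out_ifc])
        return None

    def connection(self, in_ifc, src, out_ifc, dst):
        """Open a new flow; returns (status, src_translation, dst_translation)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for high, low, glob, local in self.statics:   # packet addresses the static's global ip
            if (in_ifc, out_ifc, dst) == (low, high, glob):
                dst = local
        s, d = self.lookup(in_ifc, src, out_ifc), self.lookup(out_ifc, dst, in_ifc)
        if s is None or d is None:
            return ("no-xlate", s, d)
        if d[0] == "pat":                             # a dynamic PAT can't be a new flow's target
            return ("pat-target", s, d)
        self.xlate[(in_ifc, src)] = s                 # the "Built dynamic ... translation" log line
        return ("ok", s, d)


SECURITY = {"outside": 0, "inside": 100}
# Dmitry's first, failing config and his working one (both from the thread, conduit omitted)
CONFIG_FIRST = """
ip address outside 172.16.10.10 255.255.255.0
ip address inside 172.16.50.1 255.255.255.0
global (inside) 1 interface
nat (outside) 1 172.16.10.64 255.255.255.192 outside 0 0
"""
CONFIG_WORKING = """
access-list 2-OUTSIDE permit ip 172.16.50.0 255.255.255.192 any
access-list 2-INSIDE permit ip 172.16.10.0 255.255.255.192 any
ip address outside 172.16.10.10 255.255.255.0
ip address inside 172.16.50.1 255.255.255.0
global (outside) 1 interface
global (inside) 2 interface
nat (outside) 0 access-list 2-INSIDE outside
nat (outside) 2 172.16.10.64 255.255.255.192 outside 0 0
nat (inside) 0 access-list 2-OUTSIDE
nat (inside) 1 172.16.50.64 255.255.255.192 0 0
"""
# Scott's suggestion applied to the first config; this static line and its 172.16.10.200 global are constructed
CONFIG_STATIC = CONFIG_FIRST + "static (inside,outside) 172.16.10.200 172.16.50.5 netmask 255.255.255.255\n"

if __name__ == "__main__":
    print(Pix(SECURITY, CONFIG_FIRST).connection("outside", "172.16.10.100", "inside", "172.16.50.5"))
    print(Pix(SECURITY, CONFIG_STATIC).connection("outside", "172.16.10.100", "inside", "172.16.10.200"))
    print(Pix(SECURITY, CONFIG_WORKING).connection("outside", "172.16.10.100", "inside", "172.16.50.5"))
```

With the first config the outside host gets its PAT but 172.16.50.5 has no translation on inside, which is the "No translation group found" line in the thread; adding the static gives the inside host its pre-populated entry; with the working config both pings succeed and the xlate table ends with two entries, matching the "2 in use" of the sh xlate output, while a flow from the 172.16.50.64/26 network to the 172.16.10.64/26 network is refused because its target is only reachable through a dynamic PAT.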

Date: Sun, 01 Jun 2003 18:39:13 -0400
From: Sean Garrett <sgarrett@xxxxxxxxxxxxxxxx>
Subject: Logging Synchronous
To: security@xxxxxxxxxxxxxx

Hi all

This is probably an easy one, but does anybody know of an equivalent command
for 'logging synchronous' under the console or vty of a router, but on the
pix (6.3), that would repaint my prompt after getting the system messages?

If I'm logging console 7 (in a lab environment only) and want to get my
prompt back while seeing the console messages go by. I didn't find it on CCO
anywhere.
Just curious. I'm new to the list and also wanted to send a test message.

Thanks,

Sean Garrett, CCIE#11390
Sr Network Engineer
Perfect Order Inc.
CCNP MCSE MCNE
Cell: 717-571-2603
sgarrett@xxxxxxxxxxxxxxxx

From: Keyur Shah <kshah@xxxxxxxxxxxxxxxxxx>
To: "'Sean Garrett'" <sgarrett@xxxxxxxxxxxxxxxx>, security@xxxxxxxxxxxxxx
Subject: RE: Logging Synchronous
Date: Sun, 1 Jun 2003 19:43:08 -0700 

Manually, ctrl-l would repaint the screen. Don't know of logging synchronous
equivalent cmd on pix though.

-Keyur Shah-
CCIE# 4799 (Security;R/S)
CCSI# 25047; CISSP# 28799
CCSP,CWNA,Cisco Wireless, CCSA, SCNA, MCSE,MCT,MCNE,CNI
Hello Computers
"Say Hello to Your Future!"
http://www.hellocomputers.com
Toll-Free: 1.877.79.HELLO


-----Original Message-----
From: Sean Garrett [mailto:sgarrett@xxxxxxxxxxxxxxxx] 
Sent: Sunday, June 01, 2003 3:39 PM
To: security@xxxxxxxxxxxxxx
Subject: Logging Synchronous


Hi all

This is probably an easy one,  but does anybody know of an equivalent
command for 'logging synchronous' under the console or vty of a router,  but
on the pix (6.3) that would repaint my prompt after getting the system
messages?

If I'm logging console 7 (in a lab environment only) and want to get my
prompt back while seeing the console messages go by.  I didn't find it on
CCO anywhere. Just curious.  I'm new to the list and also wanted to send a
test message.

Thanks,

Sean Garrett, CCIE#11390
Sr Network Engineer
Perfect Order Inc.
CCNP MCSE MCNE
Cell: 717-571-2603
sgarrett@xxxxxxxxxxxxxxxx