RE: PIX NAT??

From: Scott Morris (swm@emanon.com)
Date: Sat May 31 2003 - 22:55:47 GMT-3


Incorrect. You can translate outside source addresses as well. In 6.2
and later, there is an 'outside' parameter that is added to the NAT line
(or static line) in order for you to "tell" the NAT code that you want
to translate outside (aka foreign) source addresses to something as an
inside local address. (Previous to 6.2, use the 'alias' command.)

Now, the concept you have below really isn't feasible, but I'm not
entirely sure that it isn't possible! The difficulty with doing it is
that by translating the outside world's addresses to the PIX interface
address, you are going to DEFINITELY cut off any conversations starting
from your inside network going to the outside world, since there would
be no xlate or state.

So, I guess what I'm trying to say is that even if logically it would
work, that's a really ugly method of restricting things. Just use an
ACL on your inside interface to limit outbound stuff!

However, NORMAL NAT logic is exactly as Dong Lin described, which is
translating the inside source address from a higher to lower interface,
and the reason that most say to use static and acl/conduit has to do
with the order of things. A connection is not possible at all if a
translation doesn't already exist. STATIC commands will pre-populate
the xlate table. NAT commands don't work until traffic initiates it
(meaning outbound traffic from the inside interface). So therefore any
traffic from the Internet (outside intf) coming in would work with NAT
only after some traffic created the translation to begin with.

Also with NAT, you don't have a forced 1:1 relationship between local and
global addresses, so it's difficult to determine which machine on the
inside gets assigned which IP on the outside, making ACL creation
almost impossible. Statics make life much easier.

Hope that helps!

Scott

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Dong Lin
Sent: Saturday, May 31, 2003 8:10 PM
To: ccielab@groupstudy.com
Subject: Re: PIX NAT??

The answer to your question is no.

nat and global are used to let traffic go from a high security interface
to a low security interface.

You need to use static and acl to let traffic from the outside interface
to the inside interface (nat is performed by the static command).

----- Original Message -----
From: "Michael Popovich" <michael625@cox.net>
To: <ccielab@groupstudy.com>
Sent: Saturday, May 31, 2003 4:19 AM
Subject: PIX NAT??

> Can you NAT from the Outside interface to the Inside interface?
>
> I have:
>
> nat (outside) 1 0.0.0.0 0.0.0.0
> global (inside) 1 interface
>
> This doesn't seem to work for me, now I am wondering if it is
> possible.
>
> MP

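The ordering argument in Scott's reply (an inbound connection is only possible once a translation exists; static pre-populates the xlate table, nat/global only creates entries when inside traffic initiates them, and dynamic NAT gives no fixed host-to-global mapping to write an ACL against) can be illustrated with a small model. The following Python is an added example written for this archive page; it is not PIX code or any Cisco source, and the addresses, pool, and ACL set are constructed for the illustration. It models only the two rules the thread states: outside-to-inside needs an existing xlate plus an ACL permit, and dynamic xlates appear only after outbound traffic.

```python
"""Toy model of PIX xlate ordering as described in the thread.
Constructed illustration, NOT PIX code: it keeps an xlate table, lets
'static' entries exist from configuration time, creates nat/global
entries only when an inside host sends outbound, and requires both an
xlate and an outside ACL permit before an inbound packet is forwarded."""
from dataclasses import dataclass, field


@dataclass
class Xlate:
    local: str      # real (inside) address
    global_: str    # mapped (outside-visible) address
    kind: str       # "static" or "dynamic"


@dataclass
class Pix:
    xlates: list = field(default_factory=list)          # active translations
    global_pool: list = field(default_factory=list)     # addresses for nat/global
    acl_outside_in: set = field(default_factory=set)    # mapped IPs the outside ACL permits

    # 'static (inside,outside) global local' in the model: xlate exists immediately.
    def static(self, local, global_):
        self.xlates.append(Xlate(local, global_, "static"))

    # 'nat (inside) 1 ...' + 'global (outside) 1 pool' in the model: only a pool, no xlate yet.
    def nat_global(self, pool):
        self.global_pool = list(pool)

    # 'access-list ... permit ... host global' applied inbound on outside, in the model.
    def permit_inbound(self, global_ip):
        self.acl_outside_in.add(global_ip)

    def outbound(self, src_local):
        """Inside -> outside packet. Uses a static xlate if present, otherwise
        allocates the next free pool address; this is what creates dynamic xlates."""
        x = next((e for e in self.xlates if e.local == src_local), None)
        if x is None:
            used = {e.global_ for e in self.xlates}
            free = [g for g in self.global_pool if g not in used]
            if not free:
                return None     # no nat/global for this host, or pool exhausted
            x = Xlate(src_local, free[0], "dynamic")
            self.xlates.append(x)
        return x.global_

    def inbound(self, dst_global):
        """Outside -> inside packet: needs an existing xlate AND an ACL permit."""
        x = next((e for e in self.xlates if e.global_ == dst_global), None)
        if x is None:
            return "drop: no xlate"
        if dst_global not in self.acl_outside_in:
            return "drop: acl"
        return f"forward to {x.local}"


def demo():
    """Static works before any traffic; dynamic NAT only after an outbound packet.
    All addresses are constructed sample values."""
    pix = Pix()
    pix.nat_global(["203.0.113.10", "203.0.113.11"])   # dynamic pool
    pix.static("10.1.1.80", "203.0.113.80")             # pre-populated xlate
    pix.permit_inbound("203.0.113.80")
    pix.permit_inbound("203.0.113.10")                  # ACL written hoping .10 is one host
    results = {}
    results["static_before_any_traffic"] = pix.inbound("203.0.113.80")
    results["dynamic_before_outbound"] = pix.inbound("203.0.113.10")
    assigned = pix.outbound("10.1.1.5")                 # inside host initiates
    results["assigned_global"] = assigned
    results["dynamic_after_outbound"] = pix.inbound(assigned)
    return results


def dynamic_order_dependence():
    """Same nat/global config, two start-up orders: whichever inside host talks
    first gets the first pool address, so there is no fixed host<->global
    pairing for an outside ACL to name. Returns {order: {host: global}}."""
    mapping = {}
    for order in (("10.1.1.5", "10.1.1.7"), ("10.1.1.7", "10.1.1.5")):
        pix = Pix()
        pix.nat_global(["203.0.113.10", "203.0.113.11"])
        mapping[order] = {host: pix.outbound(host) for host in order}
    return mapping


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
    for order, m in dynamic_order_dependence().items():
        print(f"order {order}: {m}")
```

Running it shows the static mapped address forwarding before any inside traffic, the dynamic pool address dropping with "no xlate" until 10.1.1.5 sends outbound, and the same inside host landing on a different global address depending on who initiated first, which is why the thread recommends static plus an ACL for anything that must be reachable from the outside.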


This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:50 GMT-3