Re: Re: PIX NAT??

From: Michael Popovich (michael625@cox.net)
Date: Sun Jun 01 2003 - 13:31:44 GMT-3


Even though my original configuration below didn't show it I did use the "outside" command on the dynamic nat that I tried.

I haven't had a chance to try some of the suggestions that Scott made regarding static translations although by the documentation that I have seen that should work.

The reason for me attempting this has passed. It was an emergency fix and I was trying to do something that would allow me to keep a server's default gateway pointing to a malfunctioning checkpoint firewall but still allow enterprise and Internet users to hit this server on a DMZ. My thoughts were to use dynamic NAT both ways so that the communication from the clients would appear local to the server. I could do that for Enterprise users since we use a common addressing scheme but the Internet clients need to be using NAT in both directions.

If I could accomplish this then I could leave the Checkpoints where they are, the server's default-gateway still pointing to them, and I then could use host level routing so I could test with a particular client the Checkpoint issues I was having.

Now I am in it for curiosity's sake. I haven't spent the time learning the NAT limits of the PIX firewall. Now is as good a time as any.

MP
>
> From: Dong Lin <dlin22@comcast.net>
> Date: 2003/06/01 Sun AM 11:14:30 EDT
> To: ccielab@groupstudy.com
> Subject: Re: PIX NAT??
>
> You are right. This is a new feature in 6.2 for dynamic outside NAT. For
> static outside NAT, you still use static command.
>
> According to RN and config guide, it should add "outside" keyword at the end
> of nat command like:
>
> nat (outside) 1 0.0.0.0 0.0.0.0 outside
> global (inside) 1 interface
>
> Could this be the problem ?
>
> ----- Original Message -----
> From: "Scott Morris" <swm@emanon.com>
> To: "'Dong Lin'" <dlin22@comcast.net>; <ccielab@groupstudy.com>
> Sent: Saturday, May 31, 2003 9:55 PM
> Subject: RE: PIX NAT??
>
>
> > Incorrect. You can translate outside source addresses as well. In 6.2
> > and later, there is an 'outside' parameter that is added to the NAT line
> > (or static line) in order for you to "tell" the NAT code that you want
> > to translate outside (aka foreign) source address to something as an
> > inside local. (Previous to 6.2, use the 'alias' command)
> >
> > Now, the concept you have below really isn't feasible, but I'm not
> > entirely sure that it isn't possible! The difficulty with doing it is
> > that by translating the outside world's addresses to the PIX interface
> > address, you are going to DEFINITELY cut off any conversations starting
> > from your inside network going to the outside world, since there would
> > be no xlate or state.
> >
> > So, I guess what I'm trying to say is that even if logically it would
> > work, that's a really ugly method of restricting things. Just use an
> > ACL on your inside interface to limit outbound stuff!
> >
> > However, NORMAL NAT logic is exactly as Dong Lin described, which is
> > translating the inside source address from a higher to lower interface,
> > and the reason that most say to use static and acl/conduit has to do
> > with the order of things. A connection is not possible at all if a
> > translation doesn't already exist. STATIC commands will pre-populate
> > the xlate table. NAT commands don't work until traffic initiates it
> > (meaning outbound traffic from the inside interface). So therefore any
> > traffic from the Internet (outside intf) coming in would work with NAT
> > only after some traffic created the translation to begin with.
> >
> > Also with NAT, you don't have a forced 1:1 relationship between local and
> > global addresses, so it's difficult to determine which machine on the
> > inside gets assigned which IP on the outside, hence making ACL creation
> > almost impossible. Statics make life much easier.
> >
> > Hope that helps!
> >
> > Scott
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Dong Lin
> > Sent: Saturday, May 31, 2003 8:10 PM
> > To: ccielab@groupstudy.com
> > Subject: Re: PIX NAT??
> >
> >
> > The answer to your question is no.
> >
> > nat and global are used to let traffic from a high security interface to
> > a low security interface.
> >
> > You need to use static and acl to let traffic from the outside interface
> > to the inside interface (nat is performed by the static command).
> >
> >
> > ----- Original Message -----
> > From: "Michael Popovich" <michael625@cox.net>
> > To: <ccielab@groupstudy.com>
> > Sent: Saturday, May 31, 2003 4:19 AM
> > Subject: PIX NAT??
> >
> >
> > > Can you NAT from the Outside interface to the Inside interface?
> > >
> > > I have:
> > >
> > > nat (outside) 1 0.0.0.0 0.0.0.0
> > > global (inside) 1 interface
> > >
> > > This doesn't seem to work for me, now I am wondering if it is
> > > possible.
> > >
> > > MP

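A toy model of the xlate ordering Scott describes (static pre-populates the table, nat/global builds an entry only when the higher-security side initiates, and the 6.2 `outside` keyword is what permits translating a lower-security source), added here as an illustration and not code from the thread; the interface names follow PIX usage, but the `Pix` class, its methods and all addresses are constructed.

```python
# Constructed model of PIX translation (xlate) behaviour; not PIX code.
SECURITY = {"inside": 100, "dmz": 50, "outside": 0}

class Pix:
    def __init__(self):
        self.nat_rules = []   # (interface, nat_id, outside_keyword)
        self.globals = {}     # (interface, nat_id) -> one PAT address
        self.xlate = {}       # (local_if, local_ip) -> global_ip

    def static(self, local_if, local_ip, global_ip):
        # 'static' pre-populates the xlate table, so an inbound packet
        # for global_ip can match before any traffic has been seen.
        self.xlate[(local_if, local_ip)] = global_ip

    def nat(self, iface, nat_id, outside=False):
        # nat (iface) id 0 0 [outside]; the 6.2 'outside' keyword lets
        # a lower-security source address be translated.
        self.nat_rules.append((iface, nat_id, outside))

    def global_addr(self, iface, nat_id, addr):
        # global (iface) id <addr|interface>, simplified to one address.
        self.globals[(iface, nat_id)] = addr

    def connect(self, src_if, src_ip, dst_if):
        """Host src_ip on src_if opens a flow toward dst_if.
        Returns the translated source, or None if no xlate can exist."""
        key = (src_if, src_ip)
        if key in self.xlate:
            return self.xlate[key]
        for iface, nat_id, outside in self.nat_rules:
            if iface != src_if:
                continue
            # Plain nat/global only translates higher -> lower security;
            # without 'outside' a flow from outside toward inside gets nothing.
            if not outside and SECURITY[src_if] <= SECURITY[dst_if]:
                continue
            addr = self.globals.get((dst_if, nat_id))
            if addr:
                self.xlate[key] = addr   # dynamic xlate built on first packet
                return addr
        return None

    def reachable(self, global_ip):
        """Can an inbound packet sent to global_ip match an existing xlate?"""
        return global_ip in self.xlate.values()
```

Running the original poster's `nat (outside) 1 0 0` / `global (inside) 1 interface` through `connect("outside", ..., "inside")` yields no translation until the rule is created with `outside=True`, while a `static` entry is reachable from the moment it is configured.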


This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:51 GMT-3