[c-nsp] interesting problem with PIX, double NAT and

Aldo Valente aldo.valente at gmx.de
Mon Feb 28 06:16:28 EST 2005


> > We have a setup with another net which partially uses the  
> > same IP addresses.
> > 
> > Should be no problem:
> > 
> > nat (inside) 1 0 0 
> > global (outside) 1 our.outside.ip
> > nat (outside) 2 0 0 outside
> > global (inside) 2 our.inside.ip
> 
> This is a bit blurry, could you be more specific? :)

The same IP addresses exist both in our net and the net behind
our PIX.  It's RFC address space, so this shouldn't be unusual.  
If you get confused about the 0.0.0.0/0, we can have a more specific
example.  The problem stays the same.

e.g.  

 Ours (10.0.0.0/8)  -- Pix -- Theirs (10.0.0.0/8)

our.inside.ip is one of our nets, perhaps 10.0.0.1/24, designated for NAT.
And our.outside.ip was assigned (and routed) to us as our net from their
net, for example 10.0.2.3/24. 

For a packet from inside host 10.1.2.3.4 to reach outside host 10.6.6.6,
you'll need a 
static (outside, inside) 10.0.0.2 10.6.6.6 netmask 255.255.255.255

Pointing the inner host to http://10.0.0.2, on the outside interface 
the packet will leave the PIX as (s:10.0.2.3, d:10.6.6.6) with the 
above nat and global statements.  Same for connections coming from 
outside with a static (inside, outside) foo bar.

> > route inside  0          0         inner.router
> > and 
> > route outside 0          128.0.0.0 outer.router
> > route outside 128.0.0.0  128.0.0.0 outer.router
> > Guess what, it doesn't work.  The Pix takes the more 
> > specific route.

> That's normal behaviour I would say. That's why it is more specific :)

Not in this setup.  Since the same net exists behind both interfaces,
you have to route the exact same net on both interfaces.  Cisco docs
say that you cannot have an identical entry for both interfaces and
suggest splitting it into 2 nets, which I've done.  And the nat and 
global commands both work fine.

And furthermore, if I had to program the routing table lookup, 
I would just purge all routing entries sitting on the same interface as
the incoming packet, since the PIX wouldn't route the packet back over the 
same interface.  So it should be no problem in theory.  In practice
it is.

More clear now?


Aldo

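As an added illustration (not part of the post, and not a model of actual PIX code), the following Python contrasts the two lookups the message describes: plain longest-prefix match over the whole table, which picks the /1 entries for every destination, and the lookup the author proposes, which first discards routes that would send the packet back out its ingress interface. The routing table, the static alias 10.0.0.2 -> 10.6.6.6 and our.outside.ip = 10.0.2.3 are the post's own example values; the router names are the post's placeholders. The reverse translation for outside-initiated connections is left out because the post only gives "foo bar" for it.

```python
import ipaddress

# Constructed model of the routing table quoted in the post.
ROUTES = [
    # (egress interface, prefix, next hop)
    ("inside",  "0.0.0.0/0",   "inner.router"),
    ("outside", "0.0.0.0/1",   "outer.router"),
    ("outside", "128.0.0.0/1", "outer.router"),
]

# static (outside,inside) 10.0.0.2 10.6.6.6: inside hosts reach 10.6.6.6 via 10.0.0.2
STATIC_ALIASES = {"10.0.0.2": "10.6.6.6"}

# global (outside) 1 our.outside.ip: source address for inside->outside flows
OUR_OUTSIDE_IP = "10.0.2.3"


def lookup_lpm(routes, dst, ingress=None):
    """Plain longest-prefix match over the whole table, ignoring the ingress
    interface (the behaviour the post reports seeing)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for iface, prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, next_hop)
    return None if best is None else (best[0], best[2])


def lookup_excluding_ingress(routes, dst, ingress):
    """The author's proposal: drop every route whose egress interface is the
    ingress interface, then do longest-prefix match on what remains."""
    candidates = [r for r in routes if r[0] != ingress]
    return lookup_lpm(candidates, dst)


def forward(ingress, src, dst, lookup=lookup_excluding_ingress):
    """Apply the post's inside->outside translation, then route the packet.
    Returns (translated src, translated dst, egress interface, next hop),
    or None if no route matches."""
    if ingress == "inside":
        dst = STATIC_ALIASES.get(dst, dst)   # alias 10.0.0.2 becomes real host 10.6.6.6
        src = OUR_OUTSIDE_IP                 # nat/global rewrite the source
    route = lookup(ROUTES, dst, ingress)
    if route is None:
        return None
    egress, next_hop = route
    return (src, dst, egress, next_hop)


if __name__ == "__main__":
    # Inside host talking to the alias: translated and sent out the outside interface.
    print(forward("inside", "10.1.2.3", "10.0.0.2"))
    # Reply from outside: with the author's lookup it goes back in; with plain
    # LPM the /1 entry wins and the packet would be sent back out the outside.
    print(forward("outside", "10.6.6.6", "10.1.2.3"))
    print(forward("outside", "10.6.6.6", "10.1.2.3", lookup=lookup_lpm))
```

The third call is the failure the post describes: with both 10.0.0.0/8 nets present, only a lookup that excludes the ingress interface can return the inside route for the overlapping space, because every overlapping address also matches the more specific /1 entries on the outside.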

