[c-nsp] NAT/ACL options in a PIX

Vinny Abello vinny at tellurian.com
Wed Aug 27 10:49:19 EDT 2008


> -----Original Message-----
> From: John Ramz [mailto:sforcejr at yahoo.com]
> Sent: Wednesday, August 27, 2008 8:20 AM
> To: Vinny Abello; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] NAT/ACL options in a PIX
>
>
>
> Vinny,
>
>
> Thanks for the reply. So, host 5.6.7.8 wants to access that internal
> host. Would the access list to complete it look like this?
>
> access-list ACL_NAME permit TCP host 5.6.7.8 host 10.10.10.110 eq 8081

You would be specifying the destination address as the outside address BEFORE the translation takes place. So in your example if a trusted host of 5.6.7.8 wants to access the server 10.10.10.11 on port 8081, and you have a static entry of:

static (inside,outside) tcp 1.2.3.4 8080 10.10.10.11 8081 netmask 255.255.255.255 0 0

you would need to make the access-list entry reference the outside IP address and port number:

access-list ACL_NAME permit tcp host 5.6.7.8 host 1.2.3.4 eq 8081

This would hit the outside access-list, permit the traffic, then translate it to 10.10.10.11 on port 8080 afterwards.

> Now if I get another request to access a different host
> (10.10.10.111), could I reuse the same IP address (1.2.3.4) and do
> this?

If you're using PAT, yes, as long as the same port on the outside isn't used. In other words, you can't use TCP 8080 on 1.2.3.4 because it's already translated to 10.10.10.11 on port 8081.

> static (inside,outside) tcp 1.2.3.4 8080 10.10.10.111 8081 netmask
> 255.255.255.255 0 0

This would conflict. If you want to utilize the same port, you'd need a new outside address. Otherwise you could use a new port and put:

static (inside,outside) tcp 1.2.3.4 8081 10.10.10.11 8081 netmask 255.255.255.255 0 0

> access-list ACL_NAME permit TCP host 9.10.11.12 host 10.10.10.111 eq
> 8081

This again would be the outside address as the destination:

access-list ACL_NAME permit tcp host 9.10.11.12 host 1.2.3.4 eq 8081

>
>
> ONE MORE QUESTION...
> Since I am doing NAT 1 to 1, I already allowed 1 external host to
> access an internal host (10.10.10.110) on port 8080

Correct. All inbound traffic will be translated to the internal address. In turn, you are also mapping all outbound traffic from the internal address to the external address when originating traffic.

> How can I allow another external host (different IP address) to access
> the same internal host (10.10.10.110) on port 8080?

Just add it to the access-list to allow it. With the 1 to 1 NAT, just consider "outside address = inside address". You need to allow traffic to it based on the interface the traffic hits. If the traffic is hitting the outside interface, you must utilize the outside address as the destination. If you in turn have an inside access-list and are limiting traffic leaving that network, you'd be utilizing the internal addresses as the source addresses.

>
> Hopefully you can understand this last question
>
> Thanks
>
>
>
>
> --- On Tue, 8/26/08, Vinny Abello <vinny at tellurian.com> wrote:
>
> > From: Vinny Abello <vinny at tellurian.com>
> > Subject: RE: [c-nsp] NAT/ACL options  in a PIX
> > To: "sforcejr at yahoo.com" <sforcejr at yahoo.com>, "cisco-
> nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> > Date: Tuesday, August 26, 2008, 10:23 PM
> > Correct, you are doing NAT as a straight 1 to 1 translation
> > for traffic. Using PAT, you can specify either TCP or UDP
> > traffic and the outside and inside port numbers. This is
> > still accomplished with the static statement. You'll
> > still need the access-list entry as well unless you have
> > another rule already covering it.
> >
> > I'm confused though... If you need a different external
> > host to access an internal server, why can't you reuse
> > the same outside address in the translation? The PIX does
> > extended translation automatically. Just add it to the
> > access-list, or did I misunderstand?
> >
> > If you are doing this on a different port and want to map
> > various ports on one external IP to different internal hosts
> > or ports, you can do this as well with the static statement:
> >
> > static (inside,outside) tcp 1.2.3.4 8080 10.10.10.110 8081
> > netmask 255.255.255.255 0 0
> >
> > This maps traffic that matches TCP port 8080 hitting the
> > outside address of 1.2.3.4 to port 8081 on internal IP
> > 10.10.10.110.
> >
> > I wasn't quite clear with your alphanumeric examples,
> > but I hope this helps. I believe you truly just want to keep
> > adding more entries to your access-list. Once you have a
> > translation be it NAT or PAT defined, the access control is
> > done through the access-list at that point.
> >
> > -Vinny
> >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-
> > > bounces at puck.nether.net] On Behalf Of John Ramz
> > > Sent: Tuesday, August 26, 2008 10:32 PM
> > > To: cisco-nsp at puck.nether.net
> > > Subject: [c-nsp] NAT/ACL options in a PIX
> > >
> > > --CORRECTION---
> > >
> > > As a part of my 2nd question I made a mistake on the
> > internal host IP.
> > > This is the correction:
> > >
> > > I need to allow P.P.P.3 to access the same internal host
> > > (10.10.10.110). I tried to assign a different public IP
> > > address (Q.Q.Q.11)...
> > >
> > >
> > > Thanks
> > >
> > >
> > >
> > > --- On Tue, 8/26/08, John Ramz
> > <sforcejr at yahoo.com> wrote:
> > >
> > > > From: John Ramz <sforcejr at yahoo.com>
> > > > Subject: NAT/ACL options  in a PIX
> > > > To: cisco-nsp at puck.nether.net
> > > > Date: Tuesday, August 26, 2008, 9:21 PM
> > > > Version 6.3.5
> > > > PIX 515
> > > >
> > > > We have been assigned 25 Public IP addresses by
> > our ISP and
> > > > I want to administer them in the most efficient
> > way.
> > > >
> > > > We get a lot of requests for external access to
> > different
> > > > hosts in our private network. For example:
> > > >
> > > > Public trusted IP address requesting access:
> > P.P.P.2
> > > > Public IP address assigned by ISP: Q.Q.Q.10
> > > > Internal host IP: 10.10.10.111
> > > > port 80 or 8080 (http://10.10.10.111/site:8080
> > > >
> > > > So far every time we get a request we do this:
> > > >
> > > > static (inside,outside) Q.Q.Q.10 10.10.10.111
> > netmask
> > > > 255.255.255.255 0 0
> > > > access-list ACL_NAME permit tcp host P.P.P.2 host
> > Q.Q.Q.10
> > > > eq 8080
> > > >
> > > > QUESTION
> > > > 1- Is it possible to do what I believe is called
> > PAT and
> > > > reuse the same public ip address(Q.Q.Q.10) when I
> > get a
> > > > second request to access a DIFFERENT
> > host(10.10.10.112) and
> > > > redirect them to port 8081 for example? If
> > possible, how?
> > > >
> > > >
> > > >
> > > > Today I got a request to allow access to an
> > internal
> > > > host(10.10.10.110) that I have already mapped
> > with this
> > > > public IP: Q.Q.Q.9 . The source ip address is:
> > P.P.P.3 .
> > > > These are the statements already in the PIX:
> > > >
> > > > static (inside,outside) Q.Q.Q.9 10.10.10.110
> > netmask
> > > > 255.255.255.255 0 0
> > > > access-list ACL_NAME permit tcp host P.P.P.1 host
> > Q.Q.Q.9
> > > > eq 8080
> > > >
> > > > I need to allow P.P.P.3 to access the same internal host
> > > > (Q.Q.Q.9). I tried to assign a different public IP
> > > > address (Q.Q.Q.11) but I got this message:
> > > >
> > > > ERROR: duplicate of existing static
> > > >
> > > > QUESTION
> > > > 2- Is there any way to allow 2 IP addresses to access the
> > > > same host on the same port (it could be different)?
> > > >
> > > > I appreciate any help since I am a beginner on
> > this subject
> > > >
> > > >
> > > > Thanks
> > > >
> > > > John
> > >
> > >
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>

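The two rules the reply keeps coming back to, that the outside access-list is matched against the pre-translation (global) address before the static is applied, and that a global IP or global proto/port pair can be claimed by only one static, are easy to get wrong when typing config by hand. The following is an added example, not from this thread and not Cisco code: a small Python model of PIX 6.x behaviour that parses the thread's `static` and `access-list` lines, flags the "duplicate of existing static" conflicts, and shows which inbound connections an outside ACL actually permits. It assumes the outside ACL is checked against the global port as well as the global address (pre-8.3 PIX/ASA semantics), and the addresses 1.2.3.9, 1.2.3.11, 1.1.1.1 and 1.1.1.3 are constructed stand-ins for the poster's Q.Q.Q.9, Q.Q.Q.11, P.P.P.1 and P.P.P.3. Running a config through something like this before pasting it into the firewall catches ACL lines written against the inside address, which silently match nothing on the outside interface.

```python
"""Toy model of PIX 6.x static NAT/PAT plus an outside-interface ACL.

Constructed example for the thread above, not Cisco code. It assumes:
  1. the outside ACL is matched on the pre-translation (global) destination
     address and port, and only then is the static translation applied;
  2. a global IP (1:1 static) or global proto/port (static PAT) is owned by
     one static, otherwise "ERROR: duplicate of existing static".
"""
import re
from dataclasses import dataclass
from typing import Optional

STATIC_RE = re.compile(
    r"static \((?P<inside>\w+),(?P<outside>\w+)\)"
    r"(?:\s+(?P<proto>tcp|udp))?"
    r"\s+(?P<gip>[\d.]+)(?:\s+(?P<gport>\d+))?"
    r"\s+(?P<lip>[\d.]+)(?:\s+(?P<lport>\d+))?"
    r"\s+netmask\s+[\d.]+"
)
ACL_RE = re.compile(
    r"access-list (?P<name>\S+) permit (?P<proto>\w+) host (?P<src>[\d.]+)"
    r" host (?P<dst>[\d.]+)(?: eq (?P<port>\d+))?"
)


@dataclass(frozen=True)
class Static:
    proto: Optional[str]        # None means a 1:1 static for all protocols
    global_ip: str
    global_port: Optional[int]  # None for a 1:1 static
    local_ip: str
    local_port: Optional[int]


class DuplicateStatic(ValueError):
    """Raised where the PIX would reject the line as a duplicate static."""


class Pix:
    def __init__(self):
        self.statics = []
        self.acl = {}  # acl name -> list of (proto, src, dst, port-or-None)

    def add_static(self, line):
        m = STATIC_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed static: " + line)
        new = Static(m["proto"], m["gip"], int(m["gport"]) if m["gport"] else None,
                     m["lip"], int(m["lport"]) if m["lport"] else None)
        for s in self.statics:
            same_global = s.global_ip == new.global_ip
            # A 1:1 static owns the whole global IP; PAT statics may share a
            # global IP as long as the proto/port pair differs.
            if same_global and (s.global_port is None or new.global_port is None
                                or (s.proto == new.proto and s.global_port == new.global_port)):
                raise DuplicateStatic("ERROR: duplicate of existing static")
            # Two 1:1 statics cannot map the same inside host either.
            if s.local_ip == new.local_ip and s.global_port is None and new.global_port is None:
                raise DuplicateStatic("ERROR: duplicate of existing static")
        self.statics.append(new)
        return new

    def add_acl(self, line):
        m = ACL_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed access-list: " + line)
        self.acl.setdefault(m["name"], []).append(
            (m["proto"].lower(), m["src"], m["dst"], int(m["port"]) if m["port"] else None))

    def inbound(self, acl_name, proto, src, dst, dport):
        """Packet arriving on the outside interface; dst/dport are the global values.

        Returns (action, translated_ip, translated_port)."""
        for a_proto, a_src, a_dst, a_port in self.acl.get(acl_name, []):
            if a_proto in (proto, "ip") and a_src == src and a_dst == dst \
               and (a_port is None or a_port == dport):
                break
        else:
            return ("denied", None, None)           # ACL checked before translation
        for s in self.statics:
            if s.global_ip != dst:
                continue
            if s.global_port is None:               # 1:1 NAT keeps the port
                return ("permitted", s.local_ip, dport)
            if s.proto == proto and s.global_port == dport:
                return ("permitted", s.local_ip, s.local_port)
        return ("no-translation", None, None)


def build_demo_pix():
    """Constructed config mirroring the thread (1.2.3.9 stands in for Q.Q.Q.9)."""
    pix = Pix()
    pix.add_static("static (inside,outside) tcp 1.2.3.4 8080 10.10.10.11 8081 netmask 255.255.255.255 0 0")
    pix.add_static("static (inside,outside) tcp 1.2.3.4 8081 10.10.10.111 8081 netmask 255.255.255.255 0 0")
    pix.add_static("static (inside,outside) 1.2.3.9 10.10.10.110 netmask 255.255.255.255 0 0")
    pix.add_acl("access-list ACL_NAME permit tcp host 5.6.7.8 host 10.10.10.11 eq 8081")  # inside addr: never matches
    pix.add_acl("access-list ACL_NAME permit tcp host 5.6.7.8 host 1.2.3.4 eq 8080")      # global addr/port: matches
    pix.add_acl("access-list ACL_NAME permit tcp host 9.10.11.12 host 1.2.3.4 eq 8081")
    pix.add_acl("access-list ACL_NAME permit tcp host 1.1.1.1 host 1.2.3.9 eq 8080")      # P.P.P.1 stand-in
    pix.add_acl("access-list ACL_NAME permit tcp host 1.1.1.3 host 1.2.3.9 eq 8080")      # second source: ACL only
    return pix


def demo():
    pix = build_demo_pix()
    results = {
        "trusted_to_pat_8080": pix.inbound("ACL_NAME", "tcp", "5.6.7.8", "1.2.3.4", 8080),
        "second_host_via_8081": pix.inbound("ACL_NAME", "tcp", "9.10.11.12", "1.2.3.4", 8081),
        "inside_addr_in_acl": pix.inbound("ACL_NAME", "tcp", "5.6.7.8", "1.2.3.4", 8081),
        "second_source_1to1": pix.inbound("ACL_NAME", "tcp", "1.1.1.3", "1.2.3.9", 8080),
    }
    conflicts = {
        "pat_port_conflict": "static (inside,outside) tcp 1.2.3.4 8080 10.10.10.111 8081 netmask 255.255.255.255 0 0",
        "second_global_same_host": "static (inside,outside) 1.2.3.11 10.10.10.110 netmask 255.255.255.255 0 0",
    }
    for key, line in conflicts.items():
        try:
            pix.add_static(line)
            results[key] = "accepted"
        except DuplicateStatic as err:
            results[key] = str(err)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `inside_addr_in_acl` case is the one worth noticing: the ACL line written with `host 10.10.10.11` is accepted by the parser but never matches a packet on the outside interface, so the connection is denied even though a translation exists. The two conflict cases reproduce the "duplicate of existing static" error for a reused global port and for a second 1:1 global address on an already-mapped inside host.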