[c-nsp] NAT/ACL options in a PIX
John Ramz
sforcejr at yahoo.com
Wed Aug 27 11:04:23 EDT 2008
Vinny,
Thank you very much . It makes sense to me. I appreciate you sharing your time and knowledge
John
--- On Wed, 8/27/08, Vinny Abello <vinny at tellurian.com> wrote:
> From: Vinny Abello <vinny at tellurian.com>
> Subject: RE: [c-nsp] NAT/ACL options in a PIX
> To: "sforcejr at yahoo.com" <sforcejr at yahoo.com>, "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Date: Wednesday, August 27, 2008, 9:49 AM
> > -----Original Message-----
> > From: John Ramz [mailto:sforcejr at yahoo.com]
> > Sent: Wednesday, August 27, 2008 8:20 AM
> > To: Vinny Abello; cisco-nsp at puck.nether.net
> > Subject: RE: [c-nsp] NAT/ACL options in a PIX
> >
> >
> >
> > Vinny,
> >
> >
> > #thanks for the reply. So, host 5.6.7.8 wants to
> access that internal
> > #host. would the access list to complete it look like
> this:?
> >
> > access-list ACL_NAME permit TCP host 5.6.7.8 host
> 10.10.10.110 eq 8081
>
> You would be specifying the destination address as the
> outside address BEFORE the translation takes place. So in
> your example if a trusted host of 5.6.7.8 wants to access
> the server 10.10.10.11 on port 8081, and you have a static
> entry of:
>
> static (inside,outside) tcp 1.2.3.4 8080 10.10.10.11 8081
> netmask 255.255.255.255 0 0
>
> you would need to make the access-list entry reference the
> outside IP address and port number:
>
> access-list ACL_NAME permit tcp host 5.6.7.8 host 1.2.3.4
> eq 8081
>
> This would hit the outside access-list, permit the traffic,
> then translate it to 10.10.10.11 on port 8080 afterwards.
>
> > #Now if I get another request a to access different
> host
> > (10.10.10.111). #could I reuse the same ip address
> (1.2.3.4) and do
> > this:?
>
> If you're using PAT, yes, as long as the same port on
> the outside isn't used. In other words, you can't
> use TCP 8080 on 1.2.3.4 because it's already translated
> to 10.10.10.11 on port 8081.
>
> > static (inside,outside) tcp 1.2.3.4 8080 10.10.10.111
> 8081 netmask
> > 255.255.255.255 0 0
>
> This would conflict. If you want to utilize the same port,
> you'd need a new outside address. Otherwise you could
> use a new port and put:
>
> static (inside,outside) tcp 1.2.3.4 8081 10.10.10.11 8081
> netmask 255.255.255.255 0 0
>
> > access-list ACL_NAME permit TCP host 9.10.11.12 host
> 10.10.10.111 eq
> > 8081
>
> This again would be the outside address as the destination:
>
> access-list ACL_NAME permit tcp host 9.10.11.12 host
> 1.2.3.4 eq 8081
>
> >
> >
> > ONE MORE QUESTION,.....
> > Since I am doing NAT 1 to 1 , I already allowed 1
> external host to
> > access an internal host(10.10.10.110) on port 8080
>
> Correct. All inbound traffic will be translated to the
> internal address. In turn, you are also mapping all outbound
> traffic from the internal address to the external address
> when originating traffic.
>
> > How can I allow another external hosts(different IP
> address) to access
> > the same internal host (10.10.10.110) on port 8080?
>
> Just add it to the access-list to allow it. With the 1 to 1
> NAT, just consider "outside address = inside
> address". You need to allow traffic to it based on the
> interface the traffic hits. If the traffic is hitting the
> outside interface, you must utilize the outside address as
> the destination. If you in turn have an inside access-list
> and are limiting traffic leaving that network, you'd be
> utilizing the internal addresses as the source addresses.
>
> >
> > Hopefullly you can understand this last question
> >
> > Thanks
> >
> >
> >
> >
> > --- On Tue, 8/26/08, Vinny Abello
> <vinny at tellurian.com> wrote:
> >
> > > From: Vinny Abello <vinny at tellurian.com>
> > > Subject: RE: [c-nsp] NAT/ACL options in a PIX
> > > To: "sforcejr at yahoo.com"
> <sforcejr at yahoo.com>, "cisco-
> > nsp at puck.nether.net"
> <cisco-nsp at puck.nether.net>
> > > Date: Tuesday, August 26, 2008, 10:23 PM
> > > Correct, you are doing NAT as a straight 1 to 1
> translation
> > > for traffic. Using PAT, you can specify either
> TCP or UDP
> > > traffic and the outside and inside port numbers.
> This is
> > > still accomplished with the static statement.
> You'll
> > > still need the access-list entry as well unless
> you have
> > > another rule already covering it.
> > >
> > > I'm confused though... If you need a
> different external
> > > host to access an internal server, why can't
> use reuse
> > > the same outside address in the translation? The
> PIX does
> > > extended translation automatically. Just add it
> to the
> > > access-list, or did I misunderstand?
> > >
> > > If you are doing this on a different port and
> want to map
> > > various ports on one external IP to different
> internal hosts
> > > or ports, you can do this as well with the static
> statement:
> > >
> > > static (inside,outside) tcp 1.2.3.4 8080
> 10.10.10.110 8081
> > > netmask 255.255.255.255 0 0
> > >
> > > This maps traffic that matches TCP port 8080
> hitting the
> > > outside address of 1.2.3.4 to port 8081 on
> internal IP
> > > 10.10.10.110.
> > >
> > > I wasn't quite clear with your alphanumeric
> examples,
> > > but I hope this helps. I believe you truly just
> want to keep
> > > adding more entries to your access-list. Once you
> have a
> > > translation be it NAT or PAT defined, the access
> control is
> > > done through the access-list at that point.
> > >
> > > -Vinny
> > >
> > > > -----Original Message-----
> > > > From: cisco-nsp-bounces at puck.nether.net
> > > [mailto:cisco-nsp-
> > > > bounces at puck.nether.net] On Behalf Of John
> Ramz
> > > > Sent: Tuesday, August 26, 2008 10:32 PM
> > > > To: cisco-nsp at puck.nether.net
> > > > Subject: [c-nsp] NAT/ACL options in a PIX
> > > >
> > > > --CORRECTION---
> > > >
> > > > As a part of my 2nd question I made a
> mistake on the
> > > internal host IP.
> > > > This is the correction:
> > > >
> > > > I need to allow P.P.P.3 to access the same
> internal
> > > host
> > > > (10.10.10.110). I tried to assigned a
> different Public
> > > ip
> > > > address(Q.Q.Q.11)...........
> > > >
> > > >
> > > > Thanks
> > > >
> > > >
> > > >
> > > > --- On Tue, 8/26/08, John Ramz
> > > <sforcejr at yahoo.com> wrote:
> > > >
> > > > > From: John Ramz
> <sforcejr at yahoo.com>
> > > > > Subject: NAT/ACL options in a PIX
> > > > > To: cisco-nsp at puck.nether.net
> > > > > Date: Tuesday, August 26, 2008, 9:21 PM
> > > > > Version 6.3.5
> > > > > PIX 515
> > > > >
> > > > > We have been assigned 25 Public IP
> addresses by
> > > our ISP and
> > > > > I want to administer them in the most
> efficient
> > > way.
> > > > >
> > > > > We get a lot of requests for external
> access to
> > > different
> > > > > hosts in our private network. For
> example:
> > > > >
> > > > > Public trusted IP address requesting
> access:
> > > P.P.P.2
> > > > > Public IP address assigned by ISP:
> Q.Q.Q.10
> > > > > Internal host IP: 10.10.10.111
> > > > > port 80 or 8080
> (http://10.10.10.111/site:8080
> > > > >
> > > > > So far every time we get a request we
> do this:
> > > > >
> > > > > static (inside,outside) Q.Q.Q.10
> 10.10.10.111
> > > netmask
> > > > > 255.255.255.255 0 0
> > > > > access-list ACL_NAME permit tcp host
> P.P.P.2 host
> > > Q.Q.Q.10
> > > > > eq 8080
> > > > >
> > > > > QUESTION
> > > > > 1- Is it possible to do what I believe
> is called
> > > PAT and
> > > > > reuse the same public ip
> address(Q.Q.Q.10) when I
> > > get a
> > > > > second request to access a DIFFERENT
> > > host(10.10.10.112) and
> > > > > redirect them to port 8081 for example?
> If
> > > possible, how?
> > > > >
> > > > >
> > > > >
> > > > > Today I got a request to allow access
> to an
> > > internal
> > > > > host(10.10.10.110) that I have already
> mapped
> > > with this
> > > > > public IP: Q.Q.Q.9 . The source ip
> address is:
> > > P.P.P.3 .
> > > > > These are the statements already in the
> PIX:
> > > > >
> > > > > static (inside,outside) Q.Q.Q.9
> 10.10.10.110
> > > netmask
> > > > > 255.255.255.255 0 0
> > > > > access-list ACL_NAME permit tcp host
> P.P.P.1 host
> > > Q.Q.Q.9
> > > > > eq 8080
> > > > >
> > > > > I need to allow P.P.P.3 to access the
> same
> > > internal host
> > > > > (Q.Q.Q.9). I tried to assigned a
> different Public
> > > ip
> > > > > address(Q.Q.Q.11) but I got this
> message:
> > > > >
> > > > > ERROR: duplicate of existing static
> > > > >
> > > > > QUESTION
> > > > > 2- Is there anyway to allow 2 IP
> addresses to
> > > access the
> > > > > same host on the same port-it could be
> > > different-?
> > > > >
> > > > > I appreciate any help since I am a
> beginner on
> > > this subject
> > > > >
> > > > >
> > > > > Thanks
> > > > >
> > > > > John
> > > >
> > > >
> > > >
> > > >
> _______________________________________________
> > > > cisco-nsp mailing list
> cisco-nsp at puck.nether.net
> > > >
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > > archive at
> http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
More information about the cisco-nsp
mailing list