Overriding Nat statement in PIX

Hi All

I've had a request to perform a port redirect from a NAT address on a PIX (i.e. a public address on the outside interface (e.g. 86.1.1.1 tcp port 6000) gets translated to an inside address and a recognisable port (e.g. 10.1.1.1 port 23)).

The NAT side already happens on the internet router, however to do the port redirect bit, I will have to configure the PIX.

The problem is that the previous administration had configured the PIX not to translate any addresses from the inside (the internet router translates all inside addresses):

static (inside,outside) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0

nat (inside) 0 0.0.0.0 0.0.0.0 0 0

Therefore, when I try to do the redirect, I get the error message that it will overlap the statements above.

Is there any way I can perform the redirect and keep the above statements, or do I have to modify the above static and nat statements to get it to work?

Many Thanks in advance

Simon

Reply to
simon watson

Hi Simon,

According to the linked document, it looks as if you will have to recreate the nat 0 statement to be a bit more granular. It takes precedence over all other NAT statements, so that is why your static NAT will not work in the current configuration.

Can someone else confirm this?

Thanks, Phillip


Reply to
pcmccollum

Not quite. "nat 0 access-list" has the highest priority (#1), then static NAT (no ports) (#2), then static PAT (with ports) (#3), then policy NAT (nat ID access-list) and policy static (static access-list) (#4), then "regular nat" (which *includes* nat 0 that has no access-list) is lowest priority (#5).

There is no simple way on PIX 6 to say "do static port translation of all ports that haven't already been translated" -- you cannot, for example, say:

static (inside,outside) tcp 10.11.12.13 80 10.11.149.85 80 netmask 255.255.255.255

static (inside,outside) tcp 10.11.0.0 * 10.11.0.0 * netmask 255.255.0.0

Therefore, the solution to the original poster's problem is to use policy static:

access-list PortRedirect_acl permit tcp host 10.11.149.85 eq www any

access-list StraightThru_acl permit ip 10.11.0.0 255.255.0.0 any

static (inside,outside) tcp 10.11.12.13 80 access-list PortRedirect_acl

static (inside,outside) 10.11.0.0 access-list StraightThru_acl

The netmask is important in StraightThru_acl: it is essentially borrowed to use in place of the regular "netmask 255.255.0.0" clause that you would otherwise use.

Reply to
Walter Roberson
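The same policy-static approach applied to the addresses in Simon's question, as an added example that is not part of any post in this thread. It assumes PIX 6.3 syntax, that 86.1.1.1 is the address reachable on the PIX outside interface as the question describes, and that the existing identity static for 10.1.0.0/16 is removed first (that static already claims 10.1.1.1, which is where the overlap error comes from; the regular nat 0 line can stay, since it has the lowest priority). The ACL names TelnetRedirect_acl, StraightThru_acl and outside_in are made up for the example, and the "!" lines are comments for the reader.

```cisco
! Remove the identity static that overlaps 10.1.1.1 (assumed to be the source of the overlap error)
no static (inside,outside) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0

! Policy static PAT: outside 86.1.1.1 tcp/6000 <-> inside 10.1.1.1 tcp/23
! Enter this before the catch-all: where more than one static matches, the first one configured wins
access-list TelnetRedirect_acl permit tcp host 10.1.1.1 eq telnet any
static (inside,outside) tcp 86.1.1.1 6000 access-list TelnetRedirect_acl

! Policy identity static for everything else in 10.1.0.0/16; the ACL mask stands in for the netmask clause
access-list StraightThru_acl permit ip 10.1.0.0 255.255.0.0 any
static (inside,outside) 10.1.0.0 access-list StraightThru_acl

! The static only creates the translation. Inbound connections from the outside still need to be
! permitted by the outside interface ACL, which on PIX 6 references the global (translated) address and port
access-list outside_in permit tcp any host 86.1.1.1 eq 6000
access-group outside_in in interface outside
```

After pasting, "show xlate" should show the 10.1.1.1/23 to 86.1.1.1/6000 entry once a connection has been attempted, and "show static" should list both policy statics with the port-specific one first. Note that outside_in replaces any access-group already bound to the outside interface, so merge the permit line into the existing inbound ACL if there is one rather than binding a new list.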

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.