PIX access-lists and static NAT


I would like to secure an inbound access-list on a PIX 525 running software version 8.

Hosts on the outside will connect to 3 servers on the inside for WWW.

This will involve an explicit access rule and NAT.

The servers are named and grouped:

name SERVER1 name SERVER2 name SERVER3

object-group network SERVERS network-object host SERVER1 network-object host SERVER2 network-object host SERVER3

Static NAT is used to map the outside 10.x.x.x addresses to 192.x.x.x. on the inside:

static (inside,outside) SERVER1 netmask static (inside,outside) SERVER2 netmask static (inside,outside) SERVER3 netmask

I have then created an access-list to permit access to the SERVERS network-group:

access-list outside_access_in extended permit tcp any object-group SERVERS eq http

For some reason when external users connect to the outside 10.x.x.x they are not permitted. I'm guessing this because the access-list mentions the INSIDE names - not the OUTSIDE NAT addresses. I suppose my question is what order is the traffic processed? NAT or access- list?

Should my network group really contain the OUTSIDE NAT addresses of the servers?

Many thanks,


Reply to
Loading thread data ...

The access-group is processed before the NAT , so yes your network group should contain the translated addresses.

Reply to

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.