Solved

Basic NO NAT setups and concepts on a PIX.

Posted on 2006-06-20
441 Views
Last Modified: 2013-11-16
I'm going to use an example from a book that I'm having trouble understanding because if someone can explain this example to me, I think I'll have a grasp on what I need to know.

This is a PIX with three interfaces.

192.168.1.0/24 is attached to the outside interface.
192.168.5.0/24 is attached to the DMZ interface.
192.168.2-4.0/24 are all behind the inside interface.

The snippet of the configuration provided is this:

pixfirewall(config)# global (outside) 1 200.200.200.10-200.200.200.253 netmask 255.255.255.0
pixfirewall(config)# nat (inside) 1 0 0
pixfirewall(config)# nat (dmz) 1 0 0
pixfirewall(config)# static (dmz, outside) 200.200.200.1 192.168.5.5
pixfirewall(config)# static (dmz, outside) 200.200.200.2 192.168.5.6
pixfirewall(config)# static (inside, dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
pixfirewall(config)# access-list NO_NAT permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
pixfirewall(config)# access-list NO_NAT permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0
pixfirewall(config)# access-list NO_NAT permit ip 192.168.4.0 255.255.255.0 192.168.5.0 255.255.255.0
pixfirewall(config)# nat (inside) 0 access-list NO_NAT

Now, I understand all of this config and most other configs, but for some reason I've just never gotten how no nat works exactly.  I'd like to understand it well.

The book says "If a device from the inside interface tries to access a device on the dmz interface, it will not have its address translated -- this is based on the very last static command in the configuration." Fine and dandy.  So, the static entry in question keeps things going from the inside -> dmz from being translated.  What does the NO_NAT ACL do?  

Originally, I thought it was some kind of similar thing, but in reverse (i.e., telling things going out from the DMZ not to try and NAT to the addresses in question, the 192.168.2-4.0/24 networks), but that makes no sense because it's applied to the inside interface. Is that ACL applied with the "nat (inside)" statement just a redundancy of the static statement?

Also, what are the security implications of disabling NAT? Do the security level implications still apply (i.e., things on the security 100 inside can still reach things on the security 50 DMZ interface but not vice versa, assuming that there is no other ACL involvement), or does disabling NAT remove that difference in security level?

Someone please help me.  I feel like I'm frustrated enough and asking such a hugely broad question that I'm going to go ahead and assign a high point value to hopefully make it worth someone's while.

Thanks very much.
Question by: titan6400

5 Comments
 
LVL 11

Expert Comment

by:prueconsulting
ID: 16948302
Basically, in a nutshell:

When NAT is applied and a packet travels from one interface out another, it will appear that the source address is coming from the address of the interface it is exiting on.

I.e. DMZ 192.168.1.1
inside 192.168.2.1
outside 192.168.3.1

If a packet travels from inside to outside it will appear to be coming from 192.168.3.1.

Now if you apply a no-NAT statement, anything that is hit by this no-NAT ACL will not be NATted and its source address will be the one the packet originated with. This is mostly utilized in VPN tunnels to push a packet as interesting traffic across the tunnel.

Now the static translations..

Based on the above static, if a packet coming from a source of 192.168.5.0/24 attempts to hit a host in the DMZ, the address is actually "translated" but in reality keeps the same address, since the static translation is the same. But if a host, say 192.168.2.1, were to hit the DMZ it would appear to have come from 192.168.1.1 since it doesn't match the translation.

Did this make sense?
 

Author Comment

by:titan6400
ID: 16948586
I get that the NO_NAT access-list or generally using a "nat (interface) 0 <address>" command means that the "from" header in an applicable packet won't get rewritten as having come from an address in the global pool -- it just stays the same.

What is the use of the "pixfirewall(config)# static (inside, dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0" in the example above?
 
LVL 11

Accepted Solution

by: prueconsulting (earned 500 total points)
ID: 16951029
In that example it's used basically to create a translation that keeps the from field the same, because as packets traverse the interfaces they will undergo a translation.

So, for example, let's use this:
Exchange Server on LAN with an address of 192.168.5.245 connecting to a DMZ mail server with an address of 192.168.1.245

DMZ interface is 192.168.1.1

When the exchange server connects to the DMZ host the DMZ host will see the packet as coming from 5.245 due to the static translation.

But if a workstation, say on another subnet, were to connect to the DMZ host, the mail server would see its IP as the DMZ interface IP address.


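To make the translation order concrete, here is an added Python model of the question's configuration; it is not code from the original post, from the book quoted in it, or from Cisco. It encodes the documented PIX 6.3 order for choosing a translation on a new connection (NAT exemption with "nat (if) 0 access-list" first, then static, then dynamic nat/global) together with the default security-level rule, and replays the quoted config against a handful of constructed flows. The interface names, the 100/50/0 security levels, the assumption that 192.168.2-4.0/24 are routed behind inside, and the made-up Internet host 198.51.100.7 are assumptions, not facts from the thread.

```python
"""Model of how a PIX 6.x picks a translation for the thread's configuration.

Added example, not code from the original post or from Cisco.  It encodes the
documented PIX 6.3 order for a new connection (NAT exemption "nat (if) 0
access-list", then static, then dynamic nat/global) and the default
security-level rule, then replays the quoted config against constructed flows.
Security levels 100/50/0 and the Internet host 198.51.100.7 are assumptions.
"""
from ipaddress import IPv4Address, ip_address, ip_network

SECURITY = {"inside": 100, "dmz": 50, "outside": 0}
ROUTES = {  # which interface each real network sits behind (from the question)
    "inside": [ip_network(f"192.168.{n}.0/24") for n in (2, 3, 4)],
    "dmz": [ip_network("192.168.5.0/24")],
    "outside": [ip_network("0.0.0.0/0")],
}
# access-list NO_NAT permit ip 192.168.{2,3,4}.0/24 192.168.5.0/24  +  nat (inside) 0 access-list NO_NAT
NO_NAT = [(ip_network(f"192.168.{n}.0/24"), ip_network("192.168.5.0/24")) for n in (2, 3, 4)]
# static (real_if, mapped_if) mapped real [netmask]
STATICS = [
    ("dmz", "outside", ip_network("200.200.200.1/32"), ip_network("192.168.5.5/32")),
    ("dmz", "outside", ip_network("200.200.200.2/32"), ip_network("192.168.5.6/32")),
    ("inside", "dmz", ip_network("192.168.5.0/24"), ip_network("192.168.5.0/24")),
]
# nat (inside) 1 0 0, nat (dmz) 1 0 0, global (outside) 1 200.200.200.10-200.200.200.253
NAT_ID = {"inside": 1, "dmz": 1}
GLOBALS = {("outside", 1): ip_address("200.200.200.10")}  # first address of the pool


def _shift(addr, from_net, to_net):
    """Carry addr's offset inside from_net over to to_net (how a netmask static maps)."""
    return IPv4Address(int(to_net.network_address) + int(addr) - int(from_net.network_address))


class Pix:
    def __init__(self, exempt=True):
        self.exempt = {"inside": NO_NAT} if exempt else {}  # nat (inside) 0 access-list
        self.handed_out = {}  # pool -> number of dynamic xlates allocated so far

    def egress(self, src_if, dst):
        # A mapped static address seen on its mapped interface belongs to the real interface.
        for real_if, mapped_if, mapped, _ in STATICS:
            if mapped_if == src_if and dst in mapped:
                return real_if
        hits = [(n, i) for i, nets in ROUTES.items() for n in nets if dst in n]
        return max(hits, key=lambda t: t[0].prefixlen)[1]

    def connect(self, src_if, src, dst, acl_permits=False):
        """(rule that matched, peer address after translation) for a new connection:
        outbound, the source the destination sees; inbound, the real destination."""
        src, dst = ip_address(src), ip_address(dst)
        dst_if = self.egress(src_if, dst)
        if SECURITY[src_if] <= SECURITY[dst_if] and not acl_permits:
            return ("denied: lower-security source needs an access-list", None)
        if SECURITY[src_if] > SECURITY[dst_if]:
            rule, addr = self._outbound(src_if, dst_if, src, dst)
        else:
            rule, addr = self._inbound(src_if, dst_if, src, dst)
        return (rule, None if addr is None else str(addr))

    def _outbound(self, src_if, dst_if, src, dst):
        for local, remote in self.exempt.get(src_if, []):  # 1. NAT exemption
            if src in local and dst in remote:
                return ("nat 0 access-list", src)
        for real_if, mapped_if, mapped, real in STATICS:   # 2. static
            if (real_if, mapped_if) == (src_if, dst_if) and src in real:
                return ("static", _shift(src, real, mapped))
        key = (dst_if, NAT_ID.get(src_if))                 # 3. nat/global
        if key in GLOBALS:
            n = self.handed_out[key] = self.handed_out.get(key, 0) + 1
            return ("nat/global", GLOBALS[key] + n - 1)
        return ("dropped: no translation group found", None)  # nat-control behaviour

    def _inbound(self, src_if, dst_if, src, dst):
        # Destination must already be reachable through a mapping visible on src_if:
        # NAT exemption counts in both directions, a static only in its mapped direction.
        for local, remote in self.exempt.get(dst_if, []):
            if dst in local and src in remote:
                return ("nat 0 access-list", dst)
        for real_if, mapped_if, mapped, real in STATICS:
            if (real_if, mapped_if) == (dst_if, src_if) and dst in mapped:
                return ("static", _shift(dst, mapped, real))
        return ("dropped: no translation for destination", None)


def demo():
    """Replay the flows the thread argues about on a fresh Pix; returns a dict."""
    pix = Pix()
    return {
        "inside->dmz, in NO_NAT": pix.connect("inside", "192.168.2.1", "192.168.5.5"),
        "inside->outside": pix.connect("inside", "192.168.2.1", "198.51.100.7"),
        "dmz .5->outside": pix.connect("dmz", "192.168.5.5", "198.51.100.7"),
        "dmz .7->outside": pix.connect("dmz", "192.168.5.7", "198.51.100.7"),
        "dmz->inside, no acl": pix.connect("dmz", "192.168.5.5", "192.168.2.1"),
        "dmz->inside, acl": pix.connect("dmz", "192.168.5.5", "192.168.2.1", acl_permits=True),
        "outside->200.200.200.1, acl": pix.connect("outside", "198.51.100.7", "200.200.200.1", acl_permits=True),
        "inside->dmz without NO_NAT": Pix(exempt=False).connect("inside", "192.168.3.1", "192.168.5.5"),
    }


if __name__ == "__main__":
    for flow, result in demo().items():
        print(f"{flow:30} {result}")
```

Two things the replay makes visible that the thread only circles around. First, NAT exemption does not touch the security-level rule: the DMZ host can reach an exempted inside host only when an access-list permits it (the "dmz->inside" flows differ solely in acl_permits), while the exemption does let that permitted connection through without a global on the inside. Second, in this model the "static (inside, dmz) 192.168.5.0 192.168.5.0" line can only match an inside source that already carries a 192.168.5.x address, which the question's topology does not have; with the nat 0 access-list removed (Pix(exempt=False)) the inside-to-DMZ flow has no static and no global on the DMZ to fall back to, so a nat-control PIX would drop it. That is what makes the NO_NAT list something other than a redundancy here.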