PIX 515E - Dynamic Policy NAT Rule

I need help understanding how to forward port ranges in my PIX 515e.
I have set up a Service Group for FTP.

object-group service Passive_FTP tcp
 description Passive FTP
 port-object eq ftp
 port-object range 30000 30100

I have allowed this in the ACL
access-list outside_access_in extended permit tcp any any object-group Passive_FTP 

My issue is properly adding it into the NAT Rules table.
I believe I need to add a Dynamic Policy NAT rule to the inside interface.  I've tried many approaches and none so far have been successful.

I'm looking for some quick assistance.  Thanks.
yewnixAsked:
Ernie BeekExpertCommented:
What version is the PIX? Dynamic policy NAT is supported on 6.3.2 and further.

I took the liberty of adding the topics: Network Routers and Networking Hardware Firewalls to your question to see if we can draw some more expert attention.
0
yewnixAuthor Commented:
Sorry, I should have put the versions in the original post.
PIX Version 8.0(4)
ASDM Version 6.0(3)

Thanks for adding this question to more topics.
0
Ernie BeekExpertCommented:
You're welcome :)

Let's see if I can help you a bit further myself. I assume you want to enable outside access to an inside FTP server. There should be no need for a policy NAT on the inside interface then. The easiest would be to set up a static from an additional public address to the inside IP of the FTP server and be done with it (if you have public IPs to spare, that is).
0
yewnixAuthor Commented:
You are correct that I would like to enable outside access on interface "outside" to an internal IP on interface "business".

I have already done Static NAT rules for single port PAT rules and this works fine.  I did also test a full 1-to-1 static NAT by burning one of my IP addresses and this works as well.  However,  I really would like to learn how to use Dynamic Policy NAT rules in conjunction with Service Groups to NAT a range of ports to a designated internal IP address.

Please see 3 attached pics.
nat-rules.jpg
acl-rules.jpg
service-groups.jpg
0
Ernie BeekExpertCommented:
If I understand correctly, you would like to define a port range and use that instead of having to forward each port separately?

It can be done but you'll need 8.3 or beyond for that. Then you should be able to do that something like:

object network obj-1.2.3.4
   host 1.2.3.4

Public address

object network obj-192.168.1.1
   host 192.168.1.1

Private (FTP server) address

object-group service Passive_FTP tcp
 description Passive FTP
 port-object eq ftp
 port-object range 30000 30100

nat (inside,outside) source static obj-1.2.3.4 obj-192.168.1.1 service Passive_FTP Passive_FTP
0
yewnixAuthor Commented:
So you are saying my current version will not work properly for this?
Also I edited my statement above and added an additional photo.
0
Ernie BeekExpertCommented:
The thing is that with pre-8.3 you can't use a service object in the nat statement (or static that is). So you need to create a line for each port:

static (inside,outside) tcp 1.2.3.4 ftp 192.168.1.1 ftp netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 30000 192.168.1.1 30000 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 30001 192.168.1.1 30001 netmask 255.255.255.255


etc.
0
yewnixAuthor Commented:
So I'm using 8.0(4) which I would assume is just 8.0?
0
Ernie BeekExpertCommented:
Well, yes. Though of course there are some differences between the (sub) versions.
0
yewnixAuthor Commented:
Okay, I'm confused.  I went to the Cisco site and the latest IOS that is listed there is 8.0.4.28.  It doesn't look like there is an 8.3 version or higher.  I should be able to get the Dynamic Policy NAT to work on the version of code that I'm currently running.
0
Ernie BeekExpertCommented:
Yes, it looks like 8.0.4.28 is the final version supported on the PIX.

Let's back up a bit to see if I might misinterpret the meaning of Dynamic Policy NAT as you stated it.

-You have an FTP server you want to allow access to from the outside.
-You want to allow a number of ports as defined in the object Passive_FTP
-This object can be used in an ACL but can't be used in the static command (see: https://supportforums.cisco.com/docs/DOC-9129)

So where does the Dynamic Policy NAT fit in? Or better, what is your interpretation of Dynamic Policy NAT?
0
yewnixAuthor Commented:
Yes, you are correct on all 3 statements above, including that you cannot use a Static NAT on a group service object.

It is my understanding that you can use Dynamic Policy NAT to specify a Group Service object for NATing the whole group to a specific internal IP.  This way one does not need to "burn" an IP by using a static 1 to 1 NAT rule.
0
Ernie BeekExpertCommented:
Ok, we're thinking along the same lines :)

But I'm afraid (to my knowledge) there is no way to do this (NATting the whole group at once) using dynamic policy NAT or any other way in <8.3 versions.
The only two ways are:
1) "burning" a public ip by using a static 1 to 1 NAT
2) Forwarding each port separately like said before:
static (inside,outside) tcp 1.2.3.4 ftp 192.168.1.1 ftp netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 30000 192.168.1.1 30000 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 30001 192.168.1.1 30001 netmask 255.255.255.255

so you don't burn a whole public address.
0
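As an added example (not code from the thread, from Cisco or from the poster), a small Python script that expands the Passive_FTP object-group from the question into the per-port static lines Ernie describes for pre-8.3 PIX code, so the 102 lines need not be typed by hand; the addresses 1.2.3.4 and 192.168.1.1 are the placeholders from his example.

```python
import re

# The Passive_FTP object-group as posted in the question (pre-8.3 PIX syntax).
SAMPLE_OBJECT_GROUP = """\
object-group service Passive_FTP tcp
 description Passive FTP
 port-object eq ftp
 port-object range 30000 30100
"""

HEADER_RE = re.compile(r"^object-group\s+service\s+(\S+)\s+(tcp|udp)\s*$")
EQ_RE = re.compile(r"^\s*port-object\s+eq\s+(\S+)\s*$")
RANGE_RE = re.compile(r"^\s*port-object\s+range\s+(\d+)\s+(\d+)\s*$")


def parse_service_group(config_text):
    """Return (protocol, [port tokens]) from one 'object-group service' block.

    Named ports ('ftp') are kept as names, since the static command accepts
    them just as the object-group does. Ranges are expanded one port at a time.
    """
    proto, ports = None, []
    for line in config_text.splitlines():
        if (m := HEADER_RE.match(line)):
            proto = m.group(2)
        elif (m := EQ_RE.match(line)):
            ports.append(m.group(1))
        elif (m := RANGE_RE.match(line)):
            lo, hi = int(m.group(1)), int(m.group(2))
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"bad port range: {line.strip()}")
            ports.extend(str(p) for p in range(lo, hi + 1))
    if proto is None:
        raise ValueError("no 'object-group service <name> tcp|udp' header found")
    return proto, ports


def static_port_forwards(config_text, public_ip, private_ip,
                         inside="inside", outside="outside"):
    """One pre-8.3 'static' line per port, same port on both sides."""
    proto, ports = parse_service_group(config_text)
    return [
        f"static ({inside},{outside}) {proto} {public_ip} {port} "
        f"{private_ip} {port} netmask 255.255.255.255"
        for port in ports
    ]


if __name__ == "__main__":
    # Placeholder addresses from Ernie's example; substitute your own.
    for line in static_port_forwards(SAMPLE_OBJECT_GROUP, "1.2.3.4", "192.168.1.1"):
        print(line)
```

The interface names default to inside/outside; pass inside="business" to match the poster's interface naming, and paste the printed lines into the configuration.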
yewnixAuthor Commented:
I understand.  I believe there is a solution out there so I would like to keep this open.  I cannot think that Cisco would not allow you in the PIX IOS to forward/NAT a specific group or range of ports.

Entering in line by line is not something I would like to do
0
Ernie BeekExpertCommented:
Believe me, they did ;) That possibility was only implemented from 8.3 on.

I don't mind you keeping this open. Remember though that at a certain moment (21 days) the question times out and will become available for cleaning (so it will be force closed or deleted).
0
yewnixAuthor Commented:
They don't make an 8.3 for the PIX, maybe for the ASA, but not the PIX.
0
Ernie BeekExpertCommented:
I know. The thing is that the PIX series is end of life and almost end of support (and end of anything).
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_eol_notice0900aecd8073fa36.html

So though it's still working you can't make use of newly introduced options anymore :(
0