Solved

PIX 515E - Dynamic Policy NAT Rule

Posted on 2012-04-04
1,081 Views
Last Modified: 2012-06-21
I need help understanding how to forward port ranges in my PIX 515e.
I have setup a Service Group for FTP.

object-group service Passive_FTP tcp
 description Passive FTP
 port-object eq ftp
 port-object range 30000 30100


I have allowed this in the ACL
access-list outside_access_in extended permit tcp any any object-group Passive_FTP 


My issue is properly adding it into the NAT Rules table.
I believe I need to add a Dynamic Policy NAT rule to the inside interface.  I've tried many approaches and none so far have been successful.

I'm looking for some quick assistance.  Thanks.
Question by:yewnix
17 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37809869
What version is the PIX? Dynamic policy NAT is supported on 6.3.2 and later.

I took the liberty of adding the topics: Network Routers and Networking Hardware Firewalls to your question to see if we can draw some more expert attention.

Author Comment

by:yewnix
ID: 37810240
Sorry, I should have put the versions in the original post.
PIX Version 8.0(4)
ASDM Version 6.0(3)

Thanks for adding this question to more topics.
LVL 35

Expert Comment

by:Ernie Beek
ID: 37810355
You're welcome :)

Let's see if I can help you a bit further myself. I assume you want to enable outside access to an inside FTP server. There should be no need for a policy NAT on the inside interface then. The easiest would be to set up a static from an additional public address to the inside ip of the FTP server and be done with it (if you have public ip's to spare that is).

Author Comment

by:yewnix
ID: 37810389
You are correct that I would like to enable outside access on interface "outside" to an internal IP on interface "business".

I have already done Static NAT rules for single port PAT rules and this works fine.  I did also test a full 1-to-1 static NAT by burning one of my IP addresses and this works as well.  However,  I really would like to learn how to use Dynamic Policy NAT rules in conjunction with Service Groups to NAT a range of ports to a designated internal IP address.

Please see 3 attached pics.
nat-rules.jpg
acl-rules.jpg
service-groups.jpg
LVL 35

Expert Comment

by:Ernie Beek
ID: 37810441
If I understand correctly, you would like to define a port range and use that instead of having to forward each port separately?

It can be done but you'll need 8.3 or beyond for that. Then you should be able to do that something like:

object network obj-1.2.3.4
   host 1.2.3.4

Public address

object network obj-192.168.1.1
   host 192.168.1.1

Private (FTP server) address

object-group service Passive_FTP tcp
 description Passive FTP
 port-object eq ftp
 port-object range 30000 30100

nat (inside,outside) source static obj-1.2.3.4 obj-192.168.1.1 service Passive_FTP Passive_FTP

Author Comment

by:yewnix
ID: 37810451
So you are saying my current version will not work properly for this?
Also I edited my statement above and added an additional photo.
LVL 35

Expert Comment

by:Ernie Beek
ID: 37810487
The thing is that with pre-8.3 you can't use a service object in the nat statement (or static that is). So you need to create a line for each port:

static (inside,outside) tcp 1.2.3.4 ftp 192.168.1.1 ftp netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 30000 192.168.1.1 30000 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 30001 192.168.1.1 30001 netmask 255.255.255.255


etc.

Author Comment

by:yewnix
ID: 37810656
So I'm using 8.0(4) which I would assume is just 8.0?
LVL 35

Expert Comment

by:Ernie Beek
ID: 37810661
Well, yes. Though of course there are some differences between the (sub) versions.

Author Comment

by:yewnix
ID: 37810789
Okay, I'm confused.  I went to the Cisco site and the latest IOS that is listed there is 8.0.4.28.  It doesn't look like there is a 8.3 version or higher.  I should be able to get the Dynamic Policy NAT to work on the version of code that I'm currently running.
LVL 35

Expert Comment

by:Ernie Beek
ID: 37811117
Yes, it looks like 8.0.4.28 is the final version supported on the PIX.

Let's back up a bit to see if I might misinterpret the meaning of Dynamic Policy NAT as you stated it.

-You have an FTP server you want to allow access to from the outside.
-You want to allow a number of ports as defined in the object Passive_FTP
-This object can be used in an ACL but can't be used in the static command (see: https://supportforums.cisco.com/docs/DOC-9129)

So where does the Dynamic Policy NAT fit in? Or better, what is your interpretation of Dynamic Policy NAT?

Author Comment

by:yewnix
ID: 37811326
Yes, you are correct on all 3 statements above, including that you cannot use a Static NAT on a group service object.

It is my understanding that you can use Dynamic Policy NAT to specify a Group Service object for NATing the whole group to a specific internal IP.  This way one does not need to "burn" an IP by using a static 1 to 1 NAT rule.
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 37811519
OK, we're thinking along the same lines :)

But I'm afraid (to my knowledge) there is no way to do this (NATting the whole group at once) using dynamic policy NAT or any other way in <8.3 versions.
The only two ways are:
1) "burning" a public ip by using a static 1 to 1 NAT
2) Forwarding each port separately like said before:
static (inside,outside) tcp 1.2.3.4 ftp 192.168.1.1 ftp netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 30000 192.168.1.1 30000 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 30001 192.168.1.1 30001 netmask 255.255.255.255

so you don't burn a whole public address.
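Since pre-8.3 code cannot reference a service object-group in a static, the per-port statements above have to be generated one by one. The following is an added example (not code from this thread or from Cisco): it parses the Passive_FTP object-group posted in the question and emits one static per port; the public/private addresses and the interface names are parameters, since the asker's inside interface is actually named "business".

```python
# Added example: expand a PIX object-group service into per-port static statements.
import re

# Well-known service names that may appear in "port-object eq <name>" (assumed subset;
# extend as needed). PIX accepts the keyword "ftp" or the number 21 interchangeably.
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "http": 80, "https": 443, "ssh": 22}


def parse_ports(object_group_text):
    """Return the sorted, de-duplicated list of TCP ports named by an object-group block."""
    ports = set()
    for raw in object_group_text.splitlines():
        line = raw.strip()
        m = re.match(r"port-object eq (\S+)$", line)
        if m:
            token = m.group(1)
            ports.add(int(token) if token.isdigit() else PORT_NAMES[token])
            continue
        m = re.match(r"port-object range (\d+) (\d+)$", line)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError(f"bad range in object-group: {line}")
            ports.update(range(lo, hi + 1))
    return sorted(ports)


def static_lines(object_group_text, public_ip, private_ip,
                 inside="inside", outside="outside"):
    """One 'static (inside,outside) tcp ...' line per port, pre-8.3 syntax."""
    return [
        f"static ({inside},{outside}) tcp {public_ip} {port} {private_ip} {port} "
        f"netmask 255.255.255.255"
        for port in parse_ports(object_group_text)
    ]


# The object-group exactly as posted in the question (constructed input for this example).
PASSIVE_FTP = """object-group service Passive_FTP tcp
 description Passive FTP
 port-object eq ftp
 port-object range 30000 30100
"""

if __name__ == "__main__":
    # Addresses are placeholders from the thread; "business" is the asker's inside interface.
    for line in static_lines(PASSIVE_FTP, "1.2.3.4", "192.168.1.1", inside="business"):
        print(line)
```

Paste the output into config mode; each static still consumes a PAT entry on the public address, so check the count (102 here) against what the box is willing to hold.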

Author Comment

by:yewnix
ID: 37811544
I understand.  I believe there is a solution out there, so I would like to keep this open.  I cannot think that Cisco would not allow you in the PIX IOS to forward/NAT a specific group or range of ports.

Entering it in line by line is not something I would like to do.
LVL 35

Expert Comment

by:Ernie Beek
ID: 37811572
Believe me, they did ;) That possibility was only implemented from 8.3 onwards.

I don't mind you keeping this open. Remember though that at a certain moment (21 days) the question times out and will become available for cleaning (so it will be force closed or deleted).

Author Comment

by:yewnix
ID: 37811581
They don't make an 8.3 for the PIX, maybe for the ASA, but not the PIX.
LVL 35

Expert Comment

by:Ernie Beek
ID: 37811591
I know. The thing is that the PIX series is end of life and almost end of support (and end of anything).
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_eol_notice0900aecd8073fa36.html

So though it's still working you can't make use of newly introduced options anymore :(