Solved

PIX 515E - Dynamic Policy NAT Rule

Posted on 2012-04-04
Last Modified: 2012-06-21
I need help understanding how to forward port ranges in my PIX 515e.
I have setup a Service Group for FTP.

object-group service Passive_FTP tcp
 description Passive FTP
 port-object eq ftp
 port-object range 30000 30100


I have allowed this in the ACL
access-list outside_access_in extended permit tcp any any object-group Passive_FTP 


My issue is properly adding it into the NAT Rules table.
I believe I need to add a Dynamic Policy NAT rule to the inside interface.  I've tried many approaches and none so far have been successful.

I'm looking for some quick assistance.  Thanks.
0
Question by:yewnix
17 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37809869
What version is the PIX? Dynamic policy NAT is supported on 6.3.2 and further.

I took the liberty of adding the topics: Network Routers and Networking Hardware Firewalls to your question to see if we can draw some more expert attention.
0
 

Author Comment

by:yewnix
ID: 37810240
Sorry, I should have put the versions in the original post.
PIX Version 8.0(4)
ASDM Version 6.0(3)

Thanks for adding this question to more topics.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37810355
You're welcome :)

Let's see if I can help you a bit further myself. I assume you want to enable outside access to an inside FTP server. There should be no need for a policy NAT on the inside interface then. The easiest would be to set up a static from an additional public address to the inside ip of the FTP server and be done with it (if you have public ip's to spare that is).
0
 

Author Comment

by:yewnix
ID: 37810389
You are correct that I would like to enable outside access on interface "outside" to an internal IP on interface "business".

I have already done Static NAT rules for single-port PAT rules and this works fine.  I did also test a full 1-to-1 static NAT by burning one of my IP addresses and this works as well.  However, I really would like to learn how to use Dynamic Policy NAT rules in conjunction with Service Groups to NAT a range of ports to a designated internal IP address.

Please see 3 attached pics.
nat-rules.jpg
acl-rules.jpg
service-groups.jpg
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37810441
If I understand correctly, you would like to define a port range and use that instead of having to forward each port separately?

It can be done but you'll need 8.3 or beyond for that. Then you should be able to do that something like:

object network obj-1.2.3.4
   host 1.2.3.4

Public address

object network obj-192.168.1.1
   host 192.168.1.1

Private (FTP server) address

object-group service Passive_FTP tcp
 description Passive FTP
 port-object eq ftp
 port-object range 30000 30100

nat (inside,outside) source static obj-1.2.3.4 obj-192.168.1.1 service Passive_FTP Passive_FTP
0
 

Author Comment

by:yewnix
ID: 37810451
So you are saying my current version will not work properly for this?
Also I edited my statement above and added an additional photo.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37810487
The thing is that with pre-8.3 you can't use a service object in the nat statement (or static that is). So you need to create a line for each port:

static (inside,outside) tcp 1.2.3.4 ftp 192.168.1.1 ftp netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 30000 192.168.1.1 30000 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 30001 192.168.1.1 30001 netmask 255.255.255.255


etc.
0
 

Author Comment

by:yewnix
ID: 37810656
So I'm using 8.0(4) which I would assume is just 8.0?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37810661
Well, yes. Though of course there are some differences between the (sub) versions.
0
 

Author Comment

by:yewnix
ID: 37810789
Okay, I'm confused.  I went to the Cisco site and the latest IOS that is listed there is 8.0.4.28.  It doesn't look like there is a 8.3 version or higher.  I should be able to get the Dynamic Policy NAT to work on the version of code that I'm currently running.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37811117
Yes, it looks like 8.0.4.28 is the final version supported on the PIX.

Let's back up a bit to see if I might misinterpret the meaning of Dynamic Policy NAT as you stated it.

-You have an FTP server you want to allow access to from the outside.
-You want to allow a number of ports as defined in the object Passive_FTP
-This object can be used in an ACL but can't be used in the static command (see: https://supportforums.cisco.com/docs/DOC-9129)

So where does the Dynamic Policy NAT fit in? Or better, what is your interpretation of Dynamic Policy NAT?
0
 

Author Comment

by:yewnix
ID: 37811326
Yes, you are correct on all 3 statements above, including that you cannot use a Static NAT on a group service object.

It is my understanding that you can use Dynamic Policy NAT to specify a Group Service object for NATing the whole group to a specific internal IP.  This way one does not need to "burn" an IP by using a static 1-to-1 NAT rule.
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 37811519
Ok, we're thinking along the same lines:)

But I'm afraid (to my knowledge) there is no way to do this (NATting the whole group at once) using dynamic policy NAT or any other way in <8.3 versions.
The only two ways are:
1) "burning" a public ip by using a static 1 to 1 NAT
2) Forwarding each port separately like said before:
static (inside,outside) tcp 1.2.3.4 ftp 192.168.1.1 ftp netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 30000 192.168.1.1 30000 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 30001 192.168.1.1 30001 netmask 255.255.255.255

so you don't burn a whole public address.
0
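As an added example (not code from the thread or from Cisco), a small Python generator for option 2 above and for the object-group quoted in the question: it parses the port-object lines and emits one pre-8.3 static entry per port, so the lines do not have to be typed by hand. The addresses 1.2.3.4 and 192.168.1.1 are the thread's placeholders, and the interface names are parameters (the asker's inside interface is called "business").

```python
import re

# Constructed sample in the shape of the object-group quoted in the question.
OBJECT_GROUP = """\
object-group service Passive_FTP tcp
 description Passive FTP
 port-object eq ftp
 port-object range 30000 30100
"""

# Service names the PIX accepts in place of a number (only those needed here).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "http": 80, "https": 443}

def to_port(token):
    """Translate a numeric or named port token into an int, rejecting anything else."""
    n = int(token) if token.isdigit() else PORT_NAMES.get(token)
    if n is None or not 0 <= n <= 65535:
        raise ValueError(f"unsupported port token: {token!r}")
    return n

def parse_port_objects(text):
    """Return the sorted, de-duplicated TCP ports listed by the port-object lines."""
    ports = set()
    for line in text.splitlines():
        m = re.match(r"\s*port-object\s+(eq|range)\s+(\S+)(?:\s+(\S+))?\s*$", line)
        if not m:
            continue  # header, description and blank lines carry no ports
        kind, first, second = m.groups()
        if kind == "eq":
            if second is not None:
                raise ValueError(f"'eq' takes a single port: {line.strip()!r}")
            ports.add(to_port(first))
        else:
            if second is None:
                raise ValueError(f"'range' needs two ports: {line.strip()!r}")
            lo, hi = to_port(first), to_port(second)
            if lo > hi:
                raise ValueError(f"inverted range: {line.strip()!r}")
            ports.update(range(lo, hi + 1))  # PIX ranges are inclusive
    return sorted(ports)

def static_lines(public_ip, private_ip, ports, inside="inside", outside="outside"):
    """One pre-8.3 'static' port forward per port, same port number on both sides."""
    return [
        f"static ({inside},{outside}) tcp {public_ip} {p} {private_ip} {p} "
        "netmask 255.255.255.255"
        for p in ports
    ]
```

Run `static_lines("1.2.3.4", "192.168.1.1", parse_port_objects(OBJECT_GROUP), inside="business")` and paste the result into the config; for this group that is 102 entries, which is why the thread weighs it against burning a public address.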
 

Author Comment

by:yewnix
ID: 37811544
I understand.  I believe there is a solution out there, so I would like to keep this open.  I cannot think that Cisco would not allow you in the PIX IOS to forward/NAT a specific group or range of ports.

Entering it in line by line is not something I would like to do.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37811572
Believe me, they did ;) That possibility was only implemented from 8.3 on.

I don't mind you keeping this open. Remember though that at a certain moment (21 days) the question times out and will become available for cleaning (so it will be force closed or deleted).
0
 

Author Comment

by:yewnix
ID: 37811581
They don't make an 8.3 for the PIX, maybe for the ASA, but not the PIX.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37811591
I know. The thing is that the PIX series is end of life and almost end of support (and end of anything).
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_eol_notice0900aecd8073fa36.html

So though it's still working you can't make use of newly introduced options anymore :(
0
