Static NAT vs. access-list

Hello

I have a question: what is the best practice, static NAT with port translation or static NAT with an access list? Example:

Web server (192.168.1.1) inside, reachable from outside as 10.10.10.10 on ports 80 and 443.

ip nat inside source static tcp 192.168.1.1 80 10.10.10.10 80
ip nat inside source static tcp 192.168.1.1 443 10.10.10.10 443

Or

ip nat inside source static 192.168.1.1 10.10.10.10

access-list 101 permit tcp any host 10.10.10.10 eq 80
access-list 101 permit tcp any host 10.10.10.10 eq 443

interface ethernet0
 ip access-group 101 in

Thank you

The operational reasons - it will break things.
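The two designs in the question differ in where the exposure is decided: with per-port static PAT the router simply has no translation for any other port, while with a whole-host static NAT the inbound ACL is the only thing keeping ports other than 80 and 443 closed. The following Python model is an added example, not code from the original post or from Cisco. It follows the IOS packet path for outside-to-inside traffic (the inbound ACL on the outside interface is evaluated against the global address before the static entry is untranslated) and assumes ethernet0 is the outside interface; the parsers only understand the exact command shapes used in the question and are not an IOS parser.

```python
"""Inbound exposure of per-port static PAT versus whole-host static NAT + ACL.

Added example, not from the original post. Models the IOS outside-to-inside
packet path: inbound ACL on the outside interface first (matching the global
address), then the static NAT table decides whether an inside destination
exists. Only the command forms used in the question are parsed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NatEntry:
    inside_ip: str
    outside_ip: str
    proto: Optional[str] = None        # None: whole-host (1:1) static NAT
    inside_port: Optional[int] = None
    outside_port: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip", "tcp" or "udp"
    dst_ip: str                        # "any" or a host address
    dst_port: Optional[int]            # None: any port


def parse_nat(line: str) -> NatEntry:
    """ip nat inside source static [tcp|udp] LOCAL [LPORT] GLOBAL [GPORT]"""
    rest = line.split()[5:]
    if rest[0] in ("tcp", "udp"):
        return NatEntry(rest[1], rest[3], rest[0], int(rest[2]), int(rest[4]))
    return NatEntry(rest[0], rest[1])


def parse_acl(line: str) -> AclEntry:
    """access-list N permit|deny PROTO any host DST [eq PORT]"""
    t = line.split()
    if t[4] != "any" or t[5] != "host":
        raise ValueError("only 'any host X' entries are modelled: " + line)
    port = int(t[8]) if len(t) > 8 and t[7] == "eq" else None
    return AclEntry(t[2], t[3], t[6], port)


def acl_permits(acl: Optional[List[AclEntry]], pkt: Packet) -> bool:
    """First match wins and an applied ACL ends in an implicit deny;
    an interface with no ACL applied permits everything."""
    if acl is None:
        return True
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if e.dst_ip not in ("any", pkt.dst_ip):
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.action == "permit"
    return False


def untranslate(nat: List[NatEntry], pkt: Packet) -> Optional[Tuple[str, int]]:
    """Inside address/port for an inbound packet, or None when no static
    entry covers it (the router then has no inside host to forward it to)."""
    for e in nat:
        if e.outside_ip != pkt.dst_ip:
            continue
        if e.proto is None:
            return (e.inside_ip, pkt.dst_port)
        if e.proto == pkt.proto and e.outside_port == pkt.dst_port:
            return (e.inside_ip, e.inside_port)
    return None


def inbound_result(nat_lines, acl_lines, pkt: Packet) -> str:
    nat = [parse_nat(l) for l in nat_lines]
    acl = None if acl_lines is None else [parse_acl(l) for l in acl_lines]
    if not acl_permits(acl, pkt):
        return "denied by ACL"
    real = untranslate(nat, pkt)
    if real is None:
        return "no translation"
    return f"forwarded to {real[0]}:{real[1]}"


def exposed_ports(nat_lines, acl_lines, ports=(22, 80, 443, 3389)) -> set:
    """TCP ports on 10.10.10.10 that actually reach the inside server."""
    return {p for p in ports
            if inbound_result(nat_lines, acl_lines,
                              Packet("tcp", "10.10.10.10", p)).startswith("forwarded")}


# Design A: per-port static PAT only (the corrected lines from the question)
DESIGN_A_NAT = [
    "ip nat inside source static tcp 192.168.1.1 80 10.10.10.10 80",
    "ip nat inside source static tcp 192.168.1.1 443 10.10.10.10 443",
]
# Design B: whole-host static NAT, exposure controlled by ACL 101 on the outside interface
DESIGN_B_NAT = ["ip nat inside source static 192.168.1.1 10.10.10.10"]
DESIGN_B_ACL = [
    "access-list 101 permit tcp any host 10.10.10.10 eq 80",
    "access-list 101 permit tcp any host 10.10.10.10 eq 443",
]

if __name__ == "__main__":
    print("A, static PAT without ACL:", sorted(exposed_ports(DESIGN_A_NAT, None)))
    print("B, static NAT with ACL:   ", sorted(exposed_ports(DESIGN_B_NAT, DESIGN_B_ACL)))
    print("B with the ACL removed:   ", sorted(exposed_ports(DESIGN_B_NAT, None)))
    print("A plus the ACL (both):    ", sorted(exposed_ports(DESIGN_A_NAT, DESIGN_B_ACL)))
```

The model shows the practical difference: removing or mistyping the ACL in design B exposes every port of 192.168.1.1, whereas design A stays closed on its own, and combining the per-port statics with the ACL gives two independent layers. One caveat the model does not cover: a plain inbound ACL on the outside interface is stateless, so ACL 101 as written also drops the return traffic of connections the inside hosts initiate unless an `established` entry or stateful inspection is added, which is the kind of breakage the short reply above is warning about.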

Tags: Cisco Security

Similar Questions

  • static vs nat/global

    Leaving the access list aside, what is the difference between:

    nat (inside) 1 172.16.5.10 255.255.255.255
    global (outside) 1 192.168.5.10 netmask 255.255.255.255

    and

    static (inside,outside) 192.168.5.10 172.16.5.10 netmask 255.255.255.255

    Thank you.

    In reality a static must be combined with an access list for two-way communication... You are right in the sense that

    static = nat/global + access-list

    Basically, the rule is that traffic is allowed by default from a higher-security interface to a lower-security interface,

    BUT

    for communication from the lower-security to the higher-security interface you need an access list as well as the STATIC.

    Thank you

    Nadeem

  • Please help: nat (inside) 0 0 0 vs nat (inside) 0 access-list

    I have a problem with my PIX firewall.

    I don't want any NAT for traffic originating on the inside interface.

    When I give

    nat (inside) 0 access-list 80
    access-list 80 permit ip any any

    it works very well.

    But when I try

    nat (inside) 0 0 0

    it does not work for my IPsec clients.

    As far as I know, the PIX requires NAT to allow traffic from a higher-security interface to a lower-security interface. Can I use nat 0 to bypass NAT?

    Help, please?

    Hello

    Identity NAT works with an access-list, i.e. a nat 0 statement with an ACL... or you can specify the network... I don't know if you can put 0 0... I have not seen anyone use that...

    Refer to the nat command documentation for this:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/cmdref/Mr.htm#wp1161298

    As for the first config... that's right... with access-list 80!

    REDA

  • NAT with access-list

    Hi,

    I want to NAT based on the destination address.

    For example, if the destination is A, NAT to pool x; if the destination is anything else, NAT to pool y.

    IOS supports NATting with ACLs and route maps.

    But as stated in the command reference, specifying an ACL is valid only for nat 0.

    So how can I NAT based on the destination address?

    Is it possible on the PIX?

    If so, how?

    Thanks in advance

    You cannot do conditional NAT based on the destination address on the PIX. The only way to achieve this would be to have several interfaces, with routes that send the traffic for each destination out a different interface, and NAT on each interface as appropriate.

  • Static NAT and nat 0 ACL

    All,

    I have a nat 0 ACL indicating that an IP address should not be NATted, while a static NAT statement says it should be NATted. I just want to know which one takes precedence.

    Thank you

    It is the PIX/ASA NAT order of operations.

    The nat (nameif) 0 access-list acl_name has priority.

    1. nat 0 access-list (NAT exemption)

    2. match existing xlates

    3. match static commands

       a. static NAT with no access-list

       b. static PAT with no access-list

    4. match nat commands

       a. nat [id] access-list (first match)

       b. nat [id] [address] [mask] (best match)

          i. if the ID is 0, create an identity xlate

          ii. use the global pool for dynamic NAT

          iii. use the global pool for dynamic PAT
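The precedence list above, carried through as an added example (not code from the original post or from Cisco): a small resolver that decides which rule an inside-to-outside flow hits, in the documented order of nat 0 access-list, existing xlate, static, nat [id] access-list (first match), nat [id] address mask (best match, taken here as longest prefix). The addresses, the rule set and the `global-pool-N` placeholder standing in for an address from `global (outside) N` are assumptions for illustration; nothing here parses PIX syntax.

```python
"""PIX/ASA (pre-8.3) NAT order of operations as a resolver.

Added example, not from the original post. Given hand-built rule objects,
resolve() returns the winning rule and the mapped source for a new
inside-to-outside flow, in the documented precedence. The global pool is a
placeholder string, not a real address allocation.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class AclLine:
    """One permit line of an access-list: source network -> destination network."""
    src: Net
    dst: Net

    def matches(self, s: Addr, d: Addr) -> bool:
        return s in self.src and d in self.dst


@dataclass(frozen=True)
class Nat0Acl:      # nat (inside) 0 access-list NAME      (NAT exemption)
    lines: Tuple[AclLine, ...]


@dataclass(frozen=True)
class Static:       # static (inside,outside) MAPPED LOCAL netmask 255.255.255.255
    local: Addr
    mapped: Addr


@dataclass(frozen=True)
class NatAcl:       # nat (inside) ID access-list NAME     (policy NAT, first match)
    nat_id: int
    lines: Tuple[AclLine, ...]


@dataclass(frozen=True)
class NatNet:       # nat (inside) ID ADDRESS MASK         (best match)
    nat_id: int
    net: Net


class PixNatTable:
    def __init__(self, rules: List[object]):
        self.rules = rules
        self.xlates = {}      # local address -> mapped address, as "show xlate" would list

    def resolve(self, src: str, dst: str) -> Tuple[str, Optional[str]]:
        """Return (rule that won, mapped source address) for one new flow."""
        s, d = Addr(src), Addr(dst)
        # 1. nat 0 access-list: exemption beats everything, even an existing xlate
        for r in self.rules:
            if isinstance(r, Nat0Acl) and any(l.matches(s, d) for l in r.lines):
                return ("nat 0 access-list", src)
        # 2. an xlate already built for this host is reused
        if s in self.xlates:
            return ("existing xlate", self.xlates[s])
        # 3. static (without access-list)
        for r in self.rules:
            if isinstance(r, Static) and r.local == s:
                self.xlates[s] = str(r.mapped)
                return ("static", str(r.mapped))
        # 4a. nat [id] access-list: the first matching line wins
        for r in self.rules:
            if isinstance(r, NatAcl) and any(l.matches(s, d) for l in r.lines):
                return self._dynamic(s, r.nat_id)
        # 4b. nat [id] address mask: the most specific matching network wins
        best: Optional[NatNet] = None
        for r in self.rules:
            if isinstance(r, NatNet) and s in r.net:
                if best is None or r.net.prefixlen > best.net.prefixlen:
                    best = r
        if best is not None:
            return self._dynamic(s, best.nat_id)
        return ("no translation", None)

    def _dynamic(self, s: Addr, nat_id: int) -> Tuple[str, str]:
        # id 0 is identity NAT; any other id draws from "global (outside) id"
        mapped = str(s) if nat_id == 0 else f"global-pool-{nat_id}"
        self.xlates[s] = mapped
        return (f"nat {nat_id}", mapped)


def example_table() -> PixNatTable:
    """The situation in the question: a nat 0 ACL exempting 10.1.1.5 towards a
    partner network, and a static saying the same host must be translated.
    All addresses are constructed for the example."""
    return PixNatTable([
        Nat0Acl((AclLine(Net("10.1.1.5/32"), Net("192.168.100.0/24")),)),
        Static(Addr("10.1.1.5"), Addr("203.0.113.5")),
        NatNet(1, Net("10.0.0.0/8")),
        NatNet(2, Net("10.1.0.0/16")),
    ])


if __name__ == "__main__":
    t = example_table()
    for src, dst in [("10.1.1.5", "192.168.100.7"), ("10.1.1.5", "198.51.100.9"),
                     ("10.1.7.9", "198.51.100.9"), ("10.2.7.9", "198.51.100.9")]:
        print(f"{src} -> {dst}: {t.resolve(src, dst)}")
```

Running it answers the question as the list does: 10.1.1.5 towards 192.168.100.0/24 is exempted by the nat 0 ACL even though a static exists for it, the same host towards any other destination is translated by the static, and a second flow from it reuses that xlate rather than re-evaluating the statics.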

  • Static policy NAT in conflict with VPN static NAT

    I have a situation where I need to create a site-to-site VPN between an ASA 5505 using IOS 7.2 and a SonicWall NSA4500. The problem arises because the LAN behind the Cisco ASA has the same subnet as an existing VPN already created on the SonicWall. Since the SonicWall cannot have two VPNs running on the same subnet, the solution is to use policy NAT on the ASA so that, to the SonicWall, the new VPN appears to have a different subnet.

    The current subnet behind the ASA is 192.168.10.0/24 (the SonicWall already has a VPN created for another customer with the same subnet). I am trying to translate it to 192.168.24.0/24. The peer LAN (behind the SonicWall) is 10.159.0.0/24. The relevant ASA configuration is:

    interface Vlan1
     ip address 192.168.10.1 255.255.255.0

    access-list outside_1_cryptomap extended permit ip 192.168.24.0 255.255.255.0 10.159.0.0 255.255.255.0
    access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0

    static (inside,outside) 192.168.24.0 access-list VPN

    crypto map outside_map 1 match address outside_1_cryptomap

    In addition, there are other static NAT statements and their associated ACLs that allow certain traffic through the firewall to the server, for example:

    static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255

    The problem is this: when I enter the static policy NAT statement, I get the message "WARNING: real-address conflict with existing static" and it then refers to each of the static NAT statements mapping the external address to the server. I have thought about it, and it seemed to me that the problem was that the policy NAT statement must be the first NAT statement (it is the last one) so that it is evaluated first and all traffic destined for the VPN tunnel to the SonicWall (destination 10.159.0.0/24) is handled properly. If I left it as the last statement, the other static NAT statements would prevent part of the traffic bound for the 10.159.0.0/24 network from being correctly routed through the VPN.

    So I first tried to move my policy NAT statement upward in the ASDM GUI. However, moving the statement was not allowed. Then I tried deleting the five static NAT statements that point to the server (an example is above) and recreating them, hoping that the policy NAT statement would then move up. This also failed.

    What am I missing?

    Hello

    I assumed that we could have changed the order of the original "static" commands, but as that did not work for some reason, it seems to me that the change you suggested, or the one I proposed, should work.

    I guess your purpose was to set up static policy PAT for the VPN for some of these services, then static PAT for public network access, then static policy NAT for the rest of the internal network.

    I guess you could choose whichever way seems best to you.

    Let me know if you get it working. I still find it strange that the original configuration did not work.

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary

    - Jouni

  • Cisco 861: DHCP + static public IPs + NAT/DNAT. Help.

    Hello

    I used to use a self-made CentOS server as the gateway for my small office, but a few days ago I bought a Cisco 861 router to replace the Linux machine.

    My needs:

    1. I have 2 public IP ranges from my ISP. One range is limited to 80 Mbit upload, the other to 30 Mbit upload. So I need some sort of DNAT to control exactly which intranet computer uses the fast internet link and which uses the limited one.

    2. I need a DHCP server with static IP addresses (a computer must always get the same IP address, etc.)... I have my reasons for this.

    3. I also need external access to certain servers on the inside (web, ftp, etc.)

    Parameters:

    Intranet (DHCP): 10.11.12.x 255.255.255.0

    Public Internet 1: 89.45.204.118 255.255.255.248 (89.45.204.117 as gateway)

    Public Internet 2: some other range from the same ISP (assume 89.45.204.58/24 for example)

    DNS: 89.45.200.1

    So far so good, everything seems simple and I can do this in 2 hours on a CentOS Linux box (correct routes, IP routing enabled and some iptables NAT/SNAT/DNAT rules).

    But on this new router, unlike CentOS... well, I am not yet able to ping the outside world, nor the inside world. I am tired of reading the forums and documentation... I want (at the beginning) a simple scenario: VLAN + DHCP, FastEthernet4 with 1 public IP address and access to the real world. I was not able to get even that far.

    OK, first of all, here is a copy of the running configuration:

    Building configuration...

    Current configuration : 5826 bytes
    !
    version 15.1
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname cisco861
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 [removed]
    enable password [removed]
    !
    no aaa new-model
    memory-size iomem 10
    crypto pki token default removal timeout 0
    !
    crypto pki trustpoint TP-self-signed-2459631067
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2459631067
     revocation-check none
     rsakeypair TP-self-signed-2459631067
    !
    crypto pki certificate chain TP-self-signed-2459631067
     certificate self-signed 01
      [removed]
      quit
    ip source-route
    !
    ip dhcp excluded-address 10.11.12.1
    ip dhcp excluded-address 10.11.12.251 10.11.12.254
    !
    ip dhcp pool cisco861-iasi
     import all
     network 10.11.12.0 255.255.255.0
     domain-name cisco861.iasi
     dns-server 10.11.12.1 89.45.200.1
     default-router 10.11.12.1
     netbios-name-server 10.11.12.2 10.11.12.3
    !
    ip dhcp pool testPC
     host 10.11.12.111 255.255.255.0
     client-identifier 0100.c030.1012.09
     client-name testpc-01
    !
    ip cef
    ip domain name cisco861.iasi
    ip name-server 89.45.200.1
    !
    license udi pid CISCO861-K9 sn [removed]
    !
    username admin privilege 15 secret 4 [removed]
    !
    interface FastEthernet0
     no ip address
    !
    interface FastEthernet1
     no ip address
    !
    interface FastEthernet2
     no ip address
    !
    interface FastEthernet3
     no ip address
    !
    interface FastEthernet4
     description external$ETH-LAN$
     ip address 89.45.204.118 255.255.255.248
     ip nat outside
     ip virtual-reassembly in
     duplex full
     speed auto
    !
    interface Vlan1
     description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
     ip address 10.11.12.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1452
    !
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat inside source list 23 interface FastEthernet4 overload
    ip route 0.0.0.0 0.0.0.0 89.45.204.117
    !
    access-list 23 permit 10.11.12.0 0.0.0.255
    dialer-list 1 protocol ip permit
    snmp-server community cisco861.iasi RO
    !
    line con 0
     login local
    line aux 0
    line vty 0 4
     access-class 23 in
     privilege level 15
     password [removed]
     login local
     transport input telnet ssh
    !
    end

    (I couldn't find any CODE or QUOTE tag like on other forums... so I tried to indent the config for you guys)

    In addition, here are a few troubleshooting commands I used; maybe they can help some of you figure out what the problem is.

    cisco861#show ip interface brief
    Interface                  IP-Address      OK? Method Status                Protocol
    FastEthernet0              unassigned      YES unset  up                    up
    FastEthernet1              unassigned      YES unset  down                  down
    FastEthernet2              unassigned      YES unset  down                  down
    FastEthernet3              unassigned      YES unset  down                  down
    FastEthernet4              89.45.204.118   YES manual up                    up
    NVI0                       89.45.204.118   YES unset  up                    up
    Vlan1                      10.11.12.1      YES manual up                    up

    cisco861#show mac-address-table
    Destination Address  Address Type  VLAN  Destination Port
    -------------------  ------------  ----  --------------------
    xxxx.xxxx.xxxx       Dynamic       1     FastEthernet0
    xxxx.xxxx.xxxx       Self          1     Vlan1

    ODD: there is no MAC address for the connected FastEthernet4. How come? I changed 3 cables. All cables are OK.

    cisco861#show ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           + - replicated route, % - next hop override

    Gateway of last resort is 89.45.204.117 to network 0.0.0.0

    S*    0.0.0.0/0 [1/0] via 89.45.204.117
          10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        10.11.12.0/24 is directly connected, Vlan1
    L        10.11.12.1/32 is directly connected, Vlan1
          89.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        89.45.204.117/29 is directly connected, FastEthernet4
    L        89.45.204.118/32 is directly connected, FastEthernet4

    cisco861#show interfaces FastEthernet4
    FastEthernet4 is up, line protocol is up
      Hardware is PQII_PRO_UEC, address is xxxx.xxxx.xxxx (bia xxxx.xxxx.xxxx)
      Description: external$ETH-LAN$
      Internet address is 89.45.204.118/29
      MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 100Mb/s, 100BaseTX/FX
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:02:54, output 00:00:00, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         28 packets input, 3909 bytes
         Received 14 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog
         0 input packets with dribble condition detected
         110 packets output, 25366 bytes, 0 underruns
         0 output errors, 0 collisions, 3 interface resets
         0 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         1 lost carrier, 0 no carrier
         0 output buffer failures, 0 output buffers swapped out

    cisco861#show interfaces Vlan1
    Vlan1 is up, line protocol is up
      Hardware is EtherSVI, address is xxxx.xxxx.xxxx (bia xxxx.xxxx.xxxx)
      Description: $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
      Internet address is 10.11.12.1/24
      MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive not supported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:06, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         512 packets input, 53381 bytes, 0 no buffer
         Received 185 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         180 packets output, 13248 bytes, 0 underruns
         0 output errors, 1 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out

    Also, I tried other combinations, as follows:

    1. ip route static inter-vrf
    2. ip default-gateway 89.45.204.117 (of course combined with no ip routing). I can ping 8.8.8.8 in this scenario, but not other IP addresses. WTF?
    3. ip default-network 89.45.204.117 (the gateway) - nothing
    4. ip default-network 89.45.204.118 - nothing
    5. ip route 0.0.0.0 0.0.0.0 FastEthernet4 (with or without 89.45.204.117, with or without the permanent keyword)

    Please, have mercy and help me.

    P.S. I've also attached the configuration and troubleshooting files if it is easier for you to follow them that way.

    A big thank you and God bless you!

    Hello

    ip nat inside source static 10.11.12.33 89.45.204.120 (host-to-host)

    ip nat inside source static tcp 10.11.12.33 80 89.45.204.120 80 (host-to-host port translation)

    Regards

    Paul

    Please don't forget to rate this post if it has been helpful.

  • Static PAT in conflict with nat/global

    I seem to have a problem because of a conflict between a static PAT and the nat/global pool.

    I have a config with the following statics and ACL. (192.168.10.2 and 192.168.10.3 are two addresses on the same adapter on the same server.)

    static (dmz,outside) tcp 212.xx.xx.4 www 192.168.10.2 5080 netmask 255.255.255.255 0 0
    static (dmz,outside) 212.xx.xx.5 192.168.10.3 netmask 255.255.255.255 0 0

    access-list 100 line 7 permit tcp any host 212.xx.xx.4 eq www
    access-list 100 line 8 permit tcp any host 212.xx.xx.5 eq ftp
    access-list 100 line 9 permit tcp any host 212.xx.xx.5 eq ftp-data

    With this new configuration, when I issue "clear xlate" I can use the web site and the FTP site from outside.

    However, as soon as the server (192.6.12.2/3) connects to the internet, the static PAT stops working:

    static (dmz,outside) tcp 212.xx.xx.4 www 192.168.10.2 5080 netmask 255.255.255.255 0 0

    Interestingly, the individual static (ftp) continues to work.

    If I do a "show xlate" it lists "Global 212.xx.xx.22 Local 192.168.10.2". That's probably why it does not work, as it takes an address from the global pool and no longer uses 212.xx.xx.4. I don't know why this conflict happens? Any help much appreciated.

    Dan

    Hello Dan,

    Please mark this case as resolved so that it might help others. Rate the response(s) if you found them useful.

    Thank you

  • Cannot access static NAT address via VPN

    I have an ASA 5510 where I have
    a static NAT from one interface to the other.

    I also have a VPN connection to the ASA...

    On the other side of the VPN connection, I cannot access this static NAT.

    192.168.170.x is the VPN network.

    Is it not possible to access the static NAT over the VPN?

    object-group network DM_INLINE_NETWORK_16
     network-object 192.168.0.0 255.255.255.0
     network-object vxtron 255.255.255.0
     network-object dmz_zone 255.255.255.0
     network-object 192.168.170.0 255.255.255.0

    access-list MPLS_nat0_outbound extended deny ip host 172.26.1.5 any
    access-list MPLS_nat0_outbound extended permit ip 172.26.0.0 255.255.252.0 object-group DM_INLINE_NETWORK_16

    access-list pnat1 extended permit ip host 172.26.1.5 any

    static (MPLS,inside) 192.168.0.199 access-list pnat1

    nat (MPLS) 0 access-list MPLS_nat0_outbound
    nat (MPLS) 1 172.26.0.0 255.255.252.0
    static (MPLS,inside) 172.26.1.5 access-list MPLS_nat_static

    René, glad you sorted this one out yourself! If you could, please mark the post as solved so that we know it needs no more attention.

  • PhoneListener cannot access public static vars initialized in the main thread

    Using the emulator (SDK 4.7, phone model 9500)

    I have a PhoneListener class defined and registered, and it gets the phone events without any problems. The trouble is that every public static var that is initialized in the main thread is always null when examined in the context of the PhoneListener callback thread; when examined in the main thread or a thread it spawned, they are set.

    I guess since the PhoneListener callbacks are called from a system thread, it cannot access my application's stack - does that seem correct? Is there any way around this?

    I tried Application.getApplication().invokeLater(...), but any Runnable submitted from the PhoneListener callback suffers from the same problem.

    Thanks - Lindsay

    Exactly, that's what I was wondering - I found the answer under PhoneListener in the MIDlet docs. Now I store my UiApplication object in the RuntimeStore and access it from the PhoneListener to push objects onto my main application via invokeLater.

    Thank you

    Lindsay

  • Static NAT 10.140.2.0 to 10.240.2.0 via VPN

    I need help to set up a static NAT between our site and a vendor.

    Our site has a subnet, 10.140.2.0/24, that the vendor uses for something else.  They asked that we NAT 10.140.2.0/24 to 10.240.2.0/24 over the VPN, so they will see 10.140 as 10.240. Any help is appreciated. I think the crypto map ACL must be adjusted as well; we run version 8.2.

    LOCAL SITE - ASA - VPN TUNNEL - ASA - VENDOR SITE

    Thanks in advance

    Hello Bbftijari,

    In this case it depends on the ASA version, but you will need to configure it this way:

    Pre-8.3

    1. Create object groups for use in the ACL:

    object-group network LOCAL_SITE
     network-object 10.140.2.0 255.255.255.0

    object-group network Vendor_SITE
     network-object XXXXXX XXXXXX

    2. Create the ACL, as the condition:

    access-list VPN_NAT extended permit ip object-group LOCAL_SITE object-group Vendor_SITE

    3. Create the static NAT calling the ACL, so it says "when I go from inside to outside, from LOCAL_SITE to Vendor_SITE, I will translate to 10.240.2.0/24":

    static (inside,outside) 10.240.2.0 access-list VPN_NAT netmask 255.255.255.0

    --------------------------------------------------------------------------------------------------------------------------------

    Post-8.3

    1. Create the network objects and create a static entry:

    object-group network LOCAL_SITE
     network-object 10.140.2.0 255.255.255.0

    object-group network NAT_SITE
     network-object 10.240.2.0 255.255.255.0

    object-group network Vendor_SITE
     network-object XXXXXX XXXXXX

    2. Create the static NAT:

    nat (inside,outside) 1 source static LOCAL_SITE NAT_SITE destination static Vendor_SITE Vendor_SITE no-proxy-arp route-lookup

    Test and keep me posted.

    Please rate and mark it as the correct answer if it helped you.

    David Castro,

  • Difference between nat 0 and static

    Hello

    I have a question about the difference between the 'nat 0' command and the 'static' command.

    Let's say I have an internal host with address A.B.C.D. It is a public (not private) address. I want internet hosts to access this internal host A.B.C.D. Given that the IP address is a public address I don't need any translation (I can do it, but it is not necessary).

    Now I can use two different commands to provide outbound access:

    nat (inside) 0 A.B.C.D 255.255.255.255

    or

    static (inside,outside) A.B.C.D A.B.C.D netmask 255.255.255.255

    Which of the two commands should I use, and why that one?

    (I know that to allow inbound access I need a conduit or an access list, but that isn't my question for now)

    Kind regards

    Tom

    nat 0 takes two forms, as follows:

    nat (inside) 0 access-list xxx

    nat (inside) 0 a.b.c.d 255.255.255.255

    The "access-list" form works just like a static, but bypasses the NAT function altogether. If you specify something like:

    access-list 101 permit ip any host 192.168.1.9
    nat (inside) 0 access-list 101

    then everyone on the outside will be able to create a connection to this inside host.

    The second form of the command, specifying the inside address, bypasses the NAT service but requires that the inside host make an outbound connection BEFORE anyone outside will be able to establish a connection to it. It is similar to the 'access-list' form, but requires an outgoing connection first, and then anyone can come in.

    In your example, you would establish an outbound connection from 192.168.1.9 first, then you would be able to get in to it. Personally, I prefer to do it this way:

    static (inside,outside) 192.168.1.9 192.168.1.9 netmask 255.255.255.255

    For me, it's just easier to read this way.

  • Outside to DMZ: nat/global or static?

    Hello!

    I'm trying to implement a static translation from outside my network into the DMZ. I tried with nat/global and with static, but failed with both. The problem is that packets go to the servers in the DMZ but nothing is returned to the sender. Also, when I try to access a web server in the DMZ I get a SYN timeout.

    The traffic from my local LAN (inside) to the DMZ works as it should, however.

    --- Important conf --->

    access-list OUT extended permit ip any any

    global (dmz) 12 interface

    nat (outside) 12 access-list OUT outside

    access-group OUT in interface outside

    no nat-control

    --- more information --->

    inside - security level 100, IP 10.0.13.1

    dmz - security level 50, IP 172.16.13.1

    outside - security level 0, IP 192.168.13.2

    bastionhost = web server

    --- show nat --->

    Policy NAT outside interface:

    match ip outside any dmz any

    dynamic translation to pool 12 (172.16.13.1 [Interface PAT])

    translate_hits = 2, untranslate_hits = 0

    When I used static instead of nat/global, I got as many untranslate_hits as packets I sent to the servers in the DMZ.

    --- Debug --->

    Built dynamic TCP translation from outside:192.168.13.5/1316 to dmz(OUT):172.16.13.1/1028

    Built inbound TCP connection 469 for outside:192.168.13.5/1316 (172.16.13.1/1028) to dmz:bastionhost/80 (bastionhost/80)

    Teardown dynamic TCP translation from outside:192.168.13.5/1317 to dmz(OUT):172.16.13.1/1029 duration 0:00:39

    Teardown TCP connection 473 for outside:192.168.13.5/1318 to dmz:bastionhost/80 duration 0:00:30 bytes 0 SYN Timeout

    Thank you.

    Your following config is fine; your bastionhost here maps to a public IP address, which will allow access to the server from the internet as well.

    access-list WEB extended permit icmp any any --> add this to test reachability of bastionhost from outside / the internet and remove it later.

    access-list WEB extended permit ip any host 192.168.14.5 --> or add 'eq www' to specify the port.

    static (dmz,outside) tcp 192.168.14.5 www bastionhost www netmask 255.255.255.255

    access-group WEB in interface outside

    You can omit the next part, which is only meant to allow bastionhost internet access, not to allow users to access it.

    global (outside) 1 192.168.14.5

    nat (dmz) 1 bastionhost 255.255.255.255

    BTW, what does the routing table look like?

  • Static NAT with route-map to exclude VPN

    We have problems accessing certain statically NATted IPs via a VPN.  After some research, we learned that you have to exclude traffic destined for the VPN from the static NAT using a route-map. So we did this:

    10.1.1.x is the VPN IP pool.

    access-list 130 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 130 permit ip 192.168.1.0 0.0.0.255 any

    route-map sheep permit 10
     match ip address 130

    ip nat inside source static 192.168.1.5 1.1.1.1 route-map sheep

    The above worked to fix the VPN, but the IP 192.168.1.5 is no longer publicly available via 1.1.1.1.  What seems to happen is that the static NAT is not really working and this IP address is NATted with the PAT IP.

    Any ideas on how to get this to work?

    Thank you
    Diego

    Hello

    The following example details exactly your case:

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094634.shtml

    Try replacing the 192.168.1.0 subnet with the host address.

    It should work

    HTH

    Laurent.

  • Access list problem

    Hello, I have a problem with PIX Firewall version 6.0(1). The problem is:

    I have a PIX with 3 interfaces: inside, outside and dmz.

    ip address outside x.x.x.2 255.255.255.248
    ip address inside 200.115.10.10 255.255.255.0
    ip address dmz 192.168.6.28 255.255.255.0

    I need to make an ACL where only 3 PCs inside can access a server installed in the DMZ with a public IP, but the ACL is not working.

    Here is the ACL, but I changed the IP addresses.

    access-list 108 permit ip 200.115.10.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list 108 permit ip 200.115.10.0 255.255.255.0 200.105.10.0 255.255.255.0
    access-list 108 permit ip 200.115.10.0 255.255.255.0 200.105.20.0 255.255.255.0
    access-list 108 permit ip 200.115.10.0 255.255.255.0 200.105.30.0 255.255.255.0
    access-list 88 permit ip 200.115.10.0 255.255.255.0 200.105.10.0 255.255.255.0
    access-list 88 permit ip 200.115.10.0 255.255.255.0 200.105.20.0 255.255.255.0
    access-list 88 permit ip 200.115.10.0 255.255.255.0 200.105.30.0 255.255.255.0
    pager lines 24
    logging on
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside x.x.x.2 255.255.255.248
    ip address inside 200.115.10.10 255.255.255.0
    ip address dmz 192.168.6.28 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool test 172.16.1.1-172.16.1.254
    no failover
    failover timeout 0:00:00
    failover poll 15
    failover ip address outside 0.0.0.0
    failover ip address inside 0.0.0.0
    failover ip address dmz 0.0.0.0
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (dmz) 1 192.168.6.10
    nat (inside) 0 access-list 108
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
    alias (inside) x.x.x.5 192.168.6.30 255.255.255.255
    static (inside,outside) x.x.x.6 10.10.70.1 netmask 255.255.255.255 0 0
    static (inside,outside) x.x.x.4 200.115.10.16 netmask 255.255.255.255 0 0
    static (dmz,outside) x.x.x.5 192.168.6.30 netmask 255.255.255.255 0 0
    conduit permit tcp host x.x.x.6 eq lotusnotes any
    conduit permit tcp host 2x.x.x.4 eq www any
    conduit permit tcp host x.x.x.4 eq lotusnotes any
    conduit permit tcp host x.x.x.5 eq www any
    conduit permit tcp host x.x.x.5 eq domain any
    conduit permit icmp any any
    conduit permit tcp host x.x.x.5 eq https any
    conduit permit tcp host 2x.x.x.5 eq 21010 any

    The public IP address I need to access from the inside is x.x.x.5

    Hello

    The ACL you provided will always behave the same as when you shorten it to this:

    access-list 110 deny tcp host 200.115.10.0 host x.x.x.5
    access-group 110 in interface inside

    (it wouldn't work well, because the host 200.115.10.0 *note the zero* probably does not exist)

    Assuming that your dmz has a lower security level than your inside interface, you must remember that if packets go from the higher to the lower security level the PIX performs the following operations:

    (1) if it is an existing flow, let the packet through

    (2) if it is not an existing flow, check the ACL

    (3) if the ACL denies, drop the packet; if the ACL permits, let the packet through

    (4) if there is no ACL at all, let the packet through (since it is high to low security level)

    But I guess that this is not what you want to achieve.

    I think you need something like this:

    access-list 110 permit tcp host 200.115.10.40 host x.x.x.5 eq www
    access-list 110 permit tcp host 200.115.10.41 host x.x.x.5 eq www
    access-list 110 permit tcp host 200.115.10.42 host x.x.x.5 eq www
    access-list 110 deny ip 200.115.10.0 255.255.255.0 x.x.x.0 255.255.255.0
    (assuming that you have a 24-bit subnet on your dmz)
    access-list 110 permit ip any any
    access-group 110 in interface inside

    This will allow three internal hosts to access the server x.x.x.5 in your dmz with HTTP, deny anyone else on the 200.115.10.0/24 subnet access to the dmz, and allow traffic to everything else outside.

    I hope this helps.

    Kind regards

    Leo
