NAT order help

Hi,

access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1
static (inside,outside) 1.1.1.2 access-list rule1 0 0
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

Please tell me which statement will take precedence - policy NAT or static NAT.

Regards,
Siva
Re: NAT order help

static

On Nov 6, 2007 5:32 AM, sivakumar <siva_itech@...> wrote:
> access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1
> static (inside,outside) 1.1.1.2 access-list rule1 0 0
> static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
>
> Please tell me which statement will take precedence - policy NAT or static NAT.
>
> View this message in context: http://www.nabble.com/NAT-order-help-tf4737610.html#a13548213
> Sent from the Firewall Wizards mailing list archive at Nabble.com.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@...
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Re: NAT order help

sivakumar

first, AFAIK they are not in conflict since the translate-from address is different (10.0.0.0 != 1.1.1.2), so the order is irrelevant (?)

second, I think they are processed in order

google for "cisco pix command reference" and follow the links to your pix version - I looked at
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1202525
for ASA 7.2

HTH,
Avishai

--
Avishai Wool, Ph.D., Co-founder and Chief Technical Officer
http://www.algosec.com
******* Firewall Management Made Smarter ******
Re: NAT order help

> first, AFAIK they are not in conflict since the translate-from
> address is different (10.0.0.0 != 1.1.1.2), so the order is irrelevant (?)

They are. The access list for static PAT stipulates the 10 net just as the static NAT does. Static NAT wins over static PAT.

> second, I think they are processed in order

You are thinking as if it's an access list (permit or deny), but it works more like routing, where the more specific statement wins if they are the same type of translation. Since they aren't, and one is static NAT, then it has more precedence.

NOTE: I haven't worked on the ASA, just a lot with the PIX, but it should be the same (maybe not, so please go to CCO to verify). If you have a lab, the best way to learn is to just test it out if unsure.

The order of operation for the PIX (which should be the same for the ASA since I believe they use the same code base) is as follows:

Order of NAT Commands Used to Match Local Addresses (I could only find this for PIX 6.3, so it could possibly have changed since then)

The firewall matches local traffic to NAT commands in the following order:

1. nat 0 access-list (NAT exemption)—In order, until the first match. For example, you could have overlapping local/destination addresses in multiple nat commands, but only the first command is matched.

2. static (static NAT)—In order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.

3. static {tcp | udp} (static PAT)—In order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.

4. nat nat_id access-list (policy NAT)—In order, until the first match. For example, you could have overlapping local/destination ports and addresses in multiple nat commands, but only the first command is matched.

5. nat (regular NAT)—Best match. The order of the nat commands does not matter. The nat statement that best matches the local traffic is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you also create a statement to translate only 10.1.1.1, when 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the local traffic best.
Re: NAT order help

On 11/9/07, kevin horvath <kevin.horvath@...> wrote:
> > first, AFAIK they are not in conflict since the translate-from
> > address is different (10.0.0.0 != 1.1.1.2), so the order is irrelevant (?)
>
> they are. the access list for static pat stipulates the 10 net just
> as the static nat. Static nat wins over static pat.

well, actually, according to the cisco jargon at
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1202525
these are BOTH "static nat" - the 2nd one is regular old static nat and the 1st, with the access-list, is called "policy nat". to qualify for the term "static pat" you would need the extra "tcp" or "udp" keyword just after the (inside,outside).

> > second, I think they are processed in order
>
> You are thinking as if it's an access list (permit or deny) but it
> works more like routing where the more specific statement wins if they
> are the same type of translation. Since they aren't and one is static
> nat then it has more precedence.

[snip - they are both the same type so I think the nat precedence rules you listed are not too relevant]

I still say the statements seem non-conflicting, because the "mapped_ip" [the IP address right after the (inside,outside)] is different. Reading the Cisco docs, my understanding is that if a packet comes into the PIX with an ip.destination of "mapped_ip" (or in the "mapped_ip" subnet) then the pix translates that ip.destination to what the "static" command tells it to - namely the "real_ip" in regular static nat. in sivakumar's example the mapped_ip is 1.1.1.2 in the 1st static, and 10.0.0.0 in the 2nd, so there is no conflict. Am I wrong?

However, I am confused about one thing in the policy nat. here is the example:

access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1
static (inside,outside) 1.1.1.2 access-list rule1 0 0

instead of just a real_ip subnet (as in the regular static), the access-list in fact has a subnet in the source field (10.0.0.0/8) and ANOTHER subnet in the destination field (1.1.1.1/32)... so when a packet comes into the PIX with ip.dest=1.1.1.2, how is it translated? using the source (10.0.0.0) or the destination (1.1.1.1) in the ACL? moreover, let's assume that the translate-to ip is the ACL's destination (1.1.1.1 in this example) - what does the OTHER (source) field do?

Can any PIX mavens out there shed some light? PIXes are so weird.

Avishai

--
Avishai Wool, Ph.D., Co-founder and Chief Technical Officer
http://www.algosec.com
******* Firewall Management Made Smarter ******
Re: NAT order help

Regards,
Siva
Re: NAT order help

to clarify,

Traffic initiated from the inside (10 net) will map to itself (identity NAT), unless it is TCP traffic destined for 1.1.1.1; then it will map to 1.1.1.2.

Traffic initiated from the outside to the inside will not matter, since this is where there is no overlapping as in the above scenario. Here traffic destined for 10.x will be translated to itself. The policy NAT in this scenario does not allow traffic initiated from a lower security interface to a higher security interface, as that can only be done via NAT exemption, identity NAT, or static NAT/PAT. I think this is where the confusion was. Only local traffic can be translated with policy NAT (thanks for catching my typo above), not global.

hope this clarifies things.

Kevin
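The matching order Kevin quoted, Avishai's question about which ACL field the policy static uses, and Kevin's clarification can all be checked against a small model. The Python below is an added example written for this thread, not code from the list or from Cisco: it walks the five NAT categories in the order given (first match for exemption, static, static PAT and policy NAT; best/longest-prefix match for regular nat), matches a policy statement on both the ACL source and destination, and translates the source (local) address. The one assumption it makes, flagged in a comment, is that within the static category the two statements from the original post are tried in the order they were listed, so the policy static (listed first) wins for TCP to 1.1.1.1 and everything else falls through to the identity static, which is the behaviour Kevin describes. The `best_match_config` statements and the 10.5.5.5 / 8.8.8.8 packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    """A packet seen on the inside (higher-security) interface."""
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


@dataclass
class Acl:
    """One 'access-list ... permit <proto> <src> <dst> [eq <port>]' entry."""
    proto: str                      # "ip", "tcp" or "udp"
    src: str                        # real (local) addresses, CIDR
    dst: str                        # destination addresses, CIDR
    dport: Optional[int] = None     # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        # Policy NAT matches on BOTH fields of the ACL; the source field is the
        # address that gets translated, the destination field only qualifies it.
        return (self.proto in ("ip", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class NatRule:
    kind: str                    # one of CATEGORY_ORDER
    real: str                    # real/local addresses, CIDR
    mapped: str                  # mapped address or CIDR
    acl: Optional[Acl] = None    # policy statements match on an ACL instead of `real`
    proto: Optional[str] = None  # static PAT only ("tcp"/"udp")
    text: str = ""               # the CLI line this models, for readability


# Categories in the order the PIX 6.3 / ASA 7.x documentation quoted above gives.
CATEGORY_ORDER = ("nat0_acl", "static", "static_pat", "policy_nat", "nat")


def lookup(rules, pkt: Packet) -> Optional[NatRule]:
    """Return the NatRule that wins for pkt, or None if nothing matches."""
    src = ipaddress.ip_address(pkt.src)
    for kind in CATEGORY_ORDER:
        candidates = [r for r in rules if r.kind == kind]
        if kind == "nat":
            # Regular NAT: best (longest-prefix) match; config order is irrelevant.
            hits = [r for r in candidates if src in ipaddress.ip_network(r.real)]
            if hits:
                return max(hits, key=lambda r: ipaddress.ip_network(r.real).prefixlen)
            continue
        # Every other category: first match in configuration order.
        for r in candidates:
            if r.acl is not None:
                if r.acl.matches(pkt):
                    return r
            elif src in ipaddress.ip_network(r.real) and r.proto in (None, pkt.proto):
                return r
    return None


def translate_source(rules, pkt: Packet) -> Optional[str]:
    """Mapped source address the firewall presents on the outside for pkt."""
    rule = lookup(rules, pkt)
    if rule is None:
        return None  # no xlate could be built; the PIX drops the packet
    mapped = ipaddress.ip_network(rule.mapped, strict=False)
    if mapped.num_addresses == 1:
        return str(mapped.network_address)  # host static (or many-to-one)
    # Net static / identity NAT: keep the host offset inside the mapped block.
    real = ipaddress.ip_network(rule.real, strict=False)
    offset = int(ipaddress.ip_address(pkt.src)) - int(real.network_address)
    return str(mapped.network_address + offset)


def siva_config():
    """The two statics from the original post. ASSUMPTION: tried in the order listed."""
    rule1 = Acl("tcp", "10.0.0.0/8", "1.1.1.1/32")
    return [
        NatRule("static", "10.0.0.0/8", "1.1.1.2", acl=rule1,
                text="static (inside,outside) 1.1.1.2 access-list rule1 0 0"),
        NatRule("static", "10.0.0.0/8", "10.0.0.0/8",
                text="static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0"),
    ]


def best_match_config():
    """Two overlapping regular nat statements (constructed to show best-match)."""
    return [
        NatRule("nat", "0.0.0.0/0", "1.1.1.2", text="nat (inside) 1 0.0.0.0 0.0.0.0"),
        NatRule("nat", "10.1.1.1/32", "1.1.1.3", text="nat (inside) 2 10.1.1.1 255.255.255.255"),
    ]


if __name__ == "__main__":
    cfg = siva_config()
    for pkt in (Packet("10.5.5.5", "1.1.1.1", "tcp", 80),
                Packet("10.5.5.5", "1.1.1.1", "udp", 53),
                Packet("10.5.5.5", "8.8.8.8", "tcp", 80)):
        print(f"{pkt.proto} {pkt.src} -> {pkt.dst}: source xlates to {translate_source(cfg, pkt)}")
    print("best match for 10.1.1.1:", lookup(best_match_config(), Packet("10.1.1.1", "8.8.8.8")).text)
```

Running it shows the split Kevin describes: only TCP from the 10 net to 1.1.1.1 leaves as 1.1.1.2, UDP to the same host and TCP to anything else keep their real address via the identity static, and a source outside 10/8 gets no xlate at all. Swap the two entries in `siva_config` and the policy static is never consulted, which is exactly why the ordering assumption matters and why testing on a lab box, as Kevin suggests, is the right way to settle it.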
Re: NAT order help

Hi,

Thanks for your reply. Is my rule for static PAT right, or do I need to specify TCP/UDP ports to do a PAT? Is it possible to translate multiple IPs from inside to a single IP outside using static? Please let me know, since I couldn't find anything in the Cisco docs describing a static PAT like that; rather, they perform redirection on ports.

Regards,
Siva
Re: NAT order help

If your intention is just to do regular PAT, where you have a block of internal addresses all translating out to one IP, then all you have to do is

# nat (inside) 1 10.0.0.0 255.0.0.0
# global (outside) 1 1.1.1.2

Now if you do this, then it will not allow traffic initiated from your outside interface (lower security) to your inside interface (higher security). If you need this, for example because you are hosting a web server that you want people on the internet to access, then you will have to do a static PAT (if you only have one IP to translate, that is). Otherwise you could just do a regular static NAT.
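Kevin's last point, that dynamic PAT lets the whole 10/8 block out through one global IP but gives outside hosts nothing to connect to unless a static is added, comes down to what is and is not in the xlate table. The following Python is an added illustration for this thread, not Cisco code and not anything posted to the list. It models the `nat (inside) 1 10.0.0.0 255.0.0.0` / `global (outside) 1 1.1.1.2` pair as a port-allocating table that only outbound connections can populate, and contrasts it with a static PAT entry for a hypothetical web server at 10.0.0.10 (an assumed address, as is the `static (inside,outside) tcp 1.1.1.2 80 10.0.0.10 80 netmask 255.255.255.255` line it stands for), which exists before any traffic flows. The model keys xlates on source address and port only and ignores the destination, which real PIX/ASA xlate handling does not; that simplification is deliberate.

```python
import ipaddress
import itertools
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


class DynamicPat:
    """Toy xlate table behind 'nat (inside) 1 <net>' + 'global (outside) 1 <ip>'.

    Constructed for illustration: one global IP, ports handed out sequentially,
    entries created by outbound traffic only.
    """

    def __init__(self, real_net: str, mapped_ip: str, first_port: int = 1024):
        self.real_net = ipaddress.ip_network(real_net)
        self.mapped_ip = mapped_ip
        self._ports = itertools.count(first_port)     # next free mapped port
        self._out: Dict[Endpoint, int] = {}           # (real_ip, real_port) -> mapped_port
        self._back: Dict[int, Endpoint] = {}          # mapped_port -> (real_ip, real_port)

    def outbound(self, real_ip: str, real_port: int) -> Optional[Endpoint]:
        """Inside host opens a connection: allocate (or reuse) a mapped port."""
        if ipaddress.ip_address(real_ip) not in self.real_net:
            return None  # not covered by the nat statement; no xlate built
        key = (real_ip, real_port)
        if key not in self._out:
            port = next(self._ports)
            self._out[key] = port
            self._back[port] = key
        return (self.mapped_ip, self._out[key])

    def inbound(self, mapped_ip: str, mapped_port: int) -> Optional[Endpoint]:
        """Outside host sends to the global IP: only an existing xlate lets it in."""
        if mapped_ip != self.mapped_ip:
            return None
        return self._back.get(mapped_port)  # None -> no xlate, packet dropped


# A static PAT entry, i.e. what Kevin says you need to host a server behind the
# single global IP. ASSUMED server address 10.0.0.10; key is (mapped_ip, proto, port).
STATIC_PAT: Dict[Tuple[str, str, int], Endpoint] = {
    ("1.1.1.2", "tcp", 80): ("10.0.0.10", 80),   # static (inside,outside) tcp 1.1.1.2 80 10.0.0.10 80 ...
}


def firewall_inbound(static_pats, dyn: DynamicPat, mapped_ip: str,
                     proto: str, mapped_port: int) -> Optional[Endpoint]:
    """Inbound lookup: static PAT entries first, then the dynamic xlate table."""
    hit = static_pats.get((mapped_ip, proto, mapped_port))
    if hit is not None:
        return hit
    return dyn.inbound(mapped_ip, mapped_port)


if __name__ == "__main__":
    pat = DynamicPat("10.0.0.0/8", "1.1.1.2")
    print("10.0.0.5:40000 out ->", pat.outbound("10.0.0.5", 40000))
    print("10.0.0.6:40000 out ->", pat.outbound("10.0.0.6", 40000))
    print("inbound 1.1.1.2:1025 ->", firewall_inbound(STATIC_PAT, pat, "1.1.1.2", "tcp", 1025))
    print("inbound 1.1.1.2:80   ->", firewall_inbound(STATIC_PAT, pat, "1.1.1.2", "tcp", 80))
    print("inbound 1.1.1.2:443  ->", firewall_inbound(STATIC_PAT, pat, "1.1.1.2", "tcp", 443))
```

Two inside hosts using the same source port get distinct mapped ports on 1.1.1.2, so the reply for each finds its way back; a connection arriving at 1.1.1.2:443 from outside finds no xlate and is dropped; only the static PAT entry for port 80 is reachable without prior outbound traffic. That is the whole difference between "many inside to one outside" and "outside can reach inside" that Siva was asking about.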