« Return to Thread: NAT order help
Re: NAT order help
by Avishai Wool-2
::
Rate this Message:
On 11/9/07, kevin horvath <kevin.horvath@...> wrote:
> > first, AFAIK they are not in conflict since the translate-from
> > address is different (10.0.0.0 != 1.1.1.2), so the order is irrelevant (?)
>
> they are. the access list for static pat stipulates the 10 net just
> as the static nat. Static nat wins over static pat.
well, actually, according to the cisco jargon at
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1202525
these are BOTH "static nat" - the 2nd one is regular old
static nat and the 1st, with the access-list, is called "policy nat".
to qualify for the term "static pat" you would need the extra "tcp" or "udp"
keyword just after the (inside,outside).
>
> >
> > second, I think they are processed in order
>
> You are thinking as if its an access list (permit or deny) but it
> works more like routing where the more specific statement wins if they
> are the same type of translation. Since they aren't and one is static
> nat then it has more precedence.
[snip - they are both the same type so I think the nat precedence
rules you listed
are not too relevant]
I still say the statements seem non-conflicting, because the "mapped_ip"
[the IP address right after the (inside,outside)] is different. Reading
the Cisco docs, my understanding is that if a packet comes into the PIX
with a ip.destination of "mapped_ip" (or in the "mapped_ip" subnet)
then the pix translates that ip.destination
to what the "static" command tells it to - namely the "real_ip" in
regular static nat.
in sivakumar's example. the mapped_ip is 1.1.1.2 in the 1st static,
and 10.0.0.0 in the 2nd, so there is no conflict. Am I wrong?
However, I am confused about one thing in the policy nat. here is the exaple:
access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1
static(inside,ouside) 1.1.1.2 access-list rule1 0 0
instead of just a real_ip subnet (as in the regular static),
the access-list in fact
has a subnet in the source field (10.0.0.0/8) and ANOTHER subnet in the
destination field (1.1.1.1/32)... so when a packet comes into the PIX
with ip.dest=1.1.1.2, how is it translated? using the source (10.0.0.0) or
the destination (1.1.1.1) in the ACL?
moreover, let's assume that the translate-to ip is the ACL's destination
(1.1.1.1 in this example) - what does the OTHER (source)
field do?
Can any PIX mavens out there shed some light?
PIXes are so weird.
Avishai
>
> >
> > On 11/6/07, sivakumar <siva_itech@...> wrote:
> > >
> > > Hi,
> > >
> > > access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1
> > >
> > > static(inside,ouside) 1.1.1.2 access-list rule1 0 0
> > > static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
> > >
> > > Please tell me which statement will take precedence - policy NAT ot Static
> > > NAT..
> > >
> > > --
> > > View this message in context: http://www.nabble.com/NAT-order-help-tf4737610.html#a13548213
> > > Sent from the Firewall Wizards mailing list archive at Nabble.com.
> > >
> > > _______________________________________________
> > > firewall-wizards mailing list
> > > firewall-wizards@...
> > > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> > >
> >
> >
> > --
> > Avishai Wool, Ph.D., Co-founder and Chief Technical Officer
> > http://www.algosec.com
> > ******* Firewall Management Made Smarter ******
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards@...
> > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> >
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@...
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
--
Avishai Wool, Ph.D., Co-founder and Chief Technical Officer
http://www.algosec.com
******* Firewall Management Made Smarter ******
_______________________________________________
firewall-wizards mailing list
firewall-wizards@...
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> > first, AFAIK they are not in conflict since the translate-from
> > address is different (10.0.0.0 != 1.1.1.2), so the order is irrelevant (?)
>
> they are. the access list for static pat stipulates the 10 net just
> as the static nat. Static nat wins over static pat.
well, actually, according to the cisco jargon at
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1202525
these are BOTH "static nat" - the 2nd one is regular old
static nat and the 1st, with the access-list, is called "policy nat".
to qualify for the term "static pat" you would need the extra "tcp" or "udp"
keyword just after the (inside,outside).
>
> >
> > second, I think they are processed in order
>
> You are thinking as if its an access list (permit or deny) but it
> works more like routing where the more specific statement wins if they
> are the same type of translation. Since they aren't and one is static
> nat then it has more precedence.
[snip - they are both the same type so I think the nat precedence
rules you listed
are not too relevant]
I still say the statements seem non-conflicting, because the "mapped_ip"
[the IP address right after the (inside,outside)] is different. Reading
the Cisco docs, my understanding is that if a packet comes into the PIX
with a ip.destination of "mapped_ip" (or in the "mapped_ip" subnet)
then the pix translates that ip.destination
to what the "static" command tells it to - namely the "real_ip" in
regular static nat.
in sivakumar's example. the mapped_ip is 1.1.1.2 in the 1st static,
and 10.0.0.0 in the 2nd, so there is no conflict. Am I wrong?
However, I am confused about one thing in the policy nat. here is the exaple:
access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1
static(inside,ouside) 1.1.1.2 access-list rule1 0 0
instead of just a real_ip subnet (as in the regular static),
the access-list in fact
has a subnet in the source field (10.0.0.0/8) and ANOTHER subnet in the
destination field (1.1.1.1/32)... so when a packet comes into the PIX
with ip.dest=1.1.1.2, how is it translated? using the source (10.0.0.0) or
the destination (1.1.1.1) in the ACL?
moreover, let's assume that the translate-to ip is the ACL's destination
(1.1.1.1 in this example) - what does the OTHER (source)
field do?
Can any PIX mavens out there shed some light?
PIXes are so weird.
Avishai
>
> >
> > On 11/6/07, sivakumar <siva_itech@...> wrote:
> > >
> > > Hi,
> > >
> > > access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1
> > >
> > > static(inside,ouside) 1.1.1.2 access-list rule1 0 0
> > > static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
> > >
> > > Please tell me which statement will take precedence - policy NAT ot Static
> > > NAT..
> > >
> > > --
> > > View this message in context: http://www.nabble.com/NAT-order-help-tf4737610.html#a13548213
> > > Sent from the Firewall Wizards mailing list archive at Nabble.com.
> > >
> > > _______________________________________________
> > > firewall-wizards mailing list
> > > firewall-wizards@...
> > > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> > >
> >
> >
> > --
> > Avishai Wool, Ph.D., Co-founder and Chief Technical Officer
> > http://www.algosec.com
> > ******* Firewall Management Made Smarter ******
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards@...
> > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> >
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@...
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
--
Avishai Wool, Ph.D., Co-founder and Chief Technical Officer
http://www.algosec.com
******* Firewall Management Made Smarter ******
_______________________________________________
firewall-wizards mailing list
firewall-wizards@...
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
« Return to Thread: NAT order help
| Free embeddable forum powered by Nabble | Forum Help |
