PIX question Policy NAT - quite urgent -

Posted by AM on March 11, 2005, 4:35 pm
I am over the same question.
The reference is the following article

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1113601

section Policy NAT

What does it mean that an access list for policy NAT cannot have DENY statements?

I thought to create two complementary ACLs for a pool of addresses and ports and for the rest of the world using DENY statements, but the specifications don't allow me to do that.

Perhaps the nat ids become important; I mean, do they represent the order in which the ACLs are processed?

Briefly, I have built a VPN to a remote site, say VPN_remote_IP; I have 2 interfaces on the Internet with 2 IPs, 4_Internet IP and VPN__IP. I have published the mail server on the outside interface (packets coming from and going to it pass through the outside interface).

Following the article suggestions I wish to create

access-list 2VPN-Endpoints permit tcp 192.168.4.0 255.255.255.0 VPN_remote_IP 255.255.255.255 eq 500
access-list 2VPN-Endpoints permit tcp 192.168.4.0 255.255.255.0 VPN_remote_IP 255.255.255.255 eq 4500
access-list 2VPN-Endpoints permit tcp 192.168.4.0 255.255.255.0 VPN_remote_IP 255.255.255.255 eq 5000

access-list 2WEB permit ip 192.168.4.0 255.255.255.0 0.0.0.0 0.0.0.0

and applying them in the following order

nat (inside) 1 access-list 2VPN-Endpoints
nat (inside) 2 access-list 2WEB

global (outside) 1 <1 1st public IP> 255.255.255.255
global (outside) 2 <2 2nd public IP> 255.255.255.255


The question is:

as told above, is it correct, or do nat id numbers have a priority meaning, so that putting the 2VPNendpoint at the top of the translation process lets the IPsec packets be translated by the 1st IP and all of the rest of the packets by the 2nd IP? I don't need a deny statement at the bottom of the 1st access list, do I?

The article doesn't talk about a PIX with 2 interfaces on the Internet side.
What is your opinion?
Any comments are welcome,

Alex.


Posted by Walter Roberson on March 11, 2005, 6:17 pm
:What does it mean that an access list for policy NAT cannot have DENY statements?

Just that -- they don't allow deny statements in those ACLs.


:I thought to create two complementary ACLs for a pool of addresses and ports and for the rest of the world using DENY statements, but the specifications don't allow me to do that.

:Perhaps the nat ids become important; I mean, do they represent the order in which the ACLs are processed?

No, the nat id's have *no* significance other than the special value 0 and the fact that they act as groupings. No prioritization of any sort is implied.

Policy nat is matched "in order, until the first match". That means literally in the order that the nat statements occur in your configuration.


:Following the article suggestions I wish create

:and applying them in the following order

:nat (inside) 1 access-list 2VPN-Endpoints
:nat (inside) 2 access-list 2WEB

:The question is:

:as told above, is it correct, or do nat id numbers have a priority meaning, so that putting the 2VPNendpoint at the top of the translation process lets the IPsec packets be translated by the 1st IP and all of the rest of the packets by the 2nd IP? I don't need a deny statement at the bottom of the 1st access list, do I?

No prioritization by nat id (but nat 0 access-list is always first): 2VPN-Endpoints will be used first because that's the first one in your configuration. If you had

nat (inside) 2 access-list 2WEB
nat (inside) 1 access-list 2VPN-Endpoints

then 2WEB would be evaluated first because that would be the first one in the configuration.
--
"No one has the right to destroy another person's belief by
demanding empirical evidence." -- Ann Landers


Posted by AM on March 15, 2005, 8:15 am
Walter Roberson wrote:
> :What does it mean that an access list for policy NAT cannot have DENY statements?
>
> Just that -- they don't allow deny statements in those ACLs.
>
>
> :I thought to create two complementary ACLs for a pool of addresses and ports and for the rest of the world using DENY statements, but the specifications don't allow me to do that.
>
> :Perhaps the nat ids become important; I mean, do they represent the order in which the ACLs are processed?
>
> No, the nat id's have *no* significance other than the special value 0 and the fact that they act as groupings.
> No prioritization of any sort is implied.
>
> Policy nat is matched "in order, until the first match". That means literally in the order that the nat statements occur in your configuration.
>
>
> :Following the article suggestions I wish to create
>
> :and applying them in the following order
>
> :nat (inside) 1 access-list 2VPN-Endpoints
> :nat (inside) 2 access-list 2WEB
>
> :The question is:
>
> :as told above, is it correct, or do nat id numbers have a priority meaning, so that putting the 2VPNendpoint at the top of the translation process lets the IPsec packets be translated by the 1st IP and all of the rest of the packets by the 2nd IP? I don't need a deny statement at the bottom of the 1st access list, do I?
>
> No prioritization by nat id (but nat 0 access-list is always first): 2VPN-Endpoints will be used first because that's the first one in your configuration. If you had
>
> nat (inside) 2 access-list 2WEB
> nat (inside) 1 access-list 2VPN-Endpoints
>
> then 2WEB would be evaluated first because that would be the first one in the configuration.

Thanks Walter, but how to invert, or better, how to specify the order for nat? I haven't tried yet, but can I specify the line as in the commands for access-lists? I will try, but if you know please let me know. Thanks,

Alex.


Posted by AM on March 15, 2005, 8:25 am
AM wrote:


> Thanks Walter, but how to invert, or better, how to specify order for
> nat. I haven't tried still now but can I specify the line as in commands
> for access-lists? I will try, but if you know please let me know. Thanks,
>
> Alex.

Perhaps removing all NATs and inserting new ones in wanted order? :)

Alex.


Posted by Walter Roberson on March 15, 2005, 8:42 am
:AM wrote:
:> Thanks Walter, but how to invert, or better, how to specify order for
:> nat. I haven't tried still now but can I specify the line as in commands
:> for access-lists? I will try, but if you know please let me know. Thanks,

:Perhaps removing all NATs and inserting new ones in wanted order? :)

Exactly. Either that or redefine the meaning of the access-lists ;-)
--
"[...] it's all part of one's right to be publicly stupid." -- Dave Smey
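The two points Walter makes in this thread, that policy NAT statements are walked in configuration order until the first match (with nat 0 always consulted first, and the nat id otherwise meaning nothing but a grouping), and that the only way to reorder them is to remove the nat statements and re-enter them in the wanted order, can be checked against a small model. The following is an added example written for this thread, not Cisco's implementation and not code from either poster; it parses the PIX-style access-list and nat lines as posted, with 203.0.113.10 as a constructed stand-in for VPN_remote_IP, and ignores ESP/AH, global pools and xlate state.

```python
"""Simplified model of PIX policy NAT selection (added example, not Cisco code).

Rules modelled, as stated in the thread: policy NAT ACLs may only contain
permit entries; nat statements are tried in configuration order, first match
wins; a 'nat 0 access-list' entry is consulted before all others; the numeric
nat id carries no priority.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One permit entry of a policy NAT access list."""
    proto: str                      # 'ip', 'tcp' or 'udp'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None means any destination port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.ip_address(src) not in self.src:
            return False
        if ipaddress.ip_address(dst) not in self.dst:
            return False
        return self.dport is None or self.dport == dport


def _addr(tokens):
    """Consume one PIX address spec: 'any', 'host A' or 'A MASK' (subnet mask, not wildcard)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1]), tokens[2:]
    return ipaddress.IPv4Network((tokens[0], tokens[1]), strict=False), tokens[2:]


def parse_config(lines):
    """Return (acls, nats): ACL name -> [Ace], and [(nat_id, acl_name)] in config order."""
    acls, nats = {}, []
    for line in lines:
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            name, action, proto = t[1], t[2], t[3]
            if action != "permit":          # the restriction the thread asks about
                raise ValueError("policy NAT ACLs cannot contain deny entries: " + line)
            src, rest = _addr(t[4:])
            dst, rest = _addr(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
            acls.setdefault(name, []).append(Ace(proto, src, dst, dport))
        elif t[0] == "nat" and t[3] == "access-list":
            nats.append((int(t[2]), t[4]))  # global lines are ignored by this model
    return acls, nats


def select_nat(acls, nats, proto, src, dst, dport=None):
    """First-match walk: nat 0 entries first, then the rest in configuration order."""
    ordered = [n for n in nats if n[0] == 0] + [n for n in nats if n[0] != 0]
    for nat_id, acl_name in ordered:
        if any(ace.matches(proto, src, dst, dport) for ace in acls[acl_name]):
            return nat_id
    return None


VPN_REMOTE_IP = "203.0.113.10"      # constructed stand-in for the thread's VPN_remote_IP
POSTED_ORDER = [                    # the configuration exactly as posted, placeholder substituted
    f"access-list 2VPN-Endpoints permit tcp 192.168.4.0 255.255.255.0 {VPN_REMOTE_IP} 255.255.255.255 eq 500",
    f"access-list 2VPN-Endpoints permit tcp 192.168.4.0 255.255.255.0 {VPN_REMOTE_IP} 255.255.255.255 eq 4500",
    f"access-list 2VPN-Endpoints permit tcp 192.168.4.0 255.255.255.0 {VPN_REMOTE_IP} 255.255.255.255 eq 5000",
    "access-list 2WEB permit ip 192.168.4.0 255.255.255.0 0.0.0.0 0.0.0.0",
    "nat (inside) 1 access-list 2VPN-Endpoints",
    "nat (inside) 2 access-list 2WEB",
]


def demo():
    """Which nat id a few constructed packets from 192.168.4.10 land on."""
    acls, nats = parse_config(POSTED_ORDER)
    host = "192.168.4.10"
    return {
        "vpn_posted": select_nat(acls, nats, "tcp", host, VPN_REMOTE_IP, 500),        # 1
        "web_posted": select_nat(acls, nats, "tcp", host, "198.51.100.5", 80),        # 2
        "vpn_swapped": select_nat(acls, nats[::-1], "tcp", host, VPN_REMOTE_IP, 500), # 2: 2WEB now first
        "udp500_posted": select_nat(acls, nats, "udp", host, VPN_REMOTE_IP, 500),     # 2: ACEs are tcp
    }


def demo_nat0():
    """A nat 0 access-list entered last is still consulted first."""
    lines = POSTED_ORDER + [
        f"access-list NONAT permit ip 192.168.4.0 255.255.255.0 {VPN_REMOTE_IP} 255.255.255.255",
        "nat (inside) 0 access-list NONAT",
    ]
    acls, nats = parse_config(lines)
    return select_nat(acls, nats, "tcp", "192.168.4.10", VPN_REMOTE_IP, 500)         # 0


def rejects_deny(line):
    """True if the parser refuses a deny entry, as the PIX does for policy NAT ACLs."""
    try:
        parse_config([line])
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(demo(), demo_nat0(), rejects_deny("access-list X deny ip any any"))
```

The "vpn_swapped" case reproduces Walter's point by reversing the list of nat statements, which is what re-entering them in a different order achieves on the box: because 2WEB permits everything from 192.168.4.0/24, once it comes first nothing ever reaches 2VPN-Endpoints, so no deny entry is needed (or allowed) in the first list. The "udp500_posted" case is a caveat worth checking on a real config: the ACEs as posted say tcp, and IKE and NAT-T run over UDP 500 and 4500, so a UDP packet to those ports falls through to 2WEB in this model.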

