<> wrote in message
news: oups.com...
> Hi,
>
> I would like to secure an inbound access-list on a PIX 525 running
> software version 8.
>
> Hosts on the outside will connect to 3 servers on the inside for WWW.
>
> This will involve an explicit access rule and NAT.
>
> The servers are named and grouped:
>
> name 192.168.1.1 SERVER1
> name 192.168.1.2 SERVER2
> name 192.168.1.3 SERVER3
>
> object-group network SERVERS
> network-object host SERVER1
> network-object host SERVER2
> network-object host SERVER3
>
> Static NAT is used to map the outside 10.x.x.x addresses to 192.x.x.x.
> on the inside:
>
> static (inside,outside) 10.10.10.1 SERVER1 netmask 255.255.255.255
> static (inside,outside) 10.10.10.2 SERVER2 netmask 255.255.255.255
> static (inside,outside) 10.10.10.3 SERVER3 netmask 255.255.255.255
>
> I have then created an access-list to permit access to the SERVERS
> network-group:
>
> access-list outside_access_in extended permit tcp any object-group
> SERVERS eq http
>
> For some reason when external users connect to the outside 10.x.x.x
> they are not permitted. I'm guessing this because the access-list
> mentions the INSIDE names - not the OUTSIDE NAT addresses. I suppose
> my question is what order is the traffic processed? NAT or access-
> list?
>
> Should my network group really contain the OUTSIDE NAT addresses of
> the servers?
>
> Many thanks,
>
> Paul
>
The access-group is processed before the NAT, so yes, your network group
should contain the translated addresses.
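The configuration the reply implies, as an added example that is not from the original thread or Cisco's documentation: on this code train the inbound list is matched against the post-NAT (global) addresses, so the object-group holds the 10.10.10.x statics, and the list has to be bound to the interface with access-group, which the original post does not show. The names SERVERn_GLOBAL, the group SERVERS_OUTSIDE and the interface name "outside" are assumptions.

```text
! Names for the translated (global) addresses that outside hosts connect to
name 10.10.10.1 SERVER1_GLOBAL
name 10.10.10.2 SERVER2_GLOBAL
name 10.10.10.3 SERVER3_GLOBAL
!
! Group the global addresses, not the inside 192.168.1.x ones
object-group network SERVERS_OUTSIDE
 network-object host SERVER1_GLOBAL
 network-object host SERVER2_GLOBAL
 network-object host SERVER3_GLOBAL
!
! Statics stay as posted: static (inside,outside) global-ip local-ip
static (inside,outside) 10.10.10.1 SERVER1 netmask 255.255.255.255
static (inside,outside) 10.10.10.2 SERVER2 netmask 255.255.255.255
static (inside,outside) 10.10.10.3 SERVER3 netmask 255.255.255.255
!
! Inbound list evaluated before translation, so it names the global group
access-list outside_access_in extended permit tcp any object-group SERVERS_OUTSIDE eq http
!
! Bind the list to the outside interface; an unbound list is never consulted
access-group outside_access_in in interface outside
```

After applying it, `show access-list outside_access_in` should show the hitcnt on the http entry increasing as outside hosts connect; a hitcnt stuck at 0 means the traffic is still not matching the permit line.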