Pix 515E Disabling PAT

 
 
RG
 
      05-07-2012
My goal is not to have the Cisco firewall alter the ports for internal
clients as they are making outbound requests.

I have already successfully set up this configuration using PAT. But,
now I need to have port assignment preserved. I was trying to
remove the global command. Then, I couldn't get outside at all.

interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
speed 100
duplex full
nameif outside
security-level 0
ip address 192.168.5.1 255.255.255.0
!
access-list workstations line 1 extended permit ip host 192.168.1.132
global (outside) 1 interface
nat (inside) 1 192.168.1.132 255.255.255.255
access-group workstations in interface inside

Thanks in advance
 
Marco Giuliani
 
      05-08-2012
On 07/05/2012 22:20, RG wrote:
> My goal is not to have the Cisco firewall alter the ports for internal
> clients as they are making outbound requests.
>
> I have already successfully set up this configuration using PAT. But, now
> I need to have port assignment preserved. I was trying to remove
> the global command. Then, I couldn't get outside at all.
>


You can get what you want with *nat exemption*.

nat (inside) 0 192.168.1.132 255.255.255.255

Delete all "global" commands.


Bye,
marco


 
RG
 
      05-08-2012
On 5/8/2012 3:37 AM, Marco Giuliani wrote:
> On 07/05/2012 22:20, RG wrote:
>> My goal is not to have the Cisco firewall alter the ports for internal
>> clients as they are making outbound requests.
>>
>> I have already successfully set up this configuration using PAT. But, now
>> I need to have port assignment preserved. I was trying to remove
>> the global command. Then, I couldn't get outside at all.
>>

>
> You can get what you want with *nat exemption*.
>
> nat (inside) 0 192.168.1.132 255.255.255.255
>
> Delete all "global" command.
>
>
> Bye,
> marco
>
>


Thanks for your help. I did what you mentioned. When specifying "sh
xlate", Cisco shows "Global 192.168.1.132 Local 192.168.1.132".
Shouldn't the global IP show the external interface IP? Looking at syslog,
i.e. a ping attempt, I am only seeing the response to name resolution, but that
is not getting back to 192.168.1.132. Is there anything else I need to do?

Syslog is not showing packets with source 192.168.1.132. It shows
192.168.1.132 as destination.

Thanks again



 
 
Marco Giuliani
 
      05-09-2012
On 08/05/2012 14:10, RG wrote:
> When specifying "sh
> xlate", cisco shows - "Global 192.168.1.132 Local 192.168.1.132".


It's right with NAT 0 command.
There is no address translation with nat exemption.


> Shouldn't the global ip show external interface ip?


No.

If you want to show the external interface IP, you should use this configuration.


nat (inside) 1 192.168.1.132 255.255.255.255
global (outside) 1 interface


However, you wrote "My goal is not to have cisco firewall alter the
ports for internal clients as they are making outbound reques"

Maybe you want NAT without PAT?
Maybe I don't understand your needs.


> Looking at syslog,
> ie ping attempt, I am only seeing response to name resolution but that
> is not getting back to 192.168.1.132. Is there anything else I need to do?
>
> Syslog is not showing packets with source 192.168.1.132. It shows
> 192.168.1.132 as destination.
>


Can you explain your network scheme?


x.x.x.x/x

outside pix ip address

PIX

inside pix ip address

192.168.1.0/24


bye,
marco
 
RG
 
      05-09-2012
On 5/9/2012 4:02 AM, Marco Giuliani wrote:
> On 08/05/2012 14:10, RG wrote:
>> When specifying "sh
>> xlate", cisco shows - "Global 192.168.1.132 Local 192.168.1.132".

>
> It's right with NAT 0 command.
> There is no address translation with nat exemption.
>
>
>> Shouldn't the global ip show external interface ip?

>
> No.
>
> If you want to show external interface ip you should use this
> configuration.
>
>
> nat (inside) 1 192.168.1.132 255.255.255.255
> global (outside) 1 interface
>


The problem with this is if I am a client behind the firewall, i.e.
192.168.1.132 port 30456, connecting to a server outside of the firewall, i.e.
192.168.5.30 port 5060. I would like the IP/port appearing to the
server to be the external IP of the firewall, preserving the original
port number, i.e. 192.168.5.1 port 30456.

Now that you have explained it to me, I suppose that when configuring exemption
the firewall is routing packets. In that case, the server never had a
return route. I just changed it and it works.

Is there a way to do this with just NAT and no PAT? Can you use static
statements for outbound connections? If so, how?

Thanks for all your help

 
Marco Giuliani
 
      05-10-2012
On 09/05/2012 22:38, RG wrote:

> The problem with this is if I am a client behind the firewall ie
> 192.168.1.132 port 30456 connecting to server outside of the firewall ie
> 192.168.5.30 port 5060. I would like that the ip/port appearing to the
> server should be the external ip of the firewall preserving original
> port number ie 192.168.5.1 port 30456.
>
> Now that you explain to me, when configuring exemption, I suppose,
> firewall is routing packets.

Yes. You're right.

> In that case, the server never had a return
> route. I just changed it and it works.
>

ok.
> Is there a way to do this with just NAT and no PAT? Can you use static
> statements for outbound connections? If so, how?



static (inside,outside) 192.168.5.132 192.168.1.132

"Static NAT allows bidirectional connection initiation, both to and from
the host (if an access rule exists that allows it). With dynamic NAT and
PAT, on the other hand, each host uses a different address or port for
each subsequent translation, so bidirectional initiation is not supported."

http://www.cisco.com/en/US/docs/secu...html#wp1094702


On the other hand, every time you map many real addresses (e.g. the inside
subnet 192.168.1.0/24) to a single global address (e.g. the interface public
address), the PIX firewall does port address translation.

nat (inside) 1 192.168.1.0 255.255.255.0

global (outside) 1 interface

Bye,
marco
 
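Added illustration, not code from the thread or from Cisco: a small Python model of the three translation styles Marco walks through (nat 0 exemption, nat/global PAT to the interface, static NAT), run over the thread's 192.168.1.132:30456 -> 192.168.5.30:5060 flow. The PAT rule "keep the source port unless another host already holds it, then take the next free one" and the 192.168.5.132 static mapping are assumptions of this model.

```python
import ipaddress

OUTSIDE_IF = "192.168.5.1"                  # PIX outside interface address (from the thread)
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")


class PixNat:
    """One translation policy: 'exempt' (nat 0), 'pat' (nat 1 + global interface)
    or 'static' (static (inside,outside) mapped real)."""

    def __init__(self, mode, static_map=None):
        self.mode = mode
        self.static_map = static_map or {}  # real -> mapped address (assumed mapping)
        self.pat_ports = set()              # source ports already in use on OUTSIDE_IF

    def outbound(self, src_ip, src_port):
        """Source (ip, port) the outside server sees for an inside-initiated flow."""
        if self.mode == "exempt":
            return src_ip, src_port                  # no xlate: packet is routed unchanged
        if self.mode == "static":
            return self.static_map[src_ip], src_port  # 1:1 address swap, port preserved
        port = src_port                              # dynamic PAT: all hosts share one address
        while port in self.pat_ports:                # assumed rule: on collision take next free port
            port = 1024 if port >= 65535 else port + 1
        self.pat_ports.add(port)
        return OUTSIDE_IF, port

    def inbound(self, dst_ip, dst_port):
        """Inside (ip, port) for an outside-initiated flow, or None when it cannot be delivered."""
        if self.mode == "static":
            reverse = {mapped: real for real, mapped in self.static_map.items()}
            return (reverse[dst_ip], dst_port) if dst_ip in reverse else None
        if self.mode == "exempt":                    # deliverable only if the outside has a route
            return (dst_ip, dst_port) if ipaddress.ip_address(dst_ip) in INSIDE_NET else None
        return None                                  # PAT: no existing xlate, so it is dropped


def thread_flow():
    """192.168.1.132:30456 -> 192.168.5.30:5060 as seen by the server under each policy."""
    static = PixNat("static", {"192.168.1.132": "192.168.5.132"})
    pat = PixNat("pat")
    pat.outbound("192.168.1.10", 30456)   # constructed: another inside host already holds 30456
    return {
        "exempt": PixNat("exempt").outbound("192.168.1.132", 30456),
        "pat": pat.outbound("192.168.1.132", 30456),
        "static": static.outbound("192.168.1.132", 30456),
        "static_inbound": static.inbound("192.168.5.132", 5060),
        "pat_inbound": pat.inbound(OUTSIDE_IF, 5060),
    }
```

Only the static entry both rewrites the address and keeps port 30456, and it is the only one of the three that lets the outside server initiate back in without an existing xlate.
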
RG
 
      05-11-2012
On 5/10/2012 10:20 AM, Marco Giuliani wrote:
> On 09/05/2012 22:38, RG wrote:
>
>> The problem with this is if I am a client behind the firewall, i.e.
>> 192.168.1.132 port 30456, connecting to a server outside of the firewall, i.e.
>> 192.168.5.30 port 5060. I would like the IP/port appearing to the
>> server to be the external IP of the firewall, preserving the original
>> port number, i.e. 192.168.5.1 port 30456.
>>
>> Now that you explain to me, when configuring exemption, I suppose,
>> firewall is routing packets.

> Yes. You're right.
>
>> In that case, the server never had a return
>> route. I just changed it and it works.
>>

> ok.
>> Is there a way to do this with just NAT and no PAT? Can you use static
>> statements for outbound connections? If so, how?

>
>
> static (inside,outside) 192.168.5.132 192.168.1.132
>
> "Static NAT allows bidirectional connection initiation, both to and from
> the host (if an access rule exists that allows it). With dynamic NAT and
> PAT, on the other hand, each host uses a different address or port for
> each subsequent translation, so bidirectional initiation is not supported."
>
> http://www.cisco.com/en/US/docs/secu...html#wp1094702
>
>
>
> On the other hand, every time you map many real addresses (e.g. the inside
> subnet 192.168.1.0/24) to a single global address (e.g. the interface public
> address), the PIX firewall does port address translation.
>
> nat (inside) 1 192.168.1.0 255.255.255.0
>
> global (outside) 1 interface
>
> Bye,
> marco



This is excellent. Thanks for all your help.
 