PIX 515 - NAT implementation really that stupid?

Discussion in 'Cisco' started by Patrick M. Hausen, Jul 12, 2004.

  1. Hello!

    I'm still having a little difficulty understanding the PIX OS
    concepts with respect to NATing and ICMP.

    From what I've found in the documentation it is necessary to
    configure a static one-to-one NAT mapping if you want an internal
    host or one in a DMZ to be able to ping hosts on the outside
    network.

    How can I enable _all_ internal hosts to be able to ping external
    hosts?

    I mean, the cheapest IOS router even without a firewall feature set
    can do it like this:

    int eth0
    ip nat outside
    int fa0
    ip nat inside
    ip nat inside source list <something> interface eth0 overload
    access-list <something> permit <internal network>

    Finished! How can I achieve this with a PIX?


    Next problem: I need to have multiple addresses (same subnet)
    on the outside interface and forward incoming connections on
    e.g. port 443 to a server in one DMZ for the first address
    and to another server in another DMZ for the second address and
    so on. Is this at all possible? Again it's trivial with IOS.
    I'm getting the impression that an IOS firewall feature set is
    much more feature rich than the PIX.


    If you need a more detailed description to give helpful answers,
    I will of course be happy to provide them. But I think that I'm
    missing some general concepts here and not just the magic command
    that will let me do the right thing. And of course I did RTFM.
    I have more than 10 years experience with IOS and various firewalls
    - but not with the PIX until now. Hence the provocative subject line ;-)
    Maybe insert "limited" for "stupid".

    Thanks a lot,
    Patrick

    +-----------------------------------+
    | EuroBSDCon 2004 in Karlsruhe! |
    | 29. - 31. 10. 2004 |
    | http://www.eurobsdcon2004.de/ |
    +-----------------------------------+

    --
    punkt.de GmbH Internet - Dienstleistungen - Beratung
    Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
    76137 Karlsruhe http://punkt.de
     
    Patrick M. Hausen, Jul 12, 2004
    #1

  2. Patrick M. Hausen

    News Account Guest

    http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:PIX&s=Software_Configuration

    HTH

    News Account, Jul 12, 2004
    #2

  3. Patrick M. Hausen

    Jens Haase Guest

    Hello,

    "Patrick M. Hausen" <> wrote in message
    news:...
    > Hello!
    >
    > I'm still having a little difficulty understanding the PIX OS
    > concepts with respect to NATing and ICMP.
    >
    > From what I've found in the documentation it is necessary to
    > configure a static one-to-one NAT mapping if you want an internal
    > host or one in a DMZ to be able to ping hosts on the outside
    > network.
    >
    > How can I enable _all_ internal hosts to be able to ping external
    > hosts?


    access-list acl_out permit icmp any any echo-reply
    access-group acl_out in interface outside

    In order to be able to ping the interfaces of the PIX use:

    icmp permit

    Usage: [no] icmp permit|deny <ip-address> <net-mask> [<icmp-type>] <if-name>
    [clear|show] icmp


    >
    > I mean, the cheapest IOS router even without a firewall feature set
    > can do it like this:
    >
    > int eth0
    > ip nat outside
    > int fa0
    > ip nat inside
    > ip nat inside source list <something> interface eth0 overload
    > access-list <something> permit <internal network>
    >
    > Finished! How can I achieve this with a PIX?
    >
    >
    > Next problem: I need to have multiple addresses (same subnet)
    > on the outside interface and forward incoming connections on
    > e.g. port 443 to a server in one DMZ for the first address
    > and to another server in another DMZ for the second address and
    > so on. Is this at all possible? Again it's trivial with IOS.
    > I'm getting the impression that an IOS firewall feature set is
    > much more feature rich than the PIX.
    >

    I think you are referring to a static.

    Usage: [no] static [(real_ifc, mapped_ifc)]
    {<mapped_ip>|interface}
    {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
    [dns] [norandomseq] [<max_conns> [<emb_lim>]]
    [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
    {<mapped_ip>|interface} <mapped_port>
    {<real_ip> <real_port> [netmask <mask>]} |
    {access-list <acl_name>}
    [dns] [norandomseq] [<max_conns> [<emb_lim>]]

    Example:

    You have 192.168.1.1 and 192.168.2.2 on the outside and want to have
    192.168.1.1:443 go to 10.1.1.1:443 and 192.168.1.2 go to 172.16.1.1:443 you
    would do this:

    static (inside, outside) tcp 192.168.1.1 443 10.1.1.1 443 netmask 255.255.255.255
    static (inside, outside) tcp 192.168.1.2 443 172.16.1.1 443 netmask 255.255.255.255

    and do not forget the access-list:

    access-list acl_out permit tcp any host 192.168.1.1 eq 443
    access-list acl_out permit tcp any host 192.168.1.2 eq 443
    access-group acl_out in interface outside

    I hope this is what you meant.

    Jens


     
    Jens Haase, Jul 12, 2004
    #3
  4. Hello!

    Jens Haase <> wrote:

    > > How can I enable _all_ internal hosts to be able to ping external
    > > hosts?

    >
    > access-list acl_out permit icmp any any echo-reply
    > access-group acl_out in interface outside


    I already have this configured, doesn't work.

    access-list outside_access_in permit icmp any any echo-reply
    access-group outside_access_in in interface outside

    When I try to ping an external host from inside, I'm getting this
    log message:

    Jul 12 17:21:53 172.21.0.1 %PIX-4-106023: Deny icmp src inside:Laptop_Hausen dst outside:217.29.32.134 (type 8, code 0) by access-group "inside_access_in"

    When I try to explicitly permit outgoing ICMP echo _requests_, the PDM
    tells me that I would need a static NAT entry for that. So I got the
    impression that I needed one-to-one NAT mappings for ICMP.

    > You have 192.168.1.1 and 192.168.2.2 on the outside and want to have
    > 192.168.1.1:443 go to 10.1.1.1:443 and 192.168.1.2 go to 172.16.1.1:443 you
    > would do this:
    >
    > static (inside, outside) tcp 192.168.1.1 443 10.1.1.1 443 netmask
    > 255.255.255.255
    > static (inside, outside) tcp 192.168.1.2 443 172.16.1.1 443 netmask
    > 255.255.255.255


    Does that imply the PIX will automagically start answering ARP requests
    for 192.168.1.2 in addition to its primary interface address 192.168.1.1
    on the outside interface? I've been searching for hours for a way to
    explicitly configure "secondary" addresses on the PIX.
    If it just "does the right thing" once the static NAT is in place, then
    yes - this is exactly what I need.

    > and do not forget the access-list:
    >
    > access-list acl_out permit tcp any host 192.168.1.1 eq 443
    > access-list acl_out permit tcp any host 192.168.1.2 eq 443
    > access-group acl_out in interface outside


    Of course ;-)

    Thanks a lot,

    Patrick M. Hausen
    Leiter Netzwerke und Sicherheit

     
    Patrick M. Hausen, Jul 12, 2004
    #4
  5. Patrick M. Hausen

    Jens Haase Guest

    "Patrick M. Hausen" <> wrote in message
    news:...
    > Hello!
    >
    > Jens Haase <> wrote:
    >
    > > > How can I enable _all_ internal hosts to be able to ping external
    > > > hosts?

    > >
    > > access-list acl_out permit icmp any any echo-reply
    > > access-group acl_out in interface outside

    >
    > I already have this configured, doesn't work.
    >
    > access-list outside_access_in permit icmp any any echo-reply
    > access-group outside_access_in in interface outside
    >
    > When I try to ping an external host from inside, I'm getting this
    > log message:
    >
    > Jul 12 17:21:53 172.21.0.1 %PIX-4-106023: Deny icmp src inside:Laptop_Hausen dst outside:217.29.32.134 (type 8, code 0) by access-group "inside_access_in"
    >

    This tells us that your inside access-list blocks ICMP echo requests.

    So you have to say

    access-list inside_access_in permit icmp any any echo
    access-group inside_access_in in interface inside



    > When I try to explicitly permit outgoing ICMP echo _requests_, the PDM
    > tells me that I would need a static NAT entry for that. So I got the
    > impression that I needed one-to-one NAT mappings for ICMP.
    >

    The documentation at this link states the same:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

    but in my scenario I do not have a static and when I ping any IP on the
    Internet the PIX adds an xlate for it:

    fw01# sh xlate detail
    7 in use, 272 most used
    Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
    o - outside, r - portmap, s - static
    ICMP PAT from inside:192.168.1.16/1024 to outside:80.141.142.2/2 flags r

    If you have worked with IOS for 10 years, I assume you are not using this Windows
    configuration tool they are shipping (it is called Fast Step or so).
    My suggestion is: forget PDM and get used to PIX OS. It is pretty close to
    IOS.


    > > You have 192.168.1.1 and 192.168.2.2 on the outside and want to have
    > > 192.168.1.1:443 go to 10.1.1.1:443 and 192.168.1.2 go to 172.16.1.1:443 you
    > > would do this:
    > >
    > > static (inside, outside) tcp 192.168.1.1 443 10.1.1.1 443 netmask
    > > 255.255.255.255
    > > static (inside, outside) tcp 192.168.1.2 443 172.16.1.1 443 netmask
    > > 255.255.255.255

    >
    > Does that imply the PIX will automagically start answering ARP requests
    > for 192.168.1.2 in addition to its primary interface address 192.168.1.1
    > on the outside interface? I've been searching for hours for a way to
    > explicitly configure "secondary" addresses on the PIX.
    > If it just "does the right thing" once the static NAT is in place, then
    > yes - this is exactly what I need.
    >


    The static command in PIX is comparable to the "ip nat source static" in
    IOS.
    What exactly do you want to do with the secondary address?

    You can also drop me an e-mail in German to discuss this problem, if you want.

    Jens




     
    Jens Haase, Jul 12, 2004
    #5
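    Added example (not part of the thread, and not Cisco code): a small Python parser for the %PIX-4-106023 deny message Jens reads above, counting denies per access-group and flagging dropped outbound echo requests, which is exactly the symptom the log line in this thread shows. The function names (parse_deny, finding, summarize) are my own, and the sample log lines other than the one quoted from the thread are constructed.

```python
import re
from collections import Counter

# %PIX-4-106023 as quoted in the thread:
#   Deny <proto> src <ifc>:<host>[/<port>] dst <ifc>:<host>[/<port>] [(type N, code M)] by access-group "<acl>"
DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_ifc>\w+):(?P<src>[^\s/]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dst_ifc>\w+):(?P<dst>[^\s/]+)(?:/(?P<dport>\d+))?'
    r'(?: \(type (?P<type>\d+), code (?P<code>\d+)\))? '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_deny(line):
    """Return the fields of one 106023 line as a dict, or None for any other message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "type", "code"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def finding(rec):
    """Flag an ICMP echo request (type 8) dropped on its way to the outside interface;
    the ACL named in the message is the one missing a 'permit icmp any any echo' line."""
    if rec["proto"] == "icmp" and rec["type"] == 8 and rec["dst_ifc"] == "outside":
        return f'echo request from {rec["src"]} dropped by ACL "{rec["acl"]}": add "permit icmp any any echo"'
    return None


def summarize(lines):
    """Count denies per access-group and collect findings over a batch of syslog lines."""
    per_acl = Counter()
    findings = []
    for line in lines:
        rec = parse_deny(line)
        if rec is None:
            continue  # not a 106023 message
        per_acl[rec["acl"]] += 1
        note = finding(rec)
        if note:
            findings.append(note)
    return per_acl, findings


# Constructed sample: the line from the thread, two made-up inbound denies, one unrelated message.
SAMPLE_LOG = [
    'Jul 12 17:21:53 172.21.0.1 %PIX-4-106023: Deny icmp src inside:Laptop_Hausen dst outside:217.29.32.134 (type 8, code 0) by access-group "inside_access_in"',
    'Jul 12 17:22:10 172.21.0.1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/40512 dst outside:192.168.1.2/22 by access-group "outside_access_in"',
    'Jul 12 17:22:11 172.21.0.1 %PIX-4-106023: Deny udp src outside:198.51.100.7/53 dst outside:192.168.1.1/1434 by access-group "outside_access_in"',
    'Jul 12 17:22:12 172.21.0.1 %PIX-6-302013: Built outbound TCP connection 12 for outside:217.29.32.134/443',
]
```

    Running summarize(SAMPLE_LOG) yields one deny for inside_access_in with a finding attached and two for outside_access_in with none, which separates the misconfiguration Jens identified from ordinary inbound noise.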
  6. In article <>,
    Patrick M. Hausen <> wrote:
    :When I try to explicitly permit outgoing ICMP echo _requests_, the PDM
    :tells me that I would need a static NAT entry for that. So I got the
    :impression that I needed one-to-one NAT mappings for ICMP.

    You don't need a static NAT, but you do need some kind of address
    translation. Does your configuration have a nat / global pair
    mapping inside addresses to outside? e.g.,

    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    global (outside) 1 interface
    --
    IEA408I: GETMAIN cannot provide buffer for WATLIB.
     
    Walter Roberson, Jul 12, 2004
    #6
  7. Solved: PIX 515 - NAT implementation really that stupid?

    Patrick M. Hausen <> wrote:
    > Jens Haase <> wrote:
    >
    > > > How can I enable _all_ internal hosts to be able to ping external
    > > > hosts?

    > >
    > > access-list acl_out permit icmp any any echo-reply
    > > access-group acl_out in interface outside

    >
    > I already have this configured, doesn't work.
    >
    > access-list outside_access_in permit icmp any any echo-reply
    > access-group outside_access_in in interface outside
    >
    > When I try to ping an external host from inside, I'm getting this
    > log message:
    >
    > Jul 12 17:21:53 172.21.0.1 %PIX-4-106023: Deny icmp src inside:Laptop_Hausen dst outside:217.29.32.134 (type 8, code 0) by access-group "inside_access_in"
    >
    > When I try to explicitly permit outgoing ICMP echo _requests_, the PDM
    > tells me that I would need a static NAT entry for that. So I got the
    > impression that I needed one-to-one NAT mappings for ICMP.


    If I manually configure the necessary access rules without PDM,
    everything works as Jens pointed out. Seems like the documentation
    and PDM are the parts that are stupid/limited.

    > > static (inside, outside) tcp 192.168.1.1 443 10.1.1.1 443 netmask
    > > 255.255.255.255
    > > static (inside, outside) tcp 192.168.1.2 443 172.16.1.1 443 netmask
    > > 255.255.255.255

    >
    > Does that imply the PIX will automagically start answering ARP requests
    > for 192.168.1.2 in addition to its primary interface address 192.168.1.1
    > on the outside interface? I've been searching for hours for a way to
    > explicitly configure "secondary" addresses on the PIX.
    > If it just "does the right thing" once the static NAT is in place, then
    > yes - this is exactly what I need.


    The PIX does the right thing, _if_ proxy ARP is enabled on the
    outside interface - answering my question.

    Thanks for the help,

    Patrick M. Hausen
    Leiter Netzwerke und Sicherheit

     
    Patrick M. Hausen, Jul 13, 2004
    #7