Pix 515E Disabling PAT

Discussion in 'Cisco' started by RG, May 7, 2012.

  1. RG

    RG Guest

    My goal is not to have cisco firewall alter the ports for internal
    clients as they are making outbound requests.

    I have already successfully set up this configuration using PAT. But,
    now I need to have port assignment preserved. I was trying to
    remove the global command. Then, I couldn't get outside at all.

    interface Ethernet1
    speed 100
    duplex full
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Ethernet2
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address 192.168.5.1 255.255.255.0
    !
    access-list workstations line 1 extended permit ip host 192.168.1.132
    global (outside) 1 interface
    nat (inside) 1 192.168.1.132 255.255.255.255
    access-group workstations in interface inside

    Thanks in advance
    RG, May 7, 2012
    #1

  2. On 07/05/2012 22:20, RG wrote:
    > My goal is not to have cisco firewall alter the ports for internal
    > clients as they are making outbound requests.
    >
    > I have already successfully set up this configuration using PAT. But, now
    > I need to have port assignment preserved. I was trying to remove
    > the global command. Then, I couldn't get outside at all.
    >


    You can get what you want with *nat exemption*.

    nat (inside) 0 192.168.1.132 255.255.255.255

    Delete all "global" commands.


    Bye,
    marco
    Marco Giuliani, May 8, 2012
    #2

  3. RG

    RG Guest

    On 5/8/2012 3:37 AM, Marco Giuliani wrote:
    > On 07/05/2012 22:20, RG wrote:
    >> My goal is not to have cisco firewall alter the ports for internal
    >> clients as they are making outbound requests.
    >>
    >> I have already successfully set up this configuration using PAT. But, now
    >> I need to have port assignment preserved. I was trying to remove
    >> the global command. Then, I couldn't get outside at all.
    >>

    >
    > You can get what you want with *nat exemption*.
    >
    > nat (inside) 0 192.168.1.132 255.255.255.255
    >
    > Delete all "global" command.
    >
    >
    > Bye,
    > marco
    >
    >


    Thanks for your help. I did what you mentioned. When specifying "sh
    xlate", cisco shows - "Global 192.168.1.132 Local 192.168.1.132".
    Shouldn't the global ip show external interface ip? Looking at syslog,
    ie ping attempt, I am only seeing response to name resolution but that
    is not getting back to 192.168.1.132. Is there anything else I need to do?

    Syslog is not showing packets with source 192.168.1.132. It shows
    192.168.1.132 as destination.

    Thanks again
    RG, May 8, 2012
    #3
  5. On 08/05/2012 14:10, RG wrote:
    > When specifying "sh
    > xlate", cisco shows - "Global 192.168.1.132 Local 192.168.1.132".


    It's right with the NAT 0 command.
    There is no address translation with nat exemption.


    > Shouldn't the global ip show external interface ip?


    No.

    If you want the external interface IP to show, you should use this configuration.


    nat (inside) 1 192.168.1.132 255.255.255.255
    global (outside) 1 interface


    However, you wrote "My goal is not to have cisco firewall alter the
    ports for internal clients as they are making outbound reques"

    Maybe, do you want NAT without PAT?
    Maybe I don't understand your needs. ;-)


    > Looking at syslog,
    > ie ping attempt, I am only seeing response to name resolution but that
    > is not getting back to 192.168.1.132. Is there anything else I need to do?
    >
    > Syslog is not showing packets with source 192.168.1.132. It shows
    > 192.168.1.132 as destination.
    >


    Can you explain your network scheme?


    x.x.x.x/x

    outside pix ip address

    PIX

    inside pix ip address

    192.168.1.0/24


    bye,
    marco
    Marco Giuliani, May 9, 2012
    #5
  6. RG

    RG Guest

    On 5/9/2012 4:02 AM, Marco Giuliani wrote:
    > On 08/05/2012 14:10, RG wrote:
    >> When specifying "sh
    >> xlate", cisco shows - "Global 192.168.1.132 Local 192.168.1.132".

    >
    > It's right with NAT 0 command.
    > There is no address translation with nat exemption.
    >
    >
    >> Shouldn't the global ip show external interface ip?

    >
    > No.
    >
    > If you want to show external interface ip you should use this
    > configuration.
    >
    >
    > nat (inside) 1 192.168.1.132 255.255.255.255
    > global (outside) 1 interface
    >


    The problem with this is if I am a client behind the firewall ie
    192.168.1.132 port 30456 connecting to server outside of the firewall ie
    192.168.5.30 port 5060. I would like that the ip/port appearing to the
    server should be the external ip of the firewall preserving original
    port number ie 192.168.5.1 port 30456.

    Now that you explain to me, when configuring exemption, I suppose,
    firewall is routing packets. In that case, the server never had a
    return route. I just changed it and it works.

    Is there a way to do this with just NAT and no PAT? Can you use static
    statements for outbound connections? If so, how?

    Thanks for all your help
    RG, May 9, 2012
    #6
  7. On 09/05/2012 22:38, RG wrote:

    > The problem with this is if I am a client behind the firewall ie
    > 192.168.1.132 port 30456 connecting to server outside of the firewall ie
    > 192.168.5.30 port 5060. I would like that the ip/port appearing to the
    > server should be the external ip of the firewall preserving original
    > port number ie 192.168.5.1 port 30456.
    >
    > Now that you explain to me, when configuring exemption, I suppose,
    > firewall is routing packets.

    Yes. You're right.

    > In that case, the server never had a return
    > route. I just changed it and it works.
    >

    ok.
    > Is there a way to do this with just NAT and no PAT? Can you use static
    > statements for outbound connections? If so, how?



    static (inside,outside) 192.168.5.132 192.168.1.132

    "Static NAT allows bidirectional connection initiation, both to and from
    the host (if an access rule exists that allows it). With dynamic NAT and
    PAT, on the other hand, each host uses a different address or port for
    each subsequent translation, so bidirectional initiation is not supported."

    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_overview.html#wp1094702


    On the other hand, every time you map many real addresses (e.g. the inside
    subnet 192.168.1.0/24) to a single global address (e.g. the interface public
    address), the PIX firewall does port address translation.

    nat (inside) 1 192.168.1.0 255.255.255.0

    global (outside) 1 interface

    Bye,
    marco
    Marco Giuliani, May 10, 2012
    #7
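    As an added illustration (not part of the thread, and not Cisco code), the following toy model applies the three translation modes discussed above (nat 0 exemption, static NAT, dynamic PAT) to the thread's own flow 192.168.1.132:30456 -> 192.168.5.30:5060 and reports what the outside server sees, whether the source port survives, and whether the server could open a new connection back to that address. The PAT port pool starting at 1024 is a constructed assumption, not the PIX allocator.

```python
"""Toy model of PIX outbound translation modes from the thread (constructed example)."""
from dataclasses import dataclass
import itertools

OUTSIDE_IF = "192.168.5.1"                        # global (outside) 1 interface
STATIC_MAP = {"192.168.1.132": "192.168.5.132"}   # static (inside,outside) 192.168.5.132 192.168.1.132


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Pix:
    def __init__(self, mode):
        self.mode = mode                          # "exempt", "static" or "pat"
        self.xlate = {}                           # (global_ip, global_port) -> (local_ip, local_port)
        self._pat_ports = itertools.count(1024)   # constructed PAT port allocator

    def outbound(self, f):
        """Translate an inside-initiated flow; returns the flow as the outside server sees it."""
        if self.mode == "exempt":                 # nat (inside) 0: routed, nothing rewritten
            g_ip, g_port = f.src_ip, f.src_port
        elif self.mode == "static":               # one-to-one address NAT, port preserved
            g_ip, g_port = STATIC_MAP[f.src_ip], f.src_port
        elif self.mode == "pat":                  # many-to-one: interface IP plus allocated port
            g_ip, g_port = OUTSIDE_IF, next(self._pat_ports)
        else:
            raise ValueError(self.mode)
        self.xlate[(g_ip, g_port)] = (f.src_ip, f.src_port)
        return Flow(g_ip, g_port, f.dst_ip, f.dst_port)

    def inbound(self, dst_ip, dst_port):
        """Outside-initiated connection to dst_ip:dst_port; the inside target or None.
        Static NAT answers for the mapped address on any port (an ACL must still permit it);
        exemption just routes (the outside needs a return route); PAT needs an existing xlate."""
        if self.mode == "static":
            return next(((lo, dst_port) for lo, gl in STATIC_MAP.items() if gl == dst_ip), None)
        if self.mode == "exempt":
            return (dst_ip, dst_port)
        return self.xlate.get((dst_ip, dst_port))


def server_view(mode):
    """(source ip, source port, can the server open a *new* connection back) for the thread's client."""
    pix = Pix(mode)
    seen = pix.outbound(Flow("192.168.1.132", 30456, "192.168.5.30", 5060))
    return seen.src_ip, seen.src_port, pix.inbound(seen.src_ip, 5060) is not None
```

Only the static mapping gives both the firewall-side address the poster wanted and a preserved source port; PAT rewrites the port and offers no inbound path without a prior xlate.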
  8. RG

    RG Guest

    On 5/10/2012 10:20 AM, Marco Giuliani wrote:
    > On 09/05/2012 22:38, RG wrote:
    >
    >> The problem with this is if I am a client behind the firewall ie
    >> 192.168.1.132 port 30456 connecting to server outside of the firewall ie
    >> 192.168.5.30 port 5060. I would like that the ip/port appearing to the
    >> server should be the external ip of the firewall preserving original
    >> port number ie 192.168.5.1 port 30456.
    >>
    >> Now that you explain to me, when configuring exemption, I suppose,
    >> firewall is routing packets.

    > Yes. You're right.
    >
    > In that case, the server never had a return
    >> route. I just changed it and it works.
    >>

    > ok.
    >> Is there a way to do this with just NAT and no PAT? Can you use static
    >> statements for outbound connections? If so, how?

    >
    >
    > static (inside,outside) 192.168.5.132 192.168.1.132
    >
    > "Static NAT allows bidirectional connection initiation, both to and from
    > the host (if an access rule exists that allows it). With dynamic NAT and
    > PAT, on the other hand, each host uses a different address or port for
    > each subsequent translation, so bidirectional initiation is not supported."
    >
    > http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_overview.html#wp1094702
    >
    >
    >
    > On the other hand, Everytime you map many real address (e.g. inside
    > subnet 192.168.1.0/24) to a single global address (e.g. interface public
    > address), pix firewall do port address traslation.
    >
    > nat (inside) 1 192.168.1.0 255.255.255.0
    >
    > global (outside) 1 interface
    >
    > Bye,
    > marco



    This is excellent. Thanks for all your help.
    RG, May 11, 2012
    #8
