PIX access-lists and static NAT

Discussion in 'Cisco' started by thefunnel@aol.com, Oct 15, 2007.

  1. Guest

    Hi,

    I would like to secure an inbound access-list on a PIX 525 running
    software version 8.

    Hosts on the outside will connect to 3 servers on the inside for WWW.

    This will involve an explicit access rule and NAT.

    The servers are named and grouped:

    name 192.168.1.1 SERVER1
    name 192.168.1.2 SERVER2
    name 192.168.1.3 SERVER3

    object-group network SERVERS
    network-object host SERVER1
    network-object host SERVER2
    network-object host SERVER3

    Static NAT is used to map the outside 10.x.x.x addresses to 192.x.x.x
    on the inside:

    static (inside,outside) 10.10.10.1 SERVER1 netmask 255.255.255.255
    static (inside,outside) 10.10.10.2 SERVER2 netmask 255.255.255.255
    static (inside,outside) 10.10.10.3 SERVER3 netmask 255.255.255.255

    I have then created an access-list to permit access to the SERVERS
    network-group:

    access-list outside_access_in extended permit tcp any object-group SERVERS eq http

    For some reason when external users connect to the outside 10.x.x.x
    they are not permitted. I'm guessing this is because the access-list
    mentions the INSIDE names - not the OUTSIDE NAT addresses. I suppose
    my question is what order is the traffic processed? NAT or access-list?

    Should my network group really contain the OUTSIDE NAT addresses of
    the servers?

    Many thanks,

    Paul
    Oct 15, 2007
    #1

  2. mcaissie Guest

    <> wrote in message
    news:...
    > Hi,
    >
    > I would like to secure an inbound access-list on a PIX 525 running
    > software version 8.
    >
    > Hosts on the outside will connect to 3 servers on the inside for WWW.
    >
    > This will involve an explicit access rule and NAT.
    >
    > The servers are named and grouped:
    >
    > name 192.168.1.1 SERVER1
    > name 192.168.1.2 SERVER2
    > name 192.168.1.3 SERVER3
    >
    > object-group network SERVERS
    > network-object host SERVER1
    > network-object host SERVER2
    > network-object host SERVER3
    >
    > Static NAT is used to map the outside 10.x.x.x addresses to 192.x.x.x
    > on the inside:
    >
    > static (inside,outside) 10.10.10.1 SERVER1 netmask 255.255.255.255
    > static (inside,outside) 10.10.10.2 SERVER2 netmask 255.255.255.255
    > static (inside,outside) 10.10.10.3 SERVER3 netmask 255.255.255.255
    >
    > I have then created an access-list to permit access to the SERVERS
    > network-group:
    >
    > access-list outside_access_in extended permit tcp any object-group SERVERS eq http
    >
    > For some reason when external users connect to the outside 10.x.x.x
    > they are not permitted. I'm guessing this is because the access-list
    > mentions the INSIDE names - not the OUTSIDE NAT addresses. I suppose
    > my question is what order is the traffic processed? NAT or access-list?
    >
    > Should my network group really contain the OUTSIDE NAT addresses of
    > the servers?
    >
    > Many thanks,
    >
    > Paul
    >


    The access-group is processed before the NAT, so yes, your network group
    should contain the translated addresses.
    mcaissie, Oct 15, 2007
    #2
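    The ordering mcaissie describes (on this pre-8.3 PIX the inbound ACL on outside is matched against the mapped address) can be checked mechanically. The Python linter below is an added example, not code from the thread: it parses a constructed config mirroring Paul's setup plus an assumed `access-group outside_access_in in interface outside` binding, flags ACL destinations that are real inside addresses whose static maps them onto that same interface, and lists the mapped addresses the group should hold instead. It only understands the command forms used in this thread, with the object-group taken as the ACL destination.

```python
SAMPLE_CONFIG = """\
name 192.168.1.1 SERVER1
name 192.168.1.2 SERVER2
name 192.168.1.3 SERVER3
object-group network SERVERS
 network-object host SERVER1
 network-object host SERVER2
 network-object host SERVER3
static (inside,outside) 10.10.10.1 SERVER1 netmask 255.255.255.255
static (inside,outside) 10.10.10.2 SERVER2 netmask 255.255.255.255
static (inside,outside) 10.10.10.3 SERVER3 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any object-group SERVERS eq http
access-group outside_access_in in interface outside
"""

def parse_config(text):
    """Collect network object-groups, statics and inbound ACL bindings (thread's command forms only)."""
    names, groups, statics, acls, bound, group = {}, {}, {}, {}, {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "name":                                # name <ip> <alias>
            names[t[2]] = t[1]
        elif t[:2] == ["object-group", "network"]:
            group = t[2]
            groups[group] = []
        elif t[:2] == ["network-object", "host"] and group:
            groups[group].append(names.get(t[2], t[2]))   # resolve alias to its IP
        elif t[0] == "static":                            # static (real_if,mapped_if) <mapped> <real>
            mapped_if = t[1].strip("()").split(",")[1]
            statics[names.get(t[3], t[3])] = (t[2], mapped_if)
        elif t[0] == "access-list" and "object-group" in t:   # group is the destination here
            acls.setdefault(t[1], []).extend(groups[t[t.index("object-group") + 1]])
        elif t[0] == "access-group" and t[2] == "in":     # access-group <acl> in interface <if>
            bound[t[1]] = t[4]
    return groups, statics, acls, bound

def find_untranslated(text):
    """(acl, real, mapped) for destinations the ACL can never match on a pre-8.3 PIX."""
    _, statics, acls, bound = parse_config(text)
    return [(acl, dst, statics[dst][0])
            for acl, iface in bound.items()
            for dst in acls.get(acl, [])
            if dst in statics and statics[dst][1] == iface]   # real address seen on mapped side

def corrected_group(text, group_name):
    """Mapped addresses the group should hold for an ACL bound on the mapped interface."""
    groups, statics, _, _ = parse_config(text)
    return [statics.get(host, (host,))[0] for host in groups[group_name]]
```

    Running `find_untranslated(SAMPLE_CONFIG)` reports all three servers, and `corrected_group(SAMPLE_CONFIG, "SERVERS")` gives the 10.10.10.x addresses the group needs.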
