PIX Nat0 proxy arp?

Discussion in 'Cisco' started by Michael Letchworth, Dec 26, 2004.

  1. What is the difference when using NAT 0 with an access list and without? I'm
    not sure what proxy ARP would do, as far as which would have any advantages we
    could take advantage of.
     
    Michael Letchworth, Dec 26, 2004
    #1

  2. In article <Whszd.3351$2_4.177@okepread06>,
    Michael Letchworth <> wrote:
    :What is the difference when using NAT 0 with an access list and without. I
    :not sure what proxy arp would do as far which would have any advantages we
    :could take advantage of?

    Besides the obvious answer that nat 0 with an access list can be
    selective about the flows that are exempted from nat, there are
    two important differences: 1) that nat 0 with an access-list never
    does proxy arp on behalf of the NAT'd addresses; and 2) that nat 0
    with an access-list has the side effect of allowing new connections
    to the destinations if the outside ACL permits those connections.
    When you use nat 0 with an access-list, you do not need to also use
    a static to allow those flows.

    nat 0 without an access-list does not have the same side effect:
    if you want to allow new connections inward without address
    translation, then you have to use "identity NAT" by static'ing
    the flow to itself... which effectively overrides that nat 0 with
    respect to that flow.


    In the normal course of events, if you haven't turned proxy arp
    off and are not using nat 0 access-list, then when a host
    (or router) in the same broadcast domain as the PIX sends out
    an ARP request asking what the MAC address is for a particular IP,
    if there is an existing flow or if there is a static for the
    target IP, then when the PIX hears the ARP broadcast it will
    reply with the PIX's own MAC address; indeed, the PIX will
    reply on behalf of static'd IPs even if the IP range is completely
    different than the IP range of the PIX's outside interface.
    The host (or router) will receive the ARP reply and will then know
    where to send packets to [the PIX] in order to reach the target IP
    address.

    If you turn off proxy arp, or if you use nat 0 with an access list
    that matches an incoming request, then the PIX will -not- send ARP
    replies on behalf of the IP. And that means that the host or
    router will not be able to discover how to get the packets to
    target IP via the PIX. In such cases, the packets will not reach
    their proper target *unless* the host (or router) has been
    specifically instructed to *route* traffic for those IPs to
    the PIX. That takes more configuration work to handle -- and
    requires that the outside router exist, rather than (say) just
    being able to connect your PIX to your broadband modem.

    If you have an outside router, then you are better off routing
    the IPs to the PIX rather than relying on proxy arp; conversely,
    if the IPs are being routed, you can turn proxy arp off on the PIX.

    Probably the most common use of nat 0 access-list is in conjunction
    with VPN tunnels. When you have a VPN tunnel, the machine that
    knows the destination IP might be considerably remote from the
    destination; it wouldn't be very useful to have a VPN tunnel
    source do an ARP for (say) 192.168.2.5 through the PIX outside interface
    when 192.168.2.5 is an internal address a long way away. The
    internal IPs might not even have a public IP translation.

    And occasionally, proxy arp can break your network, especially if
    you have older switches that have a combined ARP table rather
    than a per-vlan ARP table.
    --
    "I want to make sure [a user] can't get through ... an online
    experience without hitting a Microsoft ad"
    -- Steve Ballmer [Microsoft Chief Executive]
     
    Walter Roberson, Dec 26, 2004
    #2
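    As an added illustration of the two nat 0 forms contrasted in the post above (PIX 6.x syntax; this is not configuration from the thread, and the inside LAN 192.168.1.0/24, the remote VPN LAN 192.168.2.0/24, the outside address 24.25.26.1 and the ACL names are all constructed for the example):

```text
! --- Form A: nat 0 with an access-list (NAT exemption) ---
! Inside-LAN traffic to the remote VPN LAN is exempted from translation.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
! Effects: the PIX does not proxy-ARP for 192.168.1.x on the outside
! interface, and a matching inbound connection from 192.168.2.0/24 is
! allowed with no static, as long as the outside ACL permits it:
access-list outside_in permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.10 eq 80
access-group outside_in in interface outside

! --- Form B: nat 0 without an access-list ---
! Outbound connections from 192.168.1.0/24 leave untranslated, but no
! inbound connection can be opened to those hosts by this line alone:
nat (inside) 0 192.168.1.0 255.255.255.0
! Adding an identity static overrides nat 0 for that one host; the PIX
! will now proxy-ARP for 192.168.1.10 on the outside and permit the
! inbound flow if the outside ACL allows it:
static (inside,outside) 192.168.1.10 192.168.1.10 netmask 255.255.255.255 0 0
access-group outside_in in interface outside

! --- Turning proxy ARP off on the outside interface ---
! With this set the PIX answers no ARP requests on behalf of any static'd
! or nat-exempted address, so the upstream router must carry a route for
! those addresses pointing at the PIX, or the packets never arrive:
sysopt noproxyarp outside
! Corresponding route on the upstream IOS router (assumed 24.25.26.1 is
! the PIX outside address):
!   ip route 192.168.1.0 255.255.255.0 24.25.26.1
```

    Form A is the usual choice for VPN tunnels: the remote addresses are not on the outside broadcast domain, so a proxy-ARP reply for them would be useless.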

  3. B. Gray (Guest)

    nat 0 - disables nat on the pix interface (also known as no-nat command)

    "Michael Letchworth" <> wrote in message
    news:Whszd.3351$2_4.177@okepread06...
    > What is the difference when using NAT 0 with an access list and without. I
    > not sure what proxy arp would do as far which would have any advantages
    > we could take advantage of?
    >
     
    B. Gray, Jan 3, 2005
    #3
  4. In article <>,
    B. Gray <> top-posted:

    :"Michael Letchworth" <> wrote in message
    :news:Whszd.3351$2_4.177@okepread06...
    :> What is the difference when using NAT 0 with an access list and without. I
    :> not sure what proxy arp would do as far which would have any advantages
    :> we could take advantage of?


    :nat 0 - disables nat on the pix interface (also known as no-nat command)

    Okay, now WTF does it mean, -exactly-, to 'disable nat'?

    Which commands do you use if you want to just disable proxy arp?

    Which commands do you use if you want each IP to map to itself when
    outgoing connections are created, with Port Address Translation taking
    place (IP address doesn't change but the port number might)?

    Which commands do you use if you want each IP to map to itself when
    outgoing connections are created, with port numbers always being left
    strictly alone?

    Which commands do you use if you want the ports to be left alone and you
    want to be able to form new connections from lower security interfaces
    inward?

    Which commands do you use if you want the ports to be left alone and you
    do NOT want to be able to form new connections from lower security
    interfaces inward?

    Which commands do you use for VPN tunnel purpose? Why those ones? What
    happens if you use one of the other ones?

    Which commands do you use if you want the sequence numbers left alone?

    Which commands do you use if you want ports left alone, IPs left alone,
    but you still want sequence numbers to be protected?

    Which commands do you use if you want an IP address to respond to
    proxy arp selectively, only responding if the flow matches a particular
    ACL ?

    Which commands do you use if you want source MAC addresses to go out
    unchanged?


    The OP asked what the difference was between two commands, and
    you responded with information that really didn't say anything the OP
    could use, and your information was wrong in what it did say. :(
    --
    Pity the poor electron, floating around minding its own business for
    billions of years; and then suddenly Bam!! -- annihilated just so
    you could read this posting.
     
    Walter Roberson, Jan 3, 2005
    #4
  5. Tosh (Guest)

    > Which commands do you use if you want source MAC addresses to go out
    > unchanged?
    >

    Hi Walter,
    hope you don't mind if I took your post as a test and tried to answer
    your questions by myself; the only one I can't find an answer to is the one
    above, can you please tell me more?
    I can't even imagine a real scenario where this applies.
    Thanks a lot,
    Tosh.
     
    Tosh, Jan 6, 2005
    #5
  6. In article <>, Tosh <> wrote:
    :> Which commands do you use if you want source MAC addresses to go out
    :> unchanged?

    :Hi Walter,
    :hope you don't mind if a took your post as a test and tried to answer to
    :your questions by myself, the only one I can't find an answer to is the one
    :above, can you please tell me more?
    :I can't even imagine a real scenario where this applies.

    It can't be done with the PIX -- but it is within the realms of
    what someone might mean when they say that NAT has been "disabled".
    After all, if there is no address translation taking place, then
    the PIX could just [hypothetically] let the packets go through
    unchanged. Of course it doesn't work that way.
    --
    This is not the same .sig the second time you read it.
     
    Walter Roberson, Jan 6, 2005
    #6
  7. In article <>, Tosh <> wrote:
    :Hi Walter,
    :hope you don't mind if a took your post as a test and tried to answer to
    :your questions by myself, the only one I can't find an answer to is the one
    :above, can you please tell me more?

    I'd be interested in the answers you came up with for some of them, in
    particular:

    2) Which commands do you use if you want each IP to map to itself when
    outgoing connections are created, with Port Address Translation taking
    place (IP address doesn't change but the port number might)?

    The obvious first place to look would be "identity nat", but the
    PIX documentation doesn't clearly define what "identity" means.
    Did you find an answer that didn't involve creating a separate
    nat/global pair for each such address, netmask 255.255.255.255 on
    the nat, and specifying the same IP as an address range on the global?
    For example,

    nat (inside) 1049 24.25.26.49 255.255.255.255
    nat (inside) 1050 24.25.26.50 255.255.255.255
    nat (inside) 1051 24.25.26.51 255.255.255.255
    global (outside) 1049 24.25.26.49-24.25.26.49
    global (outside) 1050 24.25.26.50-24.25.26.50
    global (outside) 1051 24.25.26.51-24.25.26.51

    9) Which commands do you use if you want an IP address to respond to
    proxy arp selectively, only responding if the flow matches a particular
    ACL ?

    What did you come up with for that one?
    --
    Usenet is one of those "Good News/Bad News" comedy routines.
     
    Walter Roberson, Jan 6, 2005
    #7
  8. Tosh (Guest)

    > I'd be interested in the answers you came up with for some of them, in


    I'm not sure I came up with the right answers; I only had fun trying to solve
    your "enigmas", and none of these solutions has been tested in the real world by
    myself.
    Anyway, for question no. 2, in the hope of having understood your
    question well, I thought about the static command used as a sort of "identity
    PAT", something like this:

    static (inside,outside) tcp 24.25.26.49 80 24.25.26.49 81 netmask 255.255.255.255 0 0

    The answer for question no. 9 is again the static command, with the
    following syntax:

    static (inside,outside) 24.25.26.49 access-list XXX
    access-list XXX permit tcp any host 192.168.1.1 80

    Am I any closer?
    Bye,
    Tosh.
     
    Tosh, Jan 7, 2005
    #8
  9. In article <>, Tosh <> wrote:
    ;Anyway, for the question n.2, in the hope of having well understood your
    ;question, I thought about the static command used as a sort of "identity
    ;pat", something like that:

    :static (inside,outside) tcp 24.25.26.49 80 24.25.26.49 81 netmask 255.255.255.255 0 0

    I guess I didn't explain the question clearly -- I meant dynamic port
    translation, not static port translation. For example, if you have

    nat (inside) 1 192.168.1.0 255.255.255.0
    global (outside) 1 interface

    then the port numbers that go out are dynamically allocated (Port
    Address Translation), but the IP addresses are also translated.
    The question was about how you enable dynamic port translation
    but have the address stay the same. You might want that if you want
    the security that NAT provides (i.e., the remote end can only
    reply to ports that are already translated), but at the same time
    you want to be able to track to a particular machine [e.g., in case
    someone outside complained about abuse.]


    :The answer for the question n.9 is again the static command with the
    :following syntax:

    :static (inside,outside) 24.25.26.49 access-list XXX
    :access-list XXX permit tcp any host 192.168.1.1 80

    Hint: ARP packets do not have ports.
    --
    "Meme" is self-referential; memes exist if and only if the "meme" meme
    exists. "Meme" is thus logically a meta-meme; but until the existence
    of meta-memes is more widely recognized, "meta-meme" is not a meme.
    -- A Child's Garden Of Memes
     
    Walter Roberson, Jan 7, 2005
    #9
  10. Tosh (Guest)

    > the security that NAT provides (i.e., the remote end can only
    > reply to ports that are already translated), but at the same time
    > you want to be able to track to a particular machine [e.g., in case
    > someone outside complained about abuse.]
    >


    OK, now I've got it; I missed the sense of your question.

    >
    > Hint: ARP packets do not have ports.
    > --


    What a fool I was, arp always comes before any flow, so it's another
    nonsense question, right?
    Bye,
    Tosh.
     
    Tosh, Jan 8, 2005
    #10
  11. In article <>, Tosh <> wrote:
    :> Hint: ARP packets do not have ports.

    :What a fool I was, arp always comes before any flow, so it's another
    :nonsense question, right?

    Yeah ;-) But it sounded like something that someone might want
    "disable address translation" to mean.
    --
    IEA408I: GETMAIN cannot provide buffer for WATLIB.
     
    Walter Roberson, Jan 8, 2005
    #11