PIX Policy NAT: order of NAT commands

Discussion in 'Cisco' started by Oleg Tipisov, Aug 12, 2004.

  1. Oleg Tipisov

    Oleg Tipisov Guest

    Hi!

    Does anybody know in what order NAT commands (specifically _static
    policy NAT commands_) are evaluated?

    For example, suppose we have an IPSec VPN and want to translate all our
    local hosts' IP addresses from 192.168.1.x into 192.168.3.x for traffic
    going via the tunnel. We need this because the remote site also has a
    192.168.1.0 subnet. At the same time we want to allow connections from
    the Internet to the internal host 192.168.1.4. This means that the same
    host 192.168.1.4 should be accessible via the tunnel and from the Internet
    via two different addresses at the same time. The possible config is:

    ! Inside source translation for VPN traffic
    static (inside,outside) 192.168.3.0 access-list vpn-nat
    ! Inside source translation for Internet traffic
    static (inside,outside) 1.2.3.4 access-list server-nat

    ! We know remote overlapping subnet as 192.168.2.0
    ! They use static NAT too (192.168.1.x -> 192.168.2.x)
    access-list vpn-nat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

    access-list server-nat permit ip host 192.168.1.4 any

    Note, however, that Policy NAT doesn't allow you to configure deny ACL
    entries. So now we have two overlapping ACLs and statics for the same
    host 192.168.1.4!

    Surprisingly this config works!

    NAT from inside:192.168.1.4 to outside(vpn-nat):192.168.3.4 flags s
    NAT from inside:192.168.1.4 to outside(server-nat):1.2.3.4 flags s

    I can initiate connections via the VPN and then to the Internet, or vice
    versa; the result is always the same: it works.

    The question is: how can this be? In what order are static commands
    evaluated? How can the software compare two ACLs and decide which one
    to use?

    Also, could anybody translate the second part of the following excerpt
    from the PIX Command Reference from English into English:

    "Because you cannot use the same local address in static NAT or static
    PAT commands, the order of static commands does not matter. Similarly,
    for static policy NAT, you cannot use the same local/destination
    address and port across multiple statements."

    Regards,
    Oleg Tipisov,
    REDCENTER
     
    Oleg Tipisov, Aug 12, 2004
    #1

  2. Walter Roberson, Aug 12, 2004
    #2

  3. Oleg Tipisov

    Oleg Tipisov Guest

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<cfg29i$2fi$>...
    > In article <>,
    > Oleg Tipisov <> wrote:
    > :Does anybody know in what order NAT commands (specifically _static
    > :policy NAT commands_) are evaluated?
    >
    > It's documented explicitly.
    >


    No, it isn't.

    It is not documented what will happen in case of overlapped ACLs in
    policy-NAT commands.
     
    Oleg Tipisov, Aug 13, 2004
    #3
  5. In article <>,
    Oleg Tipisov <> wrote:
    |-cnrc.gc.ca (Walter Roberson) wrote in message news:<cfg29i$2fi$>...

    |> It's documented explicitly.


    |No, it isn't.

    |It is not documented what will happen in case of overlapped ACLs in
    |policy-NAT commands.

    4. nat nat_id access-list (policy NAT) - In order, until the first
    match. For example, you could have overlapping local/destination
    ports and addresses in multiple nat commands, but only the first
    command is matched.


    That looks explicit to me. The first policy ACL in the configuration
    gets evaluated, then the second policy ACL, and so on, with 'deny'
    [or falling off the end of the ACL] indicating "This particular
    policy does not apply and go on to the next one, or to regular NAT
    if there are no remaining policies."

    --
    How does Usenet function without a fixed point?
     
    Walter Roberson, Aug 13, 2004
    #5
