outside PAT

Discussion in 'Cisco' started by Christoph Gartmann, Apr 9, 2013.

  1. Hello,

    the following scenario:

    --- net1 --- PIX --- net2

    The Pix runs OS 7.2. Computers reside in net2 and communicate with the world
    via net1. In net3 are a few hosts. Security levels are from net1 (low) to net2
    (higher) to net3 (highest). Traffic from net2 to net1 will be neither NATed
    nor PATed. From net2 to net3 there should be PAT. The computers in net2 should
    be able to access two servers in net3.

    interface Ethernet0
    nameif net1
    security-level 0
    ip address
    interface Ethernet1
    nameif net2
    security-level 90
    ip address
    interface Ethernet5
    nameif net3
    security-level 95
    ip address
    access-list test extended permit icmp any any log
    access-list test extended permit ip any any
    access-list test-in extended permit icmp any any log
    access-list test-in extended permit ip any any

    global (net3) 1
    nat (net2) 1 outside
    static (net2,net1) netmask
    access-group test-in in interface net2
    access-group test out interface net3
    route net1 1
    route net3 1

    So far the connections between net1 and net2 are working. But what is required
    to allow net2 to reach host in net3 with PAT?

    Christoph Gartmann

    Max-Planck-Institut fuer Phone : +49-761-5108-464 Fax: -80464
    Immunbiologie und Epigenetik
    Postfach 1169 Internet: [email protected] dot mpg dot de
    D-79011 Freiburg, Germany
    Christoph Gartmann, Apr 9, 2013
    1. Advertisements

  2. Your security levels should follow nat. Usually you "nat" from high level to
    low level. From low to high you "static"ally open ports. So your security
    levels should be:

    nameif net1
    security-level 0

    nameif net2
    security-level 100

    nameif net3
    security-level 50

    global (net3) 1 interface ! or pat-ip
    nat (net2) 1
    static (net2,net1) netmask
    static (net2,net3) tcp interface 80 80 ! server1 port forward
    static (net2,net3) ! server2 (prevents PAT)

    Lutz Donnerhacke, Apr 9, 2013
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.