Restrictive NAT exemption configuration issue

Discussion in 'Cisco' started by archow, Jan 23, 2008.

  1. archow

    archow Guest

    I have a situation in which I am trying to disable translation between
    a source on the inside and a destination on the outside, but only over
    certain ports. The remaining ports between the same source and
    destination should be translated as defined in the nat/global rules.

    My first inclination was to use nat 0 list to bypass translation
    between specific source/destination IPs over specific ports.
    Unfortunately, the PIX did not feel the same way and yelled at me when
    I tried:
    ERROR: access-list has protocol or port
    I was forced to seek another solution.

    To better explain my situation, let's assume I have two interfaces:
    Inside: 192.168.1.0/24
    Outside: 192.168.2.0/24

    The inside subnet is translated with the following rules when
    accessing the outside:
    nat (inside) 1 192.168.1.0 255.255.255.0
    global (outside) 1 interface

    A host on the inside, 192.168.1.1, needs to access a host on the
    outside, 192.168.2.2, and for whatever reason the traffic going over
    tcp/23 from the inside host to the outside host should be exempt from
    NAT. The outside host, 192.168.2.2, should see the real address of
    the inside host when 192.168.1.1 accesses the outside host over
    tcp/23. For all other allowed traffic from 192.168.1.1 to 192.168.2.2,
    the inside host should be NAT'd to the outside interface.
    192.168.1.1 to 192.168.2.2 over tcp/23 (NAT-exempt)
    192.168.1.1 to 192.168.2.2 over tcp/80,tcp/443,etc. (NAT)

    Is it possible to accomplish the above situation on the PIX? Because
    the nat 0 list does not allow protocol or port specification, I have
    tried a variety of static translations to achieve the desired
    functionality, but have not come across a solution.

    Adam
     
    archow, Jan 23, 2008
    #1

  2. archow

    archow Guest

    I want to add that I was very confused when trying policy static with
    the following PIX commands:
    access-list test extended permit tcp host 192.168.1.1 host 192.168.2.2 eq https
    static (internal,external) 192.168.1.1 access-list test

    The policy static commands above create the following entry in the NAT
    policies (show nat):

    NAT policies on Interface inside:
    match tcp inside host 192.168.1.1 outside host 192.168.2.2 eq 443
    static translation to 192.168.1.1/0
    translate_hits = 0, untranslate_hits = 0
    match ip inside 192.168.1.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
    match ip inside 192.168.1.0 255.255.255.0 outside any
    dynamic translation to pool 1 (192.168.2.254 [Interface PAT])
    translate_hits = 3, untranslate_hits = 0

    When I access 192.168.2.2 over 443 from 192.168.1.1, the first rule is
    skipped and the dynamic match to the outside interface is used.
    Why is that static match skipped? And what is the /0 in
    192.168.1.1/0?

    Adam
     
    archow, Jan 23, 2008
    #2