Skip to main content

pix translation issue

More
17 years 6 months ago #21606 by semper
Replied by semper on topic Re: pix translation issue

hello,

suppose there is one host who is accessing two different servers in the network.


Is this host external to the network accessing servers on the internal network?

when host A access to host B all we have to do is make sure that it gets to talk to it one to one thus i configure this

static (inside,outside) tcp 60.10.135.72 3392 20.172.216.4 3392 netmask 255.255.255.255
static (inside,outside) tcp 60.10.135.72 3394 20.172.216.4 3394 netmask 255.255.255.255


These two statements mean:

60.10.135.72 is a host on the internal network.
20.172.216.4 is an IP mapped to your outside interface.

You want traffic going to 20.172.216.4 to destination ports TCP 3392 and 3394 to be routed to your internal host 60.10.135.72 via TCP ports 3392 and 3394.

access-list acl_out_in permit tcp host 20.172.216.4 host 60.10.135.72 eq 3392
access-list acl_out_in permit tcp host 20.172.216.4 host 60.10.135.72 eq 3394


This doesn't make sense to me. This statement means that you only want the host with the source address of 20.172.216.4 to be able to access 60.10.135.72 via TCP ports 3392 and 3394. Everything else will be denied coming into the network to those ports.

Based on your static 20.172.216.4 should be an address mapped on your PIX outside interface. So hosts on the outside shouldn't be able to access internal host unless you have outside hosts statically mapped to 20.172.216.4 coming into the network.

If that's the case, why would you do that? I can only really think of one scenario where I would do that.

In most cases if I only wanted a certain group of computer's to access a host on my internal network I would map the ports and limit the source addresses via the access-list, not with the static command.

and host A can connect to host B with success no problem at all.

Now, when host A try to connect to host C we not only have to nat/translate the source IP of this host but also the like host B scenario that it should be one to one with it, so i configure the following

static (outside,inside) 20.172.220.4 16.172.5.7 netmask 255.255.255.255
static (inside,outside) 60.10.136.72 16.172.23.1 netmask 255.255.255.255

access-list acl_out_in permit tcp host 60.10.136.72 host 20.172.220.4 eq 6003

host A connects to host C successful and no problem.

the issue i have here is that when i see the netstat of host B it shows that the host A (remote host ip address is) 20.172.220.4 whereas it should be it orginal source ip address.

so is there a way it can be done or is it the firewall itself that it's not possible and it would be causing any problem in connection, cuz currently on random times the connection drops automaticaly btw host A and host B, so i assume it is because of this issue.

any help would be great


This is a really round about way of doing things. Can you post a diagram of what you want, with the flow of traffic, and define your hosts A,B,C?

I think that will help us answer your question. There is a much simpler way of doing what you want, but at this point I'm to confused to be able to give a definite answer.
More
17 years 6 months ago #21647 by Smurf
Replied by Smurf on topic Re: pix translation issue
Just to go back to this in the original post;

static (outside,inside) 20.172.220.4 16.172.5.7 netmask 255.255.255.255
static (inside,outside) 60.10.136.72 16.172.23.1 netmask 255.255.255.255

the issue i have here is that when i see the netstat of host B it shows that the host A (remote host ip address is) 20.172.220.4 whereas it should be it orginal source ip address.


You have the used (outside,inside) & (outside,inside). This is whats causing the problem you have identified. Its known as Outside NAT (its all new to me and i don't fully understand whats going on myself yet). Basically, it specifies that the incoming traffic from the host specified should get translated to the inside address. Take a look at this document here

This isn't quite working in your case because the inside & outside addresses are the wrong way around therefore its maintaining the wrong address.
[code:1]static (outside,inside) 20.172.220.4 16.172.5.7 netmask 255.255.255.255 [/code:1]

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
More
17 years 6 months ago #21682 by lomaree
Replied by lomaree on topic Re: pix translation issue

hello,

suppose there is one host who is accessing two different servers in the network.


Is this host external to the network accessing servers on the internal network?

when host A access to host B all we have to do is make sure that it gets to talk to it one to one thus i configure this

static (inside,outside) tcp 60.10.135.72 3392 20.172.216.4 3392 netmask 255.255.255.255
static (inside,outside) tcp 60.10.135.72 3394 20.172.216.4 3394 netmask 255.255.255.255


These two statements mean:

60.10.135.72 is a host on the internal network.
20.172.216.4 is an IP mapped to your outside interface.

You want traffic going to 20.172.216.4 to destination ports TCP 3392 and 3394 to be routed to your internal host 60.10.135.72 via TCP ports 3392 and 3394.

access-list acl_out_in permit tcp host 20.172.216.4 host 60.10.135.72 eq 3392
access-list acl_out_in permit tcp host 20.172.216.4 host 60.10.135.72 eq 3394


This doesn't make sense to me. This statement means that you only want the host with the source address of 20.172.216.4 to be able to access 60.10.135.72 via TCP ports 3392 and 3394. Everything else will be denied coming into the network to those ports.

Based on your static 20.172.216.4 should be an address mapped on your PIX outside interface. So hosts on the outside shouldn't be able to access internal host unless you have outside hosts statically mapped to 20.172.216.4 coming into the network.

If that's the case, why would you do that? I can only really think of one scenario where I would do that.

In most cases if I only wanted a certain group of computer's to access a host on my internal network I would map the ports and limit the source addresses via the access-list, not with the static command.

and host A can connect to host B with success no problem at all.

Now, when host A try to connect to host C we not only have to nat/translate the source IP of this host but also the like host B scenario that it should be one to one with it, so i configure the following

static (outside,inside) 20.172.220.4 16.172.5.7 netmask 255.255.255.255
static (inside,outside) 60.10.136.72 16.172.23.1 netmask 255.255.255.255

access-list acl_out_in permit tcp host 60.10.136.72 host 20.172.220.4 eq 6003

host A connects to host C successful and no problem.

the issue i have here is that when i see the netstat of host B it shows that the host A (remote host ip address is) 20.172.220.4 whereas it should be it orginal source ip address.

so is there a way it can be done or is it the firewall itself that it's not possible and it would be causing any problem in connection, cuz currently on random times the connection drops automaticaly btw host A and host B, so i assume it is because of this issue.

any help would be great


This is a really round about way of doing things. Can you post a diagram of what you want, with the flow of traffic, and define your hosts A,B,C?

I think that will help us answer your question. There is a much simpler way of doing what you want, but at this point I'm to confused to be able to give a definite answer.


Actually, you got it wrong, it's like this

20.172.216.4 is mapped to outside interface as 60.10.135.72 like for the host A when wants to connect to host B, host A will try 60.10.135.72 as destination and when inside it will be able to talk directly to it.

You have the used (outside,inside) & (outside,inside). This is whats causing the problem you have identified. Its known as Outside NAT (its all new to me and i don't fully understand whats going on myself yet). Basically, it specifies that the incoming traffic from the host specified should get translated to the inside address. Take a look at this document here

This isn't quite working in your case because the inside & outside addresses are the wrong way around therefore its maintaining the wrong address.


smurf!

i have used (outside,inside) and (inside,outside) and not (outside,inside) and (outside,inside).

anyways, for (outside, inside) i am using to translate the source ip address 16.172.5.7 to 20.172.220.4 and then using (inside,outside) to publish 16.172.23.1 to 60.10.136.72, so for host A 16.172.23.1 will look like 60.10.136.72 just like host b scenario.

Hope you understand.
More
17 years 6 months ago #21684 by Smurf
Replied by Smurf on topic Re: pix translation issue
Sorry not understanding the original question now ? Can you please let me know what Host a/b/c IP addresses are. In the original post you said that the wrong IP Address was getting NAT'd so i just need to do a quick diagram to understand this. Like i said, the way you specify the interface in the static command is how you identify the postnat and prenat addresses so if its getting the wrong NAT'd address then thats where the problem is.

Your last post suggests to me that you are no longer having this issue ?

Cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
More
17 years 6 months ago #21686 by lomaree
Replied by lomaree on topic Re: pix translation issue
alright, let me explain one more time.

when host A connects on the published ip address 60.10.135.72 and connects to 20.172.216.4 it works as per the static entires

static (inside,outside) tcp 60.10.135.72 3392 20.172.216.4 3392 netmask 255.255.255.255
static (inside,outside) tcp 60.10.135.72 3394 20.172.216.4 3394 netmask 255.255.255.255


when host A (same host) connects on the publish ip address 60.10.136.72 and connects to 16.172.23.1. we have to change the source ip address which is 16.172.5.7 to 20.172.220.4 because 16.172.23.1 will not accept connection from other than 20.172.220.4, now as per static entries it also works


static (outside,inside) 20.172.220.4 16.172.5.7 netmask 255.255.255.255
static (inside,outside) 60.10.136.72 16.172.23.1 netmask 255.255.255.255


problem 1: on the netstat of host B it looks like that the traffic is coming from 20.172.220.4 instead of 16.172.5.7, where as it should be 16.172.5.7 only

i dont want host B to see traffic coming from natted ip 20.172.220.4, instead it should be from 16.172.5.7 whereas for host C it should look like 20.172.220.4.

hope it's clear enough.

Yes, in my post i said it worked using Policy NAT i.e.

access-list NATONE permit ip host 16.172.5.7 host 60.10.136.72
static (outside,inside) 20.172.220.4 access-list NATONE
More
17 years 6 months ago #21690 by Smurf
Replied by Smurf on topic Re: pix translation issue
Thanks very much for the post, i see now, the line
[code:1]static (outside,inside) 20.172.220.4 16.172.5.7 netmask 255.255.255.255 [/code:1]

was there by design due to the address needing to be seen as coming from 20.172.220.4, the problem was that you only wanted it to do this from the one address.

I thought the problem was that you didn't want the 20.172.220.4 to appear which is why i was saying that the static is the wrong way around. Doh :)

but your problem was that you only needed it for 1 host and not all of them.

Appologies for not understanding :wink:

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Time to create page: 0.187 seconds