Friday, December 02, 2005

PIX: nat or static

Basically, nat is for dynamic mapping and static for static mapping.

Normally, nat is from high security (inside) to low security (outside). No xlate is created until the traffic is initiated from inside, and you can only accept inbound traffic after the xlate has been created.

And static is from low to high. The xlate is created statically. But in addition to using the static command, you must also use an access-list command to allow outside traffic to access inside hosts or servers. On the other side, nat does not need an access-list because the traffic is initiated from inside.

nat 0 (Identity NAT) and nat 0 access-list (NAT Exemption)
With identity NAT, you can accept the inbound traffic only when the traffic is initiated from the inside and after the xlate is created. NAT exemption allows traffic whenever it matches the referenced ACL, regardless of whether or not there is already an xlate.
While NAT exemption lets you exempt traffic that is matched by the access-list command statement from NAT services, Adaptive Security remains in effect. The extent to which the inside hosts are accessible from the outside depends on the access-list command statements that permit inbound access; NAT exemption allows both inbound and outbound traffic no matter which side initiates, as long as it is permitted by the referenced ACL.

Note:
1. nat (inside) 0 192.168.1.0 and static (inside,outside) 192.168.1.0 192.168.1.0
Both are identity NAT. Using static will allow connections initiated from outside (of course, the access-list should allow it) and from inside. But nat will only allow connections initiated from inside.
2. Only nat 0 access-list (NAT Exemption) allows connections initiated from both sides. So it can replace static policy NAT.
Such as for VPN,
access-list test1 permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
nat 0 access-list test1
or
static (inside, outside) 192.168.10.0 access-list test1

Understand PIX new feature - Outside NAT

Outside dynamic NAT uses the nat command, and the static command is used for outside static mapping.

Outside NAT simply replaces the outside source address with an inside-side source address. You can do many to a small pool (nat), many to one (PAT), or one-to-one (using the static command).

If you enable outside dynamic NAT on an interface, then you must configure an explicit NAT policy for all hosts on the interface that need to initiate connections to inside networks. If you want to translate some hosts but not others, then use identity NAT or NAT exemption (nat 0 or nat 0 access-list) to disable address translation for these additional hosts. This is the most often forgotten thing.... With inside NAT it rarely matters, because the inside usually has only one or a few subnets and all of them do NAT. But the outside is the INTERNET, which includes a lot of networks..
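A small model of the connection rules described above, added here as an illustration; it is not PIX or Cisco code. `PixModel`, its hosts, networks and ACLs are all constructed, and the real PIX tracks xlates per connection, applies interface security levels, nat-control and much more. It covers the four cases from the notes (nat, static, identity nat, nat 0 access-list) plus the outside-NAT case where an outside host has no explicit policy and is dropped.

```python
# Added illustration, not PIX code: a simplified model of when a new connection
# is forwarded under nat, static, nat 0 and nat 0 access-list, and of the
# outside-NAT rule that every initiating outside host needs an explicit policy.
from ipaddress import ip_address, ip_network


def in_any(host, nets):
    return any(ip_address(host) in ip_network(n) for n in nets)


def acl_permits(acl, src, dst):
    """acl: list of (src_net, dst_net) permit entries, implicit deny at the end."""
    return any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
               for s, d in acl)


class PixModel:
    def __init__(self, dynamic_nat=(), statics=(), identity_nat=(),
                 exemption_acl=(), inbound_acl=(),
                 outside_nat=False, outside_policy=()):
        self.dynamic_nat = list(dynamic_nat)        # nat (inside) 1 <net> + global (outside) 1
        self.statics = list(statics)                # static (inside,outside) <net> <net>
        self.identity_nat = list(identity_nat)      # nat (inside) 0 <net>
        self.exemption_acl = list(exemption_acl)    # nat (inside) 0 access-list <acl>
        self.inbound_acl = list(inbound_acl)        # access-list applied inbound on outside
        self.outside_nat = outside_nat              # outside dynamic NAT enabled?
        self.outside_policy = list(outside_policy)  # outside nets with an explicit NAT policy
        self.xlates = set()                         # inside hosts with a live dynamic xlate

    def outbound(self, inside_host, outside_host):
        """Inside host initiates. True if the model forwards it."""
        if acl_permits(self.exemption_acl, inside_host, outside_host):
            return True                   # NAT exemption: no xlate needed
        if in_any(inside_host, self.statics):
            return True                   # static xlate already exists
        if in_any(inside_host, self.dynamic_nat + self.identity_nat):
            self.xlates.add(inside_host)  # dynamic xlate created now
            return True
        return False                      # no NAT policy for this host

    def inbound(self, outside_host, inside_host):
        """Outside host initiates. True if the model forwards it."""
        if self.outside_nat and not in_any(outside_host, self.outside_policy):
            return False  # outside NAT on, but no explicit policy for this source
        if not acl_permits(self.inbound_acl, outside_host, inside_host):
            return False  # Adaptive Security: the inbound ACL must permit it
        if acl_permits(self.exemption_acl, inside_host, outside_host):
            return True   # exemption: either side may initiate
        if in_any(inside_host, self.statics):
            return True   # static: xlate exists regardless of direction
        return inside_host in self.xlates  # nat / nat 0: inside must have gone first


def demo():
    """Constructed scenarios mirroring the notes; returns a dict of outcomes."""
    permit_in = [("0.0.0.0/0", "192.168.1.0/24")]   # inbound ACL on outside
    r = {}
    # nat (inside) 1 192.168.1.0: inbound fails until inside creates the xlate
    p = PixModel(dynamic_nat=["192.168.1.0/24"], inbound_acl=permit_in)
    r["nat_inbound_before_xlate"] = p.inbound("203.0.113.5", "192.168.1.10")
    p.outbound("192.168.1.10", "203.0.113.5")
    r["nat_inbound_after_xlate"] = p.inbound("203.0.113.5", "192.168.1.10")
    # static (inside,outside) 192.168.1.0 192.168.1.0: works only with the ACL
    s = PixModel(statics=["192.168.1.0/24"])
    r["static_inbound_no_acl"] = s.inbound("203.0.113.5", "192.168.1.10")
    s.inbound_acl = permit_in
    r["static_inbound_with_acl"] = s.inbound("203.0.113.5", "192.168.1.10")
    # nat (inside) 0 192.168.1.0: identity nat, outside cannot go first
    i = PixModel(identity_nat=["192.168.1.0/24"], inbound_acl=permit_in)
    r["identity_inbound_first"] = i.inbound("203.0.113.5", "192.168.1.10")
    # nat (inside) 0 access-list test1 (constructed VPN ACL): either side first
    test1 = [("192.168.10.0/24", "192.168.20.0/24")]
    e = PixModel(exemption_acl=test1,
                 inbound_acl=[("192.168.20.0/24", "192.168.10.0/24")])
    r["exempt_inbound_first"] = e.inbound("192.168.20.7", "192.168.10.7")
    # outside dynamic NAT on, policy only for 198.51.100.0/24: others are dropped
    o = PixModel(statics=["192.168.1.0/24"], inbound_acl=permit_in,
                 outside_nat=True, outside_policy=["198.51.100.0/24"])
    r["outside_nat_covered"] = o.inbound("198.51.100.9", "192.168.1.10")
    r["outside_nat_forgotten"] = o.inbound("203.0.113.5", "192.168.1.10")
    return r


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28s} {'forwarded' if allowed else 'dropped'}")
```

The last two lines of `demo()` are the point of the outside-NAT paragraph: the host covered by an explicit policy gets in, the one that was forgotten is dropped even though the static and the inbound ACL would otherwise allow it.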

To enable DNS doctoring in this environment (web server TWeb and the client PC are inside, the DNS server is outside), when the inside client wants to access the web server we can configure

static (outside,inside) TWeb 67.19.10.1 dns netmask 255.255.255.255 0 0
so the DNS reply will be rewritten to the inside IP instead of the Internet IP.

Notes: this translation happens on the inside interface. Remember that when proxy ARP is enabled on the inside interface, the PIX will proxy-ARP for TWeb (as it does for global, static and nat 0 settings; refer to the article "PIX proxy arp caused weird problem" of Dec 2, 2005) when the inside PC tries to access TWeb, so the inside PC's ARP result will be wrong and the connection will fail. So remember to disable proxy ARP on the inside interface!!!

PIX proxy arp caused weird problem

The inside interface has 3 servers; sometimes one server cannot ping another server.

That's because the PIX answers the ARP request, which leaves the wrong MAC cached for the IP. http://support.microsoft.com/?kbid=888816

sysopt noproxyarp

ARP (Address Resolution Protocol) is a layer two protocol that resolves an IP address to a physical address, also called a Media Access Controller (MAC) address. A host sends an ARP request asking "Who is this IP?" The device owning the IP should reply with "Hey, I am the one, here's my MAC address."

Proxy ARP refers to a gateway device, in this case, the firewall, "impersonating" an IP address and returning its own MAC address to answer an ARP request for another device.

The sysopt noproxyarp command is used to disable Proxy ARPs on an interface from the command-line interface. By default, the PIX Firewall responds to ARP requests directed at the PIX Firewall's interface IP addresses as well as to ARP requests for any static or global address defined on the PIX Firewall interface (which are proxy ARP requests).

The sysopt noproxyarp if_name command lets you disable proxy ARP request responses on a PIX Firewall interface. However, this command does not disable (non-proxy) ARP requests on the PIX Firewall interface itself. Consequently, if you use the sysopt noproxyarp if_name command, the PIX Firewall no longer responds to ARP requests for the addresses in the static, global, and nat 0 commands for that interface but does respond to ARP requests for its interface IP addresses.

To disable Proxy ARPs on the inside interface:
sysopt noproxyarp inside

To enable Proxy ARPs on the inside interface:
no sysopt noproxyarp inside
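The symptom above (an inside IP answered by both the real server and the PIX) shows up in a capture as two ARP replies for the same IP with different MACs. The check below is an added example, not from the post or from Cisco: it parses constructed tcpdump-style ARP lines and reports any IP claimed by more than one MAC, flagging whether a known firewall MAC (an assumed value you supply) was among the responders. Confirming that with a capture on the inside segment before and after `sysopt noproxyarp inside` is the quickest way to verify the fix.

```python
# Added example, not from the post: find IPs answered by more than one MAC in
# ARP reply records, the signature of proxy ARP colliding with a real host.
import re
from collections import defaultdict

# tcpdump -n style ARP lines; constructed for this example
CONSTRUCTED_CAPTURE = """\
12:00:01.000 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
12:00:01.001 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:55, length 28
12:00:01.002 ARP, Reply 192.168.1.20 is-at 00:50:54:aa:bb:cc, length 28
12:00:05.000 ARP, Request who-has 192.168.1.30 tell 192.168.1.10, length 28
12:00:05.001 ARP, Reply 192.168.1.30 is-at 00:11:22:33:44:66, length 28
"""

ARP_REPLY = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17})")


def parse_replies(text):
    """Map each replied-for IP to the set of MACs that claimed it."""
    claims = defaultdict(set)
    for line in text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            claims[m.group(1)].add(m.group(2).lower())
    return claims


def conflicting_ips(text, firewall_macs=()):
    """IPs answered by more than one MAC, and whether a firewall MAC was one of them.

    firewall_macs: assumed list of the PIX interface MACs (constructed in the demo).
    """
    fw = {m.lower() for m in firewall_macs}
    conflicts = {}
    for ip, macs in parse_replies(text).items():
        if len(macs) > 1:
            conflicts[ip] = {"macs": sorted(macs),
                             "firewall_answered": bool(macs & fw)}
    return conflicts


if __name__ == "__main__":
    # 00:50:54:aa:bb:cc is the assumed PIX inside-interface MAC in this example
    for ip, info in conflicting_ips(CONSTRUCTED_CAPTURE, ["00:50:54:aa:bb:cc"]).items():
        who = "firewall proxy ARP suspected" if info["firewall_answered"] else "unknown duplicate"
        print(f"{ip}: answered by {', '.join(info['macs'])} ({who})")
```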