Re: [fw-wiz] NAT order help



On 11/9/07, kevin horvath <kevin.horvath@xxxxxxxxx> wrote:
first, AFAIK they are not in conflict since the translate-from
address is different (10.0.0.0 != 1.1.1.2), so the order is irrelevant (?)

they are. the access list for static pat stipulates the 10 net just
as the static nat. Static nat wins over static pat.

well, actually, according to the cisco jargon at
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1202525

these are BOTH "static nat" - the 2nd one is regular old
static nat and the 1st, with the access-list, is called "policy nat".
to qualify for the term "static pat" you would need the extra "tcp" or "udp"
keyword just after the (inside,outside).



second, I think they are processed in order

You are thinking as if its an access list (permit or deny) but it
works more like routing where the more specific statement wins if they
are the same type of translation. Since they aren't and one is static
nat then it has more precedence.

[snip - they are both the same type so I think the nat precedence
rules you listed
are not too relevant]

I still say the statements seem non-conflicting, because the "mapped_ip"
[the IP address right after the (inside,outside)] is different. Reading
the Cisco docs, my understanding is that if a packet comes into the PIX
with a ip.destination of "mapped_ip" (or in the "mapped_ip" subnet)
then the pix translates that ip.destination
to what the "static" command tells it to - namely the "real_ip" in
regular static nat.

in sivakumar's example. the mapped_ip is 1.1.1.2 in the 1st static,
and 10.0.0.0 in the 2nd, so there is no conflict. Am I wrong?

However, I am confused about one thing in the policy nat. here is the exaple:

access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1
static(inside,ouside) 1.1.1.2 access-list rule1 0 0

instead of just a real_ip subnet (as in the regular static),
the access-list in fact
has a subnet in the source field (10.0.0.0/8) and ANOTHER subnet in the
destination field (1.1.1.1/32)... so when a packet comes into the PIX
with ip.dest=1.1.1.2, how is it translated? using the source (10.0.0.0) or
the destination (1.1.1.1) in the ACL?

moreover, let's assume that the translate-to ip is the ACL's destination
(1.1.1.1 in this example) - what does the OTHER (source)
field do?

Can any PIX mavens out there shed some light?

PIXes are so weird.

Avishai


On 11/6/07, sivakumar <siva_itech@xxxxxxxxx> wrote:

Hi,

access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1

static(inside,ouside) 1.1.1.2 access-list rule1 0 0
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

Please tell me which statement will take precedence - policy NAT ot Static
NAT..

--
View this message in context: http://www.nabble.com/NAT-order-help-tf4737610.html#a13548213
Sent from the Firewall Wizards mailing list archive at Nabble.com.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



--
Avishai Wool, Ph.D., Co-founder and Chief Technical Officer
http://www.algosec.com
******* Firewall Management Made Smarter ******
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



--
Avishai Wool, Ph.D., Co-founder and Chief Technical Officer
http://www.algosec.com
******* Firewall Management Made Smarter ******
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



Relevant Pages

  • Re: iptables: fake ip using DNAT and SNAT
    ... :I.e, the application receieves the real source address, so the ... the "ip rule add nat" command reports to be deprecated. ... what bothers me is why packets arriving via ... You can force the translation on machine A by routing packets out the ...
    (comp.os.linux.networking)
  • Re: NAT on a 1750 with 12.3(26)
    ... is open on the translation or not) the mapping stops working. ... if I issue a "no ip nat ins..." ... causes duplicate entries in the running config and the "sh ip nat ...
    (comp.dcom.sys.cisco)
  • Re: duplicate xlate
    ... >translation from time to time, can anyone explain why, thanks. ... in the section "Order of NAT Commands Used to Match Local Addresses" ... access-list AlmostIdentity permit ip 192.168.0.0 255.255.0.0 any ... This requires PIX 6.3 though. ...
    (comp.security.firewalls)
  • Re: Linux v Dedicated NAT routers - secure remote differences
    ... > NAT After IPSec ... > one-to-one address translation occurs it will ... I don't think this is the case - it was reported to me that my packets had ... This scenario is possible because ESP does not use the IP ...
    (comp.security.firewalls)
  • Re: [fw-wiz] NAT order help
    ... Static nat wins over static pat. ... The oder of operation for pix (which should be the same for the ASA ... The firewall matches local traffic to NAT commands in the following order: ...
    (Firewall-Wizards)