Firewall Wizards mailing list archives
Re: Extreme Problem with PIX Config
From: John Dorsey <dorsey () colquitt org>
Date: Fri, 13 May 2005 10:13:39 -0500
Brian,
I've been fighting this problem for two weeks now. What follows is the current config (edited to protect the innocent). If format is maintained, the trouble lines will be bolded. These trouble lines are: access-list nonat permit ip any any; nat (inside) 0 access-list nonat; access-group nonat in interface dmz.
[lots of deletia]

Here's a couple of ideas and recommendations that may help.

First, I don't recommend using the same acl for the "access-group" and "nat (interface) 0 ..." purposes; keep those acl's separate and things are cleaner.

Second, I recommend applying an acl to every interface with "access-group". That way no access is implied by security levels; everything's explicit. Your mileage and tastes may vary.

Third, if you need non-natted access between some pair of interfaces (say, inside and DMZ), then write a nonat acl for the interface with the higher security level, permitting all ip from the higher-security level subnet (source) to the lower-security level subnet (destination). Note that it doesn't matter whether the packets and connections are sourced from the higher or lower interface... for nat purposes the higher security interface is written as source by convention.

So try something like this: (untested) (pardon the long line)

  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 DMZ security4
  ip address outside ip.pub.nt.126 255.255.255.224
  ip address inside 10.100.0.3 255.255.254.0
  ip address DMZ 192.168.1.1 255.255.255.0
  access-list acl_inbound <whatever>
  access-list acl_dmz <whatever>
  access-list acl_inside <whatever>
  access-group acl_inbound in interface outside
  access-group acl_dmz in interface DMZ
  access-group acl_inside in interface inside
  access-list acl_nonat_inside permit ip 10.100.0.0 255.255.254.0 192.168.1.0 255.255.255.0
  nat (inside) 0 access-list acl_nonat_inside

Traffic that matches acl_nonat_inside (i.e. traffic between inside and DMZ) will go un-natted; all other traffic (including Internet traffic) will be natted.

Cheers,
John
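As an added illustration that is not part of the thread, a small Python linter that reads a PIX-style config text and flags the three things John's reply asks for: an acl reused by both access-group and nat 0, an interface with no access-group, and a nat 0 acl whose source is not the nat interface's own subnet or whose destination is not a lower-security interface. The two sample configs and their addresses are constructed placeholders, and the parser only understands the command forms that appear in the thread.

```python
from ipaddress import ip_interface, ip_network

# Constructed samples (placeholder addresses): the posted config's shape, then John's suggested shape.
BAD_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
ip address inside 10.100.0.3 255.255.254.0
ip address dmz 192.168.1.1 255.255.255.0
access-list nonat permit ip any any
access-group acl_inbound in interface outside
access-group nonat in interface dmz
nat (inside) 0 access-list nonat
"""
GOOD_CONFIG = BAD_CONFIG.split("access-list")[0] + """\
access-list acl_nonat_inside permit ip 10.100.0.0 255.255.254.0 192.168.1.0 255.255.255.0
access-group acl_inbound in interface outside
access-group acl_dmz in interface dmz
access-group acl_inside in interface inside
nat (inside) 0 access-list acl_nonat_inside
"""

def lint_pix(config):
    """Return findings for departures from the three practices John recommends."""
    secs, nets, acls, groups, nat0 = {}, {}, {}, {}, {}
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "nameif":                      # nameif <hw> <name> security<N>
            secs[t[2]] = int(t[3][len("security"):])
        elif t[:2] == ["ip", "address"]:          # ip address <name> <ip> <mask>
            nets[t[2]] = ip_interface(f"{t[3]}/{t[4]}").network
        elif t[0] == "access-list":               # access-list <name> permit ip <src> <mask> <dst> <mask>
            acls.setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group":              # access-group <acl> in interface <name>
            groups[t[4]] = t[1]
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:  # nat (<name>) 0 access-list <acl>
            nat0[t[1].strip("()")] = t[4]
    out = []
    for acl in sorted(set(groups.values()) & set(nat0.values())):      # first point
        out.append(f"acl {acl} serves both access-group and nat 0; keep them separate")
    for name in sorted(secs):                                           # second point
        if name not in groups:
            out.append(f"interface {name} has no access-group; access is implied by security level")
    for iface, acl in nat0.items():                                     # third point
        for e in (x for x in acls.get(acl, []) if x[:2] == ["permit", "ip"]):
            if e[2] == "any" or ip_network(f"{e[2]}/{e[3]}") != nets.get(iface):
                out.append(f"nat 0 acl {acl} on {iface}: source should be {iface}'s own subnet, not {e[2]}")
            elif e[4] != "any" and any(n == ip_network(f"{e[4]}/{e[5]}") and secs.get(o, 0) >= secs.get(iface, 0)
                                       for o, n in nets.items()):
                out.append(f"nat 0 acl {acl} on {iface}: destination is not a lower-security interface's subnet")
    return out
```

Running it on the two samples gives three findings for the posted shape and none for the suggested one.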