Firewall Wizards mailing list archives

Re: Extreme Problem with PIX Config


From: John Dorsey <dorsey () colquitt org>
Date: Fri, 13 May 2005 10:13:39 -0500

Brian,

> I've been fighting this problem for two weeks now. What follows is the
> current config (edited to protect the innocent). If format is maintained,
> the trouble lines will be bolded. These trouble lines are: access-list nonat
> permit ip any any; nat (inside) 0 access-list nonat; access-group nonat in
> interface dmz.
[lots of deletia]

        Here's a couple of ideas and recommendations that may help.
First, I don't recommend using the same acl for the "access-group" and
"nat (interface) 0 ..." purposes; keep those acl's separate and things
are cleaner.

        Second, I recommend applying an acl to every interface with
"access-group".  That way no access is implied by security levels;
everything's explicit.  Your mileage and tastes may vary.

        Third, if you need non-natted access between some pair of
interfaces (say, inside and DMZ), then write a nonat acl for the
interface with the higher security level, permitting all ip from the
higher-security level subnet (source) to the lower-security level subnet
(destination).  Note that it doesn't matter whether the packets and
connections are sourced from the higher or lower interface... for nat
purposes the higher security interface is written as source by
convention.

        So try something like this: (untested)  (pardon the long line)

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
ip address outside ip.pub.nt.126 255.255.255.224
ip address inside 10.100.0.3 255.255.254.0
ip address DMZ 192.168.1.1 255.255.255.0
access-list acl_inbound <whatever>
access-list acl_dmz <whatever>
access-list acl_inside <whatever>
access-group acl_inbound in interface outside
access-group acl_dmz in interface DMZ
access-group acl_inside in interface inside
access-list acl_nonat_inside permit ip 10.100.0.0 255.255.254.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list acl_nonat_inside

        Traffic that matches acl_nonat_inside (i.e. traffic between
inside and DMZ) will go un-natted; all other traffic (including Internet
traffic) will be natted.

Cheers,
John

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
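The three recommendations above (separate ACLs for "nat 0" and "access-group", an explicit "access-group" on every interface, and a nonat ACL on the higher-security interface that names that interface's own subnet rather than "any") can be checked mechanically against a PIX 6.x config dump. The following Python lint is an added example written for this archive page; it is not from the thread, not a Cisco tool, and the two embedded configs are constructed here from the lines quoted in the thread (the public outside address is a made-up 203.0.113.x placeholder). It parses only the handful of statement types the thread discusses and ignores everything else.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed from the trouble lines Brian reported: one ACL shared by nat 0 and
# access-group, "permit ip any any" as the nonat ACL, and two interfaces with no ACL.
BAD_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
ip address outside 203.0.113.126 255.255.255.224
ip address inside 10.100.0.3 255.255.254.0
ip address dmz 192.168.1.1 255.255.255.0
access-list nonat permit ip any any
nat (inside) 0 access-list nonat
access-group nonat in interface dmz
"""

# Constructed from John's suggested layout (the <whatever> ACL bodies filled with sample entries).
GOOD_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
ip address outside 203.0.113.126 255.255.255.224
ip address inside 10.100.0.3 255.255.254.0
ip address DMZ 192.168.1.1 255.255.255.0
access-list acl_inbound deny ip any any
access-list acl_dmz permit tcp 192.168.1.0 255.255.255.0 any eq 25
access-list acl_inside permit ip 10.100.0.0 255.255.254.0 any
access-group acl_inbound in interface outside
access-group acl_dmz in interface DMZ
access-group acl_inside in interface inside
access-list acl_nonat_inside permit ip 10.100.0.0 255.255.254.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list acl_nonat_inside
"""

NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
IPADDR_RE = re.compile(r"^ip\s+address\s+(\S+)\s+(\S+)\s+(\S+)$")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
ACCESS_GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)$")


def _network(addr, mask):
    """Subnet for an 'ip address' line, or None when the address is not numeric (e.g. redacted)."""
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:
        return None


def _acl_net(fields, i):
    """Parse one PIX address spec at fields[i] (any | host A | A MASK); return (network, next index)."""
    if fields[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if fields[i] == "host":
        return ipaddress.ip_network(fields[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{fields[i]}/{fields[i + 1]}", strict=False), i + 2


def parse_pix(text):
    """Collect interfaces (name -> security level, name -> subnet), ACL entries, access-groups and nat 0 bindings."""
    cfg = {"security": {}, "subnet": {}, "acls": defaultdict(list), "access_group": {}, "nat0": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAMEIF_RE.match(line):
            cfg["security"][m.group(1).lower()] = int(m.group(2))  # PIX interface names are case-insensitive
        elif m := IPADDR_RE.match(line):
            cfg["subnet"][m.group(1).lower()] = _network(m.group(2), m.group(3))
        elif m := ACL_RE.match(line):
            cfg["acls"][m.group(1)].append((m.group(2), m.group(3), m.group(4).split()))
        elif m := ACCESS_GROUP_RE.match(line):
            cfg["access_group"][m.group(2).lower()] = m.group(1)
        elif m := NAT0_RE.match(line):
            cfg["nat0"][m.group(1).lower()] = m.group(2)
    return cfg


def _iface_for(cfg, net):
    """Name of the interface whose subnet contains net, or None."""
    for name, subnet in cfg["subnet"].items():
        if subnet is not None and net.subnet_of(subnet):
            return name
    return None


def lint_pix(text):
    """Return a list of finding strings; an empty list means all three recommendations are met."""
    cfg = parse_pix(text)
    findings = []
    # 1. One ACL must not serve both as NAT exemption list and as interface filter.
    for acl in sorted(set(cfg["nat0"].values()) & set(cfg["access_group"].values())):
        findings.append(f"shared-acl: {acl} is bound by both 'nat 0' and 'access-group'")
    # 2. Every named interface gets an explicit access-group; otherwise security levels imply access.
    for iface in cfg["security"]:
        if iface not in cfg["access_group"]:
            findings.append(f"no-acl: interface {iface} has no access-group, access is implied by its security level")
    # 3. nonat ACL: source = this interface's subnet, destination = a lower-security subnet, never 'any'.
    for iface, acl in cfg["nat0"].items():
        for action, _proto, fields in cfg["acls"].get(acl, []):
            if action != "permit":
                continue
            src, j = _acl_net(fields, 0)
            dst, _ = _acl_net(fields, j)
            if src.prefixlen == 0 or dst.prefixlen == 0:
                findings.append(f"nat0-any: {acl} on {iface} exempts 'any' from NAT, Internet traffic included")
                continue
            own = cfg["subnet"].get(iface)
            if own is not None and not src.subnet_of(own):
                findings.append(f"nat0-src: {acl} source {src} is not the {iface} subnet {own}")
            peer = _iface_for(cfg, dst)
            if peer is not None and cfg["security"][peer] >= cfg["security"][iface]:
                findings.append(f"nat0-direction: {acl} should be written on the higher-security side, not {iface}")
    return findings


if __name__ == "__main__":
    for label, text in (("BAD", BAD_CONFIG), ("GOOD", GOOD_CONFIG)):
        print(label, lint_pix(text) or ["clean"])
```

Running it on a real "write terminal" dump works the same way; lines the parser does not recognise (static, conduit, global, routes) are simply skipped, and an interface whose address was redacted to something non-numeric, as in the thread, only loses the source-subnet check.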

