Re: NAT order help

["Avishai Wool" <yash () acm org>]

On 11/9/07, kevin horvath <kevin.horvath () gmail com> wrote:
> > first, AFAIK they are not in conflict since the translate-from
> > address is different (10.0.0.0 != 1.1.1.2), so the order is irrelevant (?)
>
> they are.  the access list for static pat stipulates the 10 net just
> as the  static nat.  Static nat wins over static pat.

well, actually, according to the cisco jargon at
 http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1202525

these are BOTH "static nat" - the 2nd one is regular old
static nat and the 1st, with the access-list, is called "policy nat".
to qualify for the term "static pat" you would need the extra "tcp" or "udp"
keyword just after the (inside,outside).

> > second, I think they are processed in order
>
> You are thinking as if its an access list (permit or deny) but it
> works more like routing where the more specific statement wins if they
> are the same type of translation.  Since they aren't and one is static
> nat then it has more precedence.

[snip - they are both the same type so I think the nat precedence
rules you listed
are not too relevant]

I still say the statements seem non-conflicting, because the "mapped_ip"
[the IP address right after the (inside,outside)] is different. Reading
the Cisco docs, my understanding is that if a packet comes into the PIX
with a ip.destination of "mapped_ip" (or in the "mapped_ip" subnet)
then the pix translates that ip.destination
to what the "static" command tells it to - namely the "real_ip" in
regular static nat.

in sivakumar's example. the mapped_ip is 1.1.1.2 in the 1st static,
and 10.0.0.0 in the 2nd, so there is no conflict. Am I wrong?

However, I am confused about one thing in the policy nat. here is the exaple:

  access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1
  static(inside,ouside) 1.1.1.2 access-list rule1 0 0

instead of just a real_ip subnet (as in the regular static),
the access-list in fact
has a subnet in the source field (10.0.0.0/8) and ANOTHER subnet in the
destination field (1.1.1.1/32)... so when a packet comes into the PIX
with ip.dest=1.1.1.2, how is it translated? using the source (10.0.0.0) or
the destination (1.1.1.1) in the ACL?

moreover, let's assume that the translate-to ip is the ACL's destination
(1.1.1.1 in this example) - what does the OTHER (source)
field do?

Can any PIX mavens out there shed some light?

PIXes are so weird.

Avishai
> > On 11/6/07, sivakumar <siva_itech () yahoo com> wrote:
> > > Hi,
> > >
> > > access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1
> > >
> > > static(inside,ouside) 1.1.1.2 access-list rule1 0 0
> > > static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
> > >
> > > Please tell me which statement will take precedence - policy NAT ot Static
> > > NAT..
> > >
> > > --
> > > View this message in context: http://www.nabble.com/NAT-order-help-tf4737610.html#a13548213
> > > Sent from the Firewall Wizards mailing list archive at Nabble.com.
> > >
> > > _______________________________________________
> > > firewall-wizards mailing list
> > > firewall-wizards () listserv icsalabs com
> > > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> >
> >
> > --
> > Avishai Wool, Ph.D.,  Co-founder and Chief Technical Officer
> >                http://www.algosec.com
> > ******* Firewall Management Made Smarter ******
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () listserv icsalabs com
> > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


-- 
Avishai Wool, Ph.D.,  Co-founder and Chief Technical Officer
               http://www.algosec.com
******* Firewall Management Made Smarter ******
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards