multiple global pools PIX 525

Post by rpomerlea » Wed, 19 Jan 2005 04:24:44

Hoping someone can double check my config here.

I have multiple internal IPs and 2 external Class C's. I need to have
all but one internal range use one Class C while the one uses another.
Here's what I am thinking will work:

access-list natalltherest_inside deny ip 10.13.0.0 255.255.0.0 any
access-list natalltherest_inside permit ip any any
access-list nat13_inside permit ip 10.13.0.0 255.255.0.0 any
access-list nat13_inside deny ip any any

global (outside) 1 xx.xx.x3.11-xx.xx.x3.253 netmask 255.255.255.0
global (outside) 1 xx.xx.x3.254 netmask 255.255.255.0
global (outside) 2 xx.xx.x2.11-xx.xx.x2.253 netmask 255.255.255.0
global (outside) 2 xx.xx.x2.254 netmask 255.255.255.0
nat (inside) 1 access-list natalltherest_inside
nat (inside) 2 access-list nat13_inside

If I am making life difficult for myself and there is an easier way, please
let me know, as I am always willing to learn.

Thanks in advance.

Post by Walter Robers » Wed, 19 Jan 2005 08:44:27

:I have multiple internal ip's and 2 external Class C's. I need to have
:all but one internal range use one Class C while the one uses another.
:Here's what I am thinking will work

:access-list natalltherest_inside deny ip 10.13.0.0 255.255.0.0 any
:access-list natalltherest_inside permit ip any any
:access-list nat13_inside permit ip 10.13.0.0 255.255.0.0 any
:access-list nat13_inside deny ip any any

:global (outside) 1 xx.xx.x3.11-xx.xx.x3.253 netmask 255.255.255.0
:global (outside) 1 xx.xx.x3.254 netmask 255.255.255.0
:global (outside) 2 xx.xx.x2.11-xx.xx.x2.253 netmask 255.255.255.0
:global (outside) 2 xx.xx.x2.254 netmask 255.255.255.0
:nat (inside) 1 access-list natalltherest_inside
:nat (inside) 2 access-list nat13_inside

:If I am making life difficult for me and there is an easier way please
:let me know as I am always willing to learn

First off, the default on any access-list is to deny, so the second
line of nat13_inside is redundant.

Secondly, as a matter of good security practice, I would say that
you should rarely be nat'ing "all" or 0.0.0.0 0.0.0.0. It is better
security to list your valid source networks explicitly: that way
if someone or something puts packets on your net from an unauthorized
IP address range, the packets will be contained at your firewall.

Consider, for example, that if you allow "all" to be nat'd, you
are allowing -all- of the RFC1918 reserved ranges
(10/8, 172.16/16-172.31/16, 192.168.0/24-192.168.255/24) -- and
you are allowing out those pesky 169.254 IP addresses that are
generated by Windows and Macs that are unsuccessful in DHCP'ing.
[DHCP, like shit, "happens".]

In more concrete terms, this would mean that you would not
configure natalltherest_inside as a deny followed by a permit all:
you would instead configure it as a series of permits of your valid
internal networks.

Thirdly, you can take advantage of the fact that policy NAT has
higher priority than non-policy NAT -- see the priority list at
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63...
The way you would take advantage of this is to use a single
policy nat configuration for the traffic you wanted treated differently,
and use standard nat/global for the rest of the traffic. e.g.,

access-list nat13_inside permit ip 10.13.0.0 255.255.0.0 any

global (outside) 2 xx.xx.x2.11-xx.xx.x2.253 netmask 255.255.255.0
global (outside) 2 xx.xx.x2.254 netmask 255.255.255.0
global (outside) 1 xx.xx.x3.11-xx.xx.x3.253 netmask 255.255.255.0
global (outside) 1 xx.xx.x3.254 netmask 255.255.255.0
nat (inside) 2 access-list nat13_inside
nat (inside) 1 {first regular ip range}
nat (inside) 1 {second regular ip range}
nat (inside) 1 {third regular ip range}
...

Fourthly, if you needed to use multiple policy nat's (e.g.,
you had three ranges to treat differently), you could take advantage
of the fact that policy nat is done in order of the statements
entered into the configuration. This allows you to leave 'deny's
out of the access-lists, by taking advantage of the fact that a
policy nat statement higher up in the config will already have been done
before the ACL is evaluated for the next one down.

Fifthly... since you are doing the different translations
unconditionally based only upon the source IP, the configuration
you gave all simplifies down to this:

nat (inside) 2 10.13.0.0 255.255.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 2 xx.xx.x2.11-xx.xx.x2.253 netmask 255.255.255.0
global (outside) 2 xx.xx.x2.254 netmask 255.255.255.0
global (outside) 1 xx.xx.x3.11-xx.xx.x3.253 netmask 255.255.255.0
global (outside) 1 xx.xx.x3.254 netmask 255.255.255.0

[but keep in mind what I said in my second point about it not
being the best security practice to allow 'any' or 0.0.0.0 0.0.0.0
to be translated... so I would list the networks explicitly for
the 'nat (inside) 1', as shown in point 4.]
--
Contents: 100% recycled post-consumer statements.
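A small model of the nat selection rules discussed in this reply, as an added example that is not part of the thread or of any Cisco code. It assumes the PIX 6.3 ordering described (policy nat via access-list first, in configuration order; then regular nat, most specific network winning; implicit deny at the end of an ACL), and uses constructed internal networks 10.20/16 and 10.21/16 for the explicit list, so you can see which sources are translated under the catch-all versus the explicit configuration:

```python
from ipaddress import ip_address, ip_network as N

# Added model of PIX 6.3 nat/global selection (constructed; not Cisco code).
# Assumed order, as in the reply: policy nat (nat ... access-list) is tried
# first in configuration order, first permit wins; regular nat statements
# come next, the most specific network winning. ACLs end in implicit deny.

def acl_permits(acl, src):
    """Evaluate an access-list given as [(action, network), ...] for a
    source address: first matching entry decides, implicit deny at the end."""
    for action, net in acl:
        if src in net:
            return action == "permit"
    return False

def select_nat_id(src, policy_nats, regular_nats, acls):
    """Return the nat id whose global pool a packet from src would use, or
    None when nothing matches (the packet is contained at the firewall)."""
    for nat_id, acl_name in policy_nats:          # configuration order
        if acl_permits(acls[acl_name], src):
            return nat_id
    best = None
    for nat_id, net in regular_nats:              # longest prefix wins
        if src in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (nat_id, net)
    return best[0] if best else None

ACLS = {"nat13_inside": [("permit", N("10.13.0.0/16"))]}
POLICY = [(2, "nat13_inside")]
# "Translate the rest" as in the thread: one catch-all nat 1.
REGULAR_ANY = [(1, N("0.0.0.0/0"))]
# Explicit valid networks instead (10.20/16 and 10.21/16 are constructed).
REGULAR_EXPLICIT = [(1, N("10.20.0.0/16")), (1, N("10.21.0.0/16"))]
# Point 5 of the reply: no access-list at all, the more specific nat wins.
REGULAR_SIMPLIFIED = [(2, N("10.13.0.0/16")), (1, N("0.0.0.0/0"))]

def compare(src):
    """nat id chosen for src under the catch-all and the explicit configs."""
    s = ip_address(src)
    return (select_nat_id(s, POLICY, REGULAR_ANY, ACLS),
            select_nat_id(s, POLICY, REGULAR_EXPLICIT, ACLS))

def simplified(src):
    return select_nat_id(ip_address(src), [], REGULAR_SIMPLIFIED, {})

if __name__ == "__main__":
    # A 169.254 host that failed DHCP leaks out under the catch-all only.
    for src in ("10.13.4.7", "10.20.1.1", "169.254.10.5", "192.168.50.9"):
        print(src, compare(src), simplified(src))
```

The 169.254.10.5 and 192.168.50.9 sources get pool 1 under the catch-all but no translation at all under the explicit list, which is the containment the second point argues for.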

Post by rpomerlea » Thu, 20 Jan 2005 00:05:44

Thanks, this fixed me up. I agree with your statement about not NATting
0.0.0.0 and will bring it up to others here, as I inherited the system
and didn't bring it up.

Thanks for your help.
