PIX access-lists and static NAT
IT Certification FAQ
Forum Index -> comp.dcom.sys.cisco
thefunnel@aol.com
Guest
Posted: Tue Oct 16, 2007 12:41 am    Post subject: PIX access-lists and static NAT

Hi,

I would like to secure an inbound access-list on a PIX 525 running
software version 8.

Hosts on the outside will connect to 3 servers on the inside for WWW.

This will involve an explicit access rule and NAT.

The servers are named and grouped:

name 192.168.1.1 SERVER1
name 192.168.1.2 SERVER2
name 192.168.1.3 SERVER3

object-group network SERVERS
network-object host SERVER1
network-object host SERVER2
network-object host SERVER3

Static NAT is used to map the outside 10.x.x.x addresses to 192.x.x.x
on the inside:

static (inside,outside) 10.10.10.1 SERVER1 netmask 255.255.255.255
static (inside,outside) 10.10.10.2 SERVER2 netmask 255.255.255.255
static (inside,outside) 10.10.10.3 SERVER3 netmask 255.255.255.255

I have then created an access-list to permit access to the SERVERS
network-group:

access-list outside_access_in extended permit tcp any object-group SERVERS eq http

For some reason when external users connect to the outside 10.x.x.x
they are not permitted. I'm guessing this is because the access-list
mentions the INSIDE names - not the OUTSIDE NAT addresses. I suppose
my question is what order is the traffic processed? NAT or access-list?

Should my network group really contain the OUTSIDE NAT addresses of
the servers?

Many thanks,

Paul
mcaissie
Guest
Posted: Tue Oct 16, 2007 1:11 am    Post subject: Re: PIX access-lists and static NAT

<thefunnel@aol.com> wrote in message
news:1192477282.019795.233170@i38g2000prf.googlegroups.com...
The access-group is processed before the NAT, so yes, your network group
should contain the translated addresses.
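As an added illustration (not part of either post, and not Cisco's own code) of why the object-group has to hold the translated addresses on this release, the script below is a small model of the PIX 7.x/8.0 inbound path driven by the exact statements Paul posted. It parses only the statement types the thread uses (name, object-group network, static, access-list, access-group), evaluates the inbound access-list against the packet as it arrives on the outside interface, i.e. against the mapped 10.10.10.x destination, and only then looks up the static to un-translate it to the real 192.168.1.x host. The `access-group` binding, the client address 203.0.113.5 and the parser itself are assumptions of this example.

```python
"""Added example: model of PIX 7.x/8.0 (pre-8.3) inbound processing for the
thread's config.  Assumptions: a minimal parser for only the statement types
the post uses, plus an `access-group` binding the post did not show.  Order
modelled: the access-list bound to the outside interface is matched against
the packet as it arrives (mapped 10.10.10.x destination); the static then
un-translates that destination to the real 192.168.1.x host."""
import ipaddress

PORTS = {"http": 80, "www": 80, "https": 443}

# Constructed from the thread.  The two configs differ only in the three
# object-group members: Paul's inside names versus the mapped addresses.
CONFIG = """
name 192.168.1.1 SERVER1
name 192.168.1.2 SERVER2
name 192.168.1.3 SERVER3
object-group network SERVERS
 network-object host {h1}
 network-object host {h2}
 network-object host {h3}
static (inside,outside) 10.10.10.1 SERVER1 netmask 255.255.255.255
static (inside,outside) 10.10.10.2 SERVER2 netmask 255.255.255.255
static (inside,outside) 10.10.10.3 SERVER3 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any object-group SERVERS eq http
access-group outside_access_in in interface outside
"""
ORIGINAL_CONFIG = CONFIG.format(h1="SERVER1", h2="SERVER2", h3="SERVER3")
CORRECTED_CONFIG = CONFIG.format(h1="10.10.10.1", h2="10.10.10.2", h3="10.10.10.3")


class Pix:
    """Parses name / object-group network / static / access-list / access-group."""

    def __init__(self, config):
        self.names, self.groups, self.statics = {}, {}, {}
        self.acls, self.access_groups = {}, {}
        group = None
        for line in config.splitlines():
            tok = line.split()
            if not tok:
                continue
            if tok[0] == "name":                        # name <ip> <alias>
                self.names[tok[2]] = tok[1]
            elif tok[:2] == ["object-group", "network"]:
                group = self.groups.setdefault(tok[2], [])
            elif tok[0] == "network-object":            # host X  |  net mask
                group.extend(self.addr(tok, 1)[0])
            elif tok[0] == "static":                    # static (real,mapped) <mapped> <real> ...
                self.statics[self.ip(tok[2])] = self.ip(tok[3])
            elif tok[0] == "access-list":
                self.acls.setdefault(tok[1], []).append(self.ace(tok[2:]))
            elif tok[0] == "access-group":              # access-group <acl> in interface <ifc>
                self.access_groups[tok[4]] = tok[1]

    def ip(self, token):
        """Resolve a `name` alias to its address; plain addresses pass through."""
        return self.names.get(token, token)

    def addr(self, tok, i):
        """Consume one address spec starting at tok[i]; return (networks, next index)."""
        if tok[i] == "any":
            return [ipaddress.ip_network("0.0.0.0/0")], i + 1
        if tok[i] == "host":
            return [ipaddress.ip_network(self.ip(tok[i + 1]))], i + 2
        if tok[i] == "object-group":
            return self.groups[tok[i + 1]], i + 2
        return [ipaddress.ip_network(f"{self.ip(tok[i])}/{tok[i + 1]}")], i + 2

    def ace(self, tok):
        """Parse `[extended] permit|deny <proto> <src> <dst> [eq <port>]`."""
        i = 1 if tok[0] == "extended" else 0
        action, proto = tok[i], tok[i + 1]
        src, i = self.addr(tok, i + 2)
        dst, i = self.addr(tok, i)
        port = None
        if i < len(tok) and tok[i] == "eq":
            port = PORTS.get(tok[i + 1]) or int(tok[i + 1])
        return action, proto, src, dst, port

    def permits(self, acl, proto, src, dst, dport):
        """First matching ACE wins; every access-list ends in an implicit deny."""
        for action, p, srcs, dsts, port in self.acls.get(acl, []):
            if p in ("ip", proto) and any(src in n for n in srcs) \
                    and any(dst in n for n in dsts) and port in (None, dport):
                return action == "permit"
        return False

    def inbound(self, ifc, proto, src, dst, dport):
        """One packet arriving on `ifc`, pre-8.3 order: interface ACL first, then static NAT."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        acl = self.access_groups.get(ifc)
        # Outside -> inside is denied unless an access-list on the interface permits it,
        # and that access-list sees the destination exactly as it arrived: 10.10.10.x.
        if acl is None or not self.permits(acl, proto, src, dst, dport):
            return ("DROP", "acl", str(dst))
        real = self.statics.get(str(dst))           # un-translate via the static
        if real is None:
            return ("DROP", "no-translation", str(dst))
        return ("ALLOW", "static", real)


def demo():
    """Same constructed client hit on SERVER1's mapped address, under both configs."""
    pkt = ("outside", "tcp", "203.0.113.5", "10.10.10.1", 80)
    return {"original": Pix(ORIGINAL_CONFIG).inbound(*pkt),
            "corrected": Pix(CORRECTED_CONFIG).inbound(*pkt)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:9s} {result}")
```

With the posted object-group the packet to 10.10.10.1 never matches an ACE, because the ACE's destinations are 192.168.1.x and the destination has not been translated yet, so the implicit deny drops it; with the mapped addresses in the group the ACE matches and the static then delivers the flow to 192.168.1.1. Two practitioner notes: on the box itself `packet-tracer input outside tcp 203.0.113.5 1025 10.10.10.1 80` shows the same ACCESS-LIST phase before the NAT phase, and this order only holds for 7.x/8.0 through 8.2; from ASA 8.3 onward access-lists are evaluated against the real (untranslated) addresses, so Paul's original group of inside names would be the correct form there.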
Copyright © 2002-2006 Web-S-Sense Pty. Ltd. All rights reserved.