Friday, July 17, 2020

Twice NAT on an old Cisco PIX FW ver 8.0.4 - Help with config

I have a host in a lower security level, 10, needing to reach a host in a higher security level, 100. I'll say DMZ to Inside. I originally tried an ACL to allow the traffic with a NAT exemption, but I found nonat is not applied when going from a lower to a higher security level and it attempts to send the traffic out the outside interface, which I could see using the packet-tracer command.

With this, I went for a 1-to-1 NAT with an ACL allowing the traffic, which looks like it would work if there wasn't asymmetric routing on the return traffic. So I need the source IP also NATted to, say, the inside interface IP so the return traffic will come back through this PIX rather than the inside host's GW. I have done this on an ASA before, which I believe is called twice NAT, but I cannot find the syntax for a PIX, if it is even possible. Current setup detailed below.

dmz host: Z.Z.Z.171
inside host: Y.Y.Y.234

----scrubbed current relevant config----

interface Ethernet0
 nameif outside
 security-level 0
 ip address X.X.X.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address Y.Y.Y.230 255.255.0.0
!
interface Ethernet2
 nameif dmz
 security-level 10
 ip address Z.Z.Z.1 255.255.255.0
!
nat (inside) 0 access-list nonat_inside
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list nonat_dmz
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (dmz) 1 interface
!
static (inside,dmz) Z.Z.Z.182 Y.Y.Y.182 netmask 255.255.255.255
!
access-list inside_acl extended permit ip any any
access-list dmz_acl extended permit ip host Z.Z.Z.171 host Y.Y.Y.182
access-group inside_acl in interface inside
access-group dmz_acl in interface dmz

----current trace forward flow----

PIX#packet-tracer input dmz icmp Z.Z.Z.171 0 0 Y.Y.Y.182

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,dmz) Z.Z.Z.182 Y.Y.Y.182 netmask 255.255.255.255
  match ip inside host Y.Y.Y.182 dmz any
    static translation to Z.Z.Z.182
    translate_hits = 0, untranslate_hits = 3
Additional Information:
NAT divert to egress interface inside
Untranslate Z.Z.Z.182/0 to Y.Y.Y.182/0 using netmask 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_acl in interface dmz
access-list dmz_acl extended permit ip host Z.Z.Z.171 host Y.Y.Y.182
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (dmz) 1 0.0.0.0 0.0.0.0
  match ip dmz any outside any
    dynamic translation to pool 1 (X.X.X.2 [Interface PAT])
    translate_hits = 7005, untranslate_hits = 847
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,dmz) Z.Z.Z.182 Y.Y.Y.182 netmask 255.255.255.255
  match ip inside host Y.Y.Y.182 dmz any
    static translation to Z.Z.Z.182
    translate_hits = 0, untranslate_hits = 3
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 148178257, packet dispatched to next module

Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop Y.Y.Y.182 using egress ifc inside
adjacency Active
next-hop mac address Y.Y.Y hits 1

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Side note: I'm in a network migration off this old gear and eliminating this asymmetric mess I inherited, but this is needed in the meantime.

Thanks!
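The PIX 8.0 (pre-8.3) equivalent of what the post calls twice NAT is dynamic "outside NAT": a policy nat statement carrying the outside keyword, paired with a global on the higher-security interface. The fragment below is an added example, not configuration from the post or from Cisco; it assumes NAT ID 2 is unused on this PIX, that the DMZ host addresses the inside host as Y.Y.Y.182 exactly as in the poster's dmz_acl and trace, and that the access-list name dmz_to_inside_nat is free. The existing static (inside,dmz) and dmz_acl are left in place; only the source-side translation is added.

```text
! Added example, not the poster's config. Assumes NAT ID 2 and the ACL name
! dmz_to_inside_nat are unused on this box.
!
! Policy ACL: only this one DMZ host, only toward this one inside host.
! The destination is the address the DMZ host actually sends to.
access-list dmz_to_inside_nat extended permit ip host Z.Z.Z.171 host Y.Y.Y.182
!
! The "outside" keyword makes this dynamic NAT apply to traffic entering dmz (10)
! and bound for a higher-security interface (inside, 100); without it the
! nat statement only matches flows toward lower-security interfaces.
nat (dmz) 2 access-list dmz_to_inside_nat outside
!
! Interface PAT onto the PIX's own inside address (Y.Y.Y.230). The inside host
! now sees the PIX as the source and replies to it directly, so the return
! path no longer depends on the inside host's default gateway.
global (inside) 2 interface
!
! clear xlate is required before the new policy takes effect for the flows
! already in the translation table.
```

Two checks before trusting it. First, pre-8.3 NAT order puts nat 0 access-list (exemption) ahead of everything else, so if nonat_dmz already matches Z.Z.Z.171 to Y.Y.Y.182 the exemption wins and the new policy never fires; the pair must be absent from nonat_dmz. Second, re-run the packet-tracer from the post (input dmz icmp Z.Z.Z.171 0 0 Y.Y.Y.182) and confirm the NAT phase now reports nat (dmz) 2 with a dynamic translation to the inside interface address rather than the pool-1 outside PAT shown in Phase 7 above, then confirm the entry with show xlate after sending real traffic. If the NAT phase still shows pool 1, the outside keyword or the global (inside) 2 is missing.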


