TOPIC: pix translation issue

pix translation issue 9 years 7 months ago #21471

  • lomaree
Hello,

Suppose there is one host who is accessing two different servers in the network.

When host A accesses host B, all we have to do is make sure that it gets to talk to it one to one, thus I configured this:

static (inside,outside) tcp 60.10.135.72 3392 20.172.216.4 3392 netmask 255.255.255.255
static (inside,outside) tcp 60.10.135.72 3394 20.172.216.4 3394 netmask 255.255.255.255

access-list acl_out_in permit tcp host 20.172.216.4 host 60.10.135.72 eq 3392
access-list acl_out_in permit tcp host 20.172.216.4 host 60.10.135.72 eq 3394

And host A can connect to host B with success, no problem at all.

Now, when host A tries to connect to host C, we not only have to NAT/translate the source IP of this host but also, like the host B scenario, it should be one to one with it, so I configured the following:

static (outside,inside) 20.172.220.4 16.172.5.7 netmask 255.255.255.255
static (inside,outside) 60.10.136.72 16.172.23.1 netmask 255.255.255.255

access-list acl_out_in permit tcp host 60.10.136.72 host 20.172.220.4 eq 6003

Host A connects to host C successfully and no problem.

The issue I have here is that when I look at the netstat of host B, it shows that host A (the remote host IP address) is 20.172.220.4, whereas it should be its original source IP address.

So is there a way it can be done, or is it the firewall itself that makes it not possible, and would it be causing any problem in the connection? Currently, at random times, the connection drops automatically between host A and host B, so I assume it is because of this issue.

Any help would be great.

Re: pix translation issue 9 years 7 months ago #21506

  • lavage

> static (outside,inside) 20.172.220.4 16.172.5.7 netmask 255.255.255.255
> static (inside,outside) 60.10.136.72 16.172.23.1 netmask 255.255.255.255
>
> access-list acl_out_in permit tcp host 60.10.136.72 host 20.172.220.4 eq 6003
>
> Host A connects to host C successfully and no problem.
>
> The issue I have here is that when I look at the netstat of host B, it shows that host A (the remote host IP address) is 20.172.220.4, whereas it should be its original source IP address.

Why do you need 2 static NATs here?
And what do you mean by "original source IP address"?

Re: pix translation issue 9 years 7 months ago #21512

  • Smurf
I think the problem here is the way that the (inside,outside) has been used in the static command.

Set them the same way (inside,outside) and see if the same problem exists.
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.

Re: pix translation issue 9 years 6 months ago #21581

  • lomaree
Hi Smurf,

Could you please explain your answer? I didn't understand it.
Thanks

Re: pix translation issue 9 years 6 months ago #21585

  • Smurf
I cannot remember the relevance of the way that you specify;

static (inside,outside)
static (outside,inside)

If I have time I will check, but I noticed that you have done the command using inside,outside and then outside,inside.

Hope it helps. If you want me to read up on it and provide a more detailed explanation of the relevance of the way that it's specified, then let me know (or if someone else knows off the top of their head then please reply).

Cheers
Wayne Murphy

Re: pix translation issue 9 years 6 months ago #21589

  • lomaree
Hello,

Thanks for the reply. To be honest, I have been working on it for a week now but in vain. It would be great if I could get someone to help me out with this. Anyway, if you can find time to work on it please do, thanks in advance.

By the way, I have tried using Policy NAT instead of Static NAT, but I still want to know, as per my question, why it gave a problem.
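
Added example (not part of any post in this thread, and not Cisco code): a simplified Python model of what the four static lines from the first post do to a connection arriving from the outside interface. It assumes the PIX argument order static (real_if,mapped_if) mapped_ip real_ip, ignores ACLs and real-port rewriting, and the function names are made up for illustration.

```python
import re

# The four static lines exactly as posted in the first message of the thread.
CONFIG = """\
static (inside,outside) tcp 60.10.135.72 3392 20.172.216.4 3392 netmask 255.255.255.255
static (inside,outside) tcp 60.10.135.72 3394 20.172.216.4 3394 netmask 255.255.255.255
static (outside,inside) 20.172.220.4 16.172.5.7 netmask 255.255.255.255
static (inside,outside) 60.10.136.72 16.172.23.1 netmask 255.255.255.255
"""

# static (real_if,mapped_if) [tcp|udp] mapped_ip [mapped_port] real_ip [real_port] netmask ...
STATIC_RE = re.compile(
    r"static \((\w+),(\w+)\) "
    r"(?:(?:tcp|udp) (\S+) (\d+) (\S+) (\d+)|(\S+) (\S+)) netmask")

def parse_statics(text):
    """Parse static lines into dicts; mapped_port is None for a whole-host static."""
    rules = []
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        real_if, mapped_if, m_ip, m_port, r_ip, r_port, m_ip2, r_ip2 = m.groups()
        rules.append({
            "real_if": real_if, "mapped_if": mapped_if,
            "mapped_ip": m_ip or m_ip2, "real_ip": r_ip or r_ip2,
            "mapped_port": int(m_port) if m_port else None,
        })
    return rules

def seen_on_inside(rules, src_ip, dst_ip, dst_port):
    """(source, destination) an inside host sees for a connection from outside."""
    seen_src, seen_dst = src_ip, dst_ip
    for r in rules:
        # (outside,inside): the real host is outside, so its SOURCE is rewritten.
        # A plain static has no destination condition: it applies to every flow.
        if r["real_if"] == "outside" and r["mapped_port"] is None and r["real_ip"] == src_ip:
            seen_src = r["mapped_ip"]
        # (inside,outside): the real host is inside, so the DESTINATION is
        # un-translated from the mapped address (and port, for a port static).
        if (r["real_if"] == "inside" and r["mapped_ip"] == dst_ip
                and r["mapped_port"] in (None, dst_port)):
            seen_dst = r["real_ip"]
    return seen_src, seen_dst

if __name__ == "__main__":
    rules = parse_statics(CONFIG)
    for dst, port in (("60.10.135.72", 3392), ("60.10.136.72", 6003)):
        print(dst, port, "->", seen_on_inside(rules, "16.172.5.7", dst, port))
```

In this model both inside destinations see 20.172.220.4 as the source of traffic from 16.172.5.7, because the (outside,inside) static is unconditional. Policy NAT, which the last post mentions, makes the translation depend on an access-list match.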