
| Subject: | Re: Pix - Can you perform PAT on a static nat. |
|---|---|
| Date: | Wed, 30 Mar 2005 09:12:51 -0600 |
You need to use ACLs for your NAT; you only want to static NAT traffic between 1.x and 10.x. Example:

access-list static_nat permit ip 10.0.0.0 255.255.255.0 1.0.0.0 255.255.255.0
static (inside,outside) 10.0.0.0 access-list static_nat

then for internet traffic PAT them:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

This will statically NAT traffic between the offices but PAT traffic bound anywhere else. You will need 6.3 or later, I think.

On Fri, 18 Mar 2005 18:10:37 +0000, Ben Hicks <ben.hicks@tricura.com> wrote:
Hi list,
This is my first post so apologies if my post offends any one in any
way :) I'm currently trying to setup a management connection to a pix
VPN network with the unfortunate situation of overlapping address space.
At present the current setup consists of sites using 3 pix 501s (on
adsl) to connect two sites to a master site.
Pix B ------ www ----- Pix A ----- www ----- Pix C
Pix A = 10.0 /24
Pix B = 10.1 /24
Pix C = 10.2 /24
Pix D = 10.{1,2,3} / 24
This setup as it is works fine with IPSEC VPNs. What I need to be able
to do is to make each of these sites unique to a fourth site (my office -
pix D) who already has the 10.X ranges defined and in use. I thought the
best way to proceed would be to use static nattings. We already have our
workstations statically mapped behind pix D to provide us with unique
public IP addresses (1.1.1/24). I decided to use the range 10.250.X /24
for mapping the networks of Pix A, B and C. For example 10.0.0.1 on PIX
A becomes 10.250.0.1 and 10.1.0.1 becomes 10.250.1.1 etc. So I
configured a workstation on the fourth site to nat to a public address.
And then route to an address of 10.250.0.0 via an IPSEC VPN to pix A.
Pix A then has a static mapping
"static (inside,outside) 10.250.0.0 10.0.0.0 netmask 255.255.255.0" which then
translates 10.250.0.1 to 10.0.0.1. So just to clarify a ping to
10.250.0.1 goes ....
1) 10.2.0.21 --> 10.250.0.1
(pix - inside)
2) 10.2.0.21 changes to 1.1.1.1 --> 10.250.0.1
(Ipsec VPN)
3) 10.250.0.1 --> 10.0.0.1
As far as the device 10.0.0.1 is concerned it gets a ping from 1.1.1.1
and as far as my pc is concerned it gets a reply from 10.250.0.1. This
all works fine. And I can connect to this site quite happily. The only
problem I am having is that the devices behind PIX A are now statically
mapped to the outside interface on 10.250.0.X and I am unable to get any
of them to browse the internet. I've tried all sorts of PAT / Nat config
to get this to work but I don't seem to be able to nat from the outside
interface out to the internet. Is this something that is possible or
have I just gone about this whole scenario in a bizarre and twisted way?
Apologies if my description makes no sense, please be gentle :)
Cheers,
Ben
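As an added illustration (not part of this thread and not PIX code), the following Python model shows the NAT selection order the reply relies on: a policy static NAT, chosen by an ACL that matches source and destination, is consulted first, and a `nat`/`global` interface PAT catches whatever the static did not claim. It is instantiated with the addressing from this thread (real 10.0.0.0/24 mapped to 10.250.0.0/24 for traffic to the 1.1.1.0/24 office) plus a constructed outside address 203.0.113.1 and a constructed Internet host 198.51.100.7; port allocation and ACL evaluation are deliberately simplified.

```python
"""Toy model of PIX NAT selection: policy static NAT (ACL-matched) is
tried first, then interface PAT for everything else.  Simplified
illustration only; not the PIX implementation."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class PolicyStatic:
    """Models: static (inside,outside) <mapped_net> access-list <acl>
    with an ACL of the form: permit ip <real_net> <dst_net>."""
    real_net: IPv4Network    # inside hosts the ACL source matches
    dst_net: IPv4Network     # ACL destination (the peer office)
    mapped_net: IPv4Network  # network the hosts appear as on the outside

    def translate(self, src: IPv4Address, dst: IPv4Address):
        # Only traffic that matches the ACL (src AND dst) uses the static.
        if src in self.real_net and dst in self.dst_net:
            host = int(src) - int(self.real_net.network_address)
            return ip_address(int(self.mapped_net.network_address) + host)
        return None


@dataclass
class InterfacePat:
    """Models: global (outside) 1 interface + nat (inside) 1 0.0.0.0 0.0.0.0.
    Every flow gets the outside interface address and a unique port."""
    outside_ip: IPv4Address
    next_port: int = 1024                      # constructed starting port
    table: dict = field(default_factory=dict)  # (src, sport) -> mapped port

    def translate(self, src: IPv4Address, sport: int):
        key = (src, sport)
        if key not in self.table:              # reuse mapping for an existing flow
            self.table[key] = self.next_port
            self.next_port += 1
        return self.outside_ip, self.table[key]


def pick_translation(static: PolicyStatic, pat: InterfacePat,
                     src: str, sport: int, dst: str):
    """Return ('static', mapped_ip, port) when the ACL matches, else
    ('pat', outside_ip, mapped_port).  Static wins over nat/global."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    mapped = static.translate(src_ip, dst_ip)
    if mapped is not None:
        return ("static", str(mapped), sport)
    ip, port = pat.translate(src_ip, sport)
    return ("pat", str(ip), port)


def build_thread_example():
    """Addressing from the thread plus constructed outside address."""
    static = PolicyStatic(real_net=ip_network("10.0.0.0/24"),
                          dst_net=ip_network("1.1.1.0/24"),
                          mapped_net=ip_network("10.250.0.0/24"))
    pat = InterfacePat(outside_ip=ip_address("203.0.113.1"))  # constructed
    return static, pat


if __name__ == "__main__":
    s, p = build_thread_example()
    # Office-to-office traffic: static mapping, source port untouched.
    print(pick_translation(s, p, "10.0.0.1", 40000, "1.1.1.1"))
    # Same host to the Internet: falls through to interface PAT.
    print(pick_translation(s, p, "10.0.0.1", 40000, "198.51.100.7"))
    print(pick_translation(s, p, "10.0.0.2", 40000, "198.51.100.7"))
```

The point the model makes explicit is why the original static (a plain network-to-network `static` with no ACL) blocked Internet access: without a destination condition, every packet from 10.0.0.0/24 matched the static, so nothing was left for `nat`/`global` to PAT. With the ACL-qualified static, only traffic to the peer office is translated one-to-one and the rest is PATed on the outside interface.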