Network Security: Detailed info on Re: PIX 6.2(2) behaviour for traffic from lower to higher level

Subject:	Re: PIX 6.2(2) behaviour for traffic from lower to higher level
Date:	Wed, 27 Sep 2006 11:43:58 -0700

Amol Sapkal wrote:

Hi all, I am working on a lab PIX loaded with 6.2(2) Here is the BASE configuration: -------------------------------------------------------- nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 DMZ security50 ip address outside 200.200.200.2 <http://200.200.200.2> 255.255.255.0 <http://255.255.255.0> ip address inside 21.21.21.2 <http://21.21.21.2> 255.255.255.0 <http://255.255.255.0> ip address DMZ 22.22.22.2 <http://22.22.22.2> 255.255.255.0 <http://255.255.255.0> Host A on DMZ: 22.22.22.3 <http://22.22.22.3> (g/w: DMZ IP) Host B on inside: 21.21.21.3 <http://21.21.21.3> (g/w: inside IP) ACL applied: access-list acl-dmz permit icmp any any echo access-list acl-dmz permit icmp any any echo-reply access-group acl-dmz in interface DMZ -------------------------------------------------------- ############## *Condition1: (No nat0 or static command and XLATE table is empty)* If I initiate a ping from A to B (lower to higher), I get the translation error:

*305005: No translation group found for icmp src DMZ:22.22.22.3 <http://22.22.22.3> dst inside:21.21. 21.3 (type 8, code 0)*

*Condition2: (nat0 for DMZ subnet)* I add the below to BASE config: nat (inside) 0 21.21.21.0 <http://21.21.21.0> 255.255.255.0 <http://255.255.255.0> I still get the 305005 error. *Condition3: (no nat0 or static command)* I add these to BASE configs:

PIX-515(config)# nat (DMZ) 1 22.22.22.3 <http://22.22.22.3> 255.255.255.255 <http://255.255.255.255>

PIX-515(config)# global (inside) 1 22.22.22.3 <http://22.22.22.3> 255.255.255.255 <http://255.255.255.255> (dmz to inside translation)
Still, I get the 305005 error.
*Condition3: (no nat0, but static command for dmz host B)*
I add the following command
static (dmz,inside) 22.22.22.3 <http://22.22.22.3> 22.22.22.3 <http://22.22.22.3> netmask 255.255.255.255 <http://255.255.255.255> (static NATing A) Still, the error remains. ############## I am able to ping B from A only under below conditions: 1. nat (inside) 0 21.21.21.0 <http://21.21.21.0> (B's subnet) *........OR...* ** 2. static (inside,dmz) 21.21.21.3 <http://21.21.21.3> 21.21.21.3 <http://21.21.21.3> netmask 255.255.255.255 <http://255.255.255.255> (static NATing B) ############# AFAIK, an ACL on the DMZ (lower security) to allow ICMP should allow the ping. I just confirmed it on a 525 box running 7.0. What is going wrong in the three conditions above? Is my understanding incorrect?
--
Warm regards,
Amol Sapkal
-------------------------------------------------------------------
"When I'm not in my right mind, my left mind
gets pretty crowded"
-------------------------------------------------------------------

Okay! you need static entries, no nat required, although it is possible it seems convoluted for me for some reason.

static template is:

static(high1, low1) low2 high2 mask 0

high1 = interface with higher security level
low1 = interface with lower security level

low2 = IP address/subnet of the lower security level interface
high2 = IP address/subnet of the higher sec level interface

mask = subnet mask.

and then do straight forward ACLs this will help you.

Prabhu
-

<Prev in Thread]	Current Thread	[Next in Thread>
Re: PIX 6.2(2) behaviour for traffic from lower to higher level, Prabhu Gurumurthy <=

Previous by Date:	Re: Need firewall advice, johan
Next by Date:	RE: Need firewall advice, Steve Armstrong
Previous by Thread:	Need firewall advice, mattknows
Indexes:	[Date] [Thread] [Top] [All Lists]