Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

Cisco Pix - NAT problem

Options
  • 22-06-2006 2:01pm
    #1
    GenericName
    Registered Users Posts: 104 ✭✭


    Hi guys,

    I have a question relating to Cisco Pix and I'm hoping someone with Cisco router experience may be able to me.

    I'm installing some servers on-site with a South East Asian mobile operator. I need the network admins on their side to route TCP traffic from 2 public IPs to the local IP of my machine. Now I've not got a huge amount of experience with networking, but to me this sounds like pretty basic NAT, right?

    However, they are telling me that it is impossible. They can route outgoing traffic from two local IPs to one single public IP but not the opposite. All I know is that it's a Cisco router and the NAT rules are being added using Cisco Pix software. Can anyone confirm that with the scenario I've described above is impossible with this Cisco set up?

    One of the public IPs is registered to a URL on a DNS so could this be used instead somehow?

    Thanks guys.


Comments

  • Options
    #2
    _CreeD_
    Registered Users Posts: 4,150 ✭✭✭_CreeD_


    I havent' dealt with PIX myself but off the top of my head -
    They don't need to route the packets, that will happen automatically, all they need to do is allow packets from those 2 address to come in, but also use ACLs (Or advanced if you can give them the protocols you will be needing from those servers to reduced traffic/increase security) to make sure that your machine is the ONLY allowed destination for those packets. Basically they create a pinhole on the PIX and an inbound ACL to only allow packets with the servers as source and yours as the destination on the perimeter router. There may be a better way to do it but with my limited experience this is what I'd try.

    Edit: Btw NAT has nothing to do with routing specifically. It provides ways to map one IP address transparently to another. ie. A packet sent with one IP address has the source id change to another. If they are using Port Overloading, ie. not a specifically defined mapping or Dynamic pool then I doubt they could add a static map for the addresses you need. Again as long as you are just talking about routing the information NAT doesn't come into it, but if you really meant that you wanted requests to those IPs to wrap back around to your server then thats a whole different ballgame.


  • Options
    #3
    GenericName
    Registered Users Posts: 104 ✭✭GenericName


    Well I'm expecting HTTP POST and GET requests destined for 202.x.x.11 and 202.x.x.12 to be routed by the firewall (Cisco PIX) to my local IP 10.32.110.23.

    An inbound many-to-one relationship. So does this fall into a 'whole different ballgame'?


    Sorry if my explanation is not too clear. It's pretty much my first time working with networks. So thanks for the help and do bare with me!


  • Options
    #4
    GenericName
    Registered Users Posts: 104 ✭✭GenericName


    I've come up with the following:

    nat (inside) 1 10.32.113.13 255.255.255.0
    global (outside) 1 202.x.x.11-202.x.x.12

    Can anyone tell me if it is valid? I need to be sure before I recommend a solution to them.


  • Options
    #5
    Sponge Bob
    Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    can you not have 2 x inside addresses on the one network card and 2 x 1:1 NATs .

    the NIC on the web server can answer to 2 addresses at a time . Simple.


  • Options
    #6
    GenericName
    Registered Users Posts: 104 ✭✭GenericName


    Hmmm, to be specific I'm installing two servers, not one. They are to be installed in a redundant configuration with a virtual IP. We are using Linux HA (Heartbeat).

    I haven't looked into it, but if we can use two virtual IPs than yes, your suggestion would work.


  • Advertisement
  • Options
    #7
    _CreeD_
    Registered Users Posts: 4,150 ✭✭✭_CreeD_


    You still have to specify which Interface is the inside and which the outside for NAT operations, and from what you've described you need to have an alternate config. to the one they would already be using (since you need both interfaces to really be inside the network, I don't know (But doubt) if PIX can handle 2 separate NAT setups (no mappings, actual directions) based on IP). Since you're dealing with HTTP/Web services are you definitely needing to use the IP? Can you not just get them to modify their DNS server to point back to your internal IP's instead, or map it manually in the HOSTS file?


  • Options
    #8
    Sponge Bob
    Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    _CreeD_ wrote:
    You still have to specify which Interface is the inside and which the outside for NAT operations, and from what you've described you need to have an alternate config. to the one they would already be using (since you need both interfaces to really be inside the network, I don't know (But doubt) if PIX can handle 2 separate NAT setups (no mappings, actual directions) based on IP). Since you're dealing with HTTP/Web services are you definitely needing to use the IP? Can you not just get them to modify their DNS server to point back to your internal IP's instead, or map it manually in the HOSTS file?

    PIX OS can handle hundreds if not thousands of one on one nats. like 194.125.100.230 nats to 192.168.1.3 while 194.125.100.231 nats to 192.168.1.4

    It can only handle one HIDE address NAT , eg

    194.125.100.230 nats to 192.168.1.1

    which is a whole subnet of 256 addresses like.

    so.

    name 194.125.100.230 web1_out
    name 192.168.1.3 web1_in
    name 194.125.100.231 web2_out
    name 192.168.1.4.230 web2_in

    Then allow traffic on port 80 to traverse from web1_out to web1_in and same for web2 , you need not have a rule for traversing back out.

    its something like ip nat web1_out web1_in

    to link them and same for web2

    Then open the ports

    allow tcp host web1_out source any eq 80
    allow tcp host web1_out source any eq 443 (ssl)

    and


    allow udp host web1_out source any eq 80
    allow udp host web1_out source any eq 443 (ssl)

    After the one on one nats are setup do the round robin or failover in an outside DNS which will load balance it for you

    roudn robin load balances 50:50 across both, if one goes the other is up]
    failover . there is a different cisco gizmo not a pix or an ids which would be behind a pix and which would only send traffic to a server where port 80 was alive , cant remember what its called.


  • Options
    #9
    _CreeD_
    Registered Users Posts: 4,150 ✭✭✭_CreeD_


    Looks like "I havent' dealt with PIX myself but off the top of my head " was accurate enough :). It's on my list of things to study but it'll be a while before I get to PIX stuff.
    Anyway, good to know.


  • Options
    #10
    wandererz
    Registered Users Posts: 2,592 ✭✭✭wandererz


    If all you need to do is allow inbound traffic to your IP address from one or more machines behind their firewall, then:

    1) NAT your private address behind a single Public Address (one to one, static NAT)
    2) Create an access list to allow inbound traffic from their firewall's Public address to your server's Public NAT'ed address above.

    3) Provide them with the your PC's server's NAT address address to them

    ....or am i missing something here ???


Advertisement