NAT, how do I do this on PIX?

Status
Not open for further replies.

VulakAerr

IS-IT--Management
Jan 20, 2003
6
GB
I am trying to get my head around NAT on PIX firewalls. I have not been using it for long, but am I correct in thinking that I can forward external addresses other than the one on my outside network adapter? For example, if I currently have 113.131.172.XXX as the external address of my firewall but also want to forward packets addresses to 113.131.172.YYY to a machine inside the firewall, how do I accomplish this?

I have a limited understanding of how to do this, and would gladly check the manual more thoroughly and do trial and error (which is my usual technique with PIX so far) but I only have a limited time to come up with a solution. Any help would be greatly appreciated.
 
Vulak, static one-to-one mapping of external to internal IP addresses is done through a (amusingly enough) "static" command.

Usage is easy:

Code:
static [(internal_if_name, external_if_name)] {<global_ip>|interface} <local_ip> [dns] [netmask <mask>]  [<max_conns> [<emb_limit> [<norandomseq>]]]

The internal_if_name and external_if_name are usually "inside" and "outside" respectively.

The global_ip field is the IP address to use for this static mapping (you can use the "interface" keyword to tell it to use the interface, i.e. the router's outside IP address). The local_ip is the IP address to map to on the inside of the PIX.

The dns field is an optional one, which would tell the PIX to send an update to a DNS server with an IP address if so desired.

the other fields are rarely used, and you can check them out in the documentation.


ex:

static (inside, outside) 65.66.67.68 10.0.0.1 netmask 255.255.255.255 0 0


Now, this won't allow packets through, but will only ensure that you have a one-to-one mapping of internal to external ip addresses.

To allow traffic through you'll have to set up an access list and access-groups. those are a bit more complicated, and the manual should be checked.
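Putting the three steps above together for the case asked about in the question (a second public address, 113.131.172.YYY, forwarded to one inside host), here is an added example configuration that is not from the thread. It uses PIX 6.x syntax; the inside host 10.0.0.5, the access-list name outside_in and the choice of HTTP as the permitted service are assumptions, and the lines starting with ! are commentary.

```cisco
! Added example, not from the thread. Assumed inside host: 10.0.0.5.
! 113.131.172.YYY is the question's placeholder for the second public address.

! Step 1: one-to-one mapping. Once this is in place the PIX answers ARP for
! 113.131.172.YYY on its outside interface and translates it to 10.0.0.5.
static (inside,outside) 113.131.172.YYY 10.0.0.5 netmask 255.255.255.255 0 0

! Step 2: the static alone passes nothing inbound. Permit only the service
! the host actually offers; on PIX 6.x the ACL matches the public address.
access-list outside_in permit tcp any host 113.131.172.YYY eq www

! Step 3: bind the list inbound on the outside interface.
access-group outside_in in interface outside

! Verification: the static should appear, and xlate entries for 10.0.0.5
! should show the public address once traffic flows.
show static
show xlate
show access-list outside_in
```

Two practical points: keep the access-list as narrow as the service requires, since every permitted port on the static is exposed to the whole Internet; and the ARP-based mechanism described later in the thread only works when 113.131.172.YYY is on the same subnet as the outside interface. If the extra addresses are routed to the firewall by the provider rather than being in the outside subnet, the upstream router has to have a route for them instead.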
 
Thank you very much for your response. The only thing I am having difficulties understanding (I've done static and access lists etc before), is how this works for addresses other than the external one of the firewall.

I just don't understand how I can assign more than one IP address to the outside adapter so that it forwards to the internal network. I have 6 public addresses to use, one of which is used by the outside interface of the firewall, but want to use another one for NAT. That's where my understanding stops. Just an explanation of whether or not the static command coupled in with the global command can accomplish this will do fine. Thank you in advance.
 
Yah, it'll work.

Basically it works because when an IP device is trying to send a packet to another IP device that it doesn't know the MAC address for (we're assuming ethernet here) it sends out an ARP request (Address Resolution Protocol). When the device sees an ARP request, it checks itself ("Self?") and sees if that's an IP address it owns. If it is, the device responds to the ARP request with an ARP reply packet, which gives the requester the MAC address of the device.

In our case, the PIX will respond to any ARP request on its outside interface that has one of the addresses you've either used for your NAT, your PAT, your interface, or in a static command.
 
That makes more sense. It even brings back glimmers of knowledge from a Cisco router course I went on way back when. Thank you very much for your help and explanation. :)
 