On 11/9/07, kevin horvath wrote:
> > first, AFAIK they are not in conflict since the translate-from
> > address is different (10.0.0.0 != 1.1.1.2), so the order is irrelevant (?)

>
> they are. the access list for static pat stipulates the 10 net just
> as the static nat. Static nat wins over static pat.


well, actually, according to the cisco jargon at
http://www.cisco.com/en/US/docs/secu...html#wp1202525

these are BOTH "static nat" - the 2nd one is regular old
static nat and the 1st, with the access-list, is called "policy nat".
to qualify for the term "static pat" you would need the extra "tcp" or "udp"
keyword just after the (inside,outside).

>
> >
> > second, I think they are processed in order

>
> You are thinking as if its an access list (permit or deny) but it
> works more like routing where the more specific statement wins if they
> are the same type of translation. Since they aren't and one is static
> nat then it has more precedence.


[snip - they are both the same type so I think the nat precedence
rules you listed
are not too relevant]

I still say the statements seem non-conflicting, because the "mapped_ip"
[the IP address right after the (inside,outside)] is different. Reading
the Cisco docs, my understanding is that if a packet comes into the PIX
with a ip.destination of "mapped_ip" (or in the "mapped_ip" subnet)
then the pix translates that ip.destination
to what the "static" command tells it to - namely the "real_ip" in
regular static nat.

in sivakumar's example. the mapped_ip is 1.1.1.2 in the 1st static,
and 10.0.0.0 in the 2nd, so there is no conflict. Am I wrong?

However, I am confused about one thing in the policy nat. here is the exaple:

access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1
static(inside,ouside) 1.1.1.2 access-list rule1 0 0

instead of just a real_ip subnet (as in the regular static),
the access-list in fact
has a subnet in the source field (10.0.0.0/8) and ANOTHER subnet in the
destination field (1.1.1.1/32)... so when a packet comes into the PIX
with ip.dest=1.1.1.2, how is it translated? using the source (10.0.0.0) or
the destination (1.1.1.1) in the ACL?

moreover, let's assume that the translate-to ip is the ACL's destination
(1.1.1.1 in this example) - what does the OTHER (source)
field do?

Can any PIX mavens out there shed some light?

PIXes are so weird.

Avishai
>
> >
> > On 11/6/07, sivakumar wrote:
> > >
> > > Hi,
> > >
> > > access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1
> > >
> > > static(inside,ouside) 1.1.1.2 access-list rule1 0 0
> > > static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
> > >
> > > Please tell me which statement will take precedence - policy NAT ot Static
> > > NAT..
> > >
> > > --
> > > View this message in context: http://www.nabble.com/NAT-order-help...html#a13548213
> > > Sent from the Firewall Wizards mailing list archive at Nabble.com.
> > >
> > > _______________________________________________
> > > firewall-wizards mailing list
> > > firewall-wizards@listserv.icsalabs.com
> > > https://listserv.icsalabs.com/mailma...rewall-wizards
> > >

> >
> >
> > --
> > Avishai Wool, Ph.D., Co-founder and Chief Technical Officer
> > http://www.algosec.com
> > ******* Firewall Management Made Smarter ******
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards@listserv.icsalabs.com
> > https://listserv.icsalabs.com/mailma...rewall-wizards
> >

> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailma...rewall-wizards
>



--
Avishai Wool, Ph.D., Co-founder and Chief Technical Officer
http://www.algosec.com
******* Firewall Management Made Smarter ******
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards