NAT bypass errors

**ps3cheats** · 25-Mar-2007, 10:45 PM

I am having a problem getting two companies in the same building to talk to each other consistently. Each company is protected by it's own PIX, but share a common DMZ and T1 line to the outside world.

A 3rd perimeter firewall runs pfSense, a FreeBSD based version of pf. This firewall performs all of the real NATing of the /27 block of public IP addresses into private IP addresses for the two companies. I chose not to NAT the two company networks so that the syslog files would show exactly what was going on.

The DMZ has a single device in it at the moment. It is a Cisco 1841 router used to establish a VPN. Much more is to come over the next two years. Company A is all Windows. Company B is Netware and Linux.

All access to the internet works well, including a VPN we initiate between Company B and a Vendor.

The problem is reliably connecting Company A and B to each other. This is primarily between Company B's Novell server and anyone trying to connect to it. There are no problems running programs, accessing files and even mssql database connections from B --> A. But A --> B is sporadic. Sometimes I can access Novell, other times not.

The syslog shows that we are commonly getting: Error 3-305005: No translation group found for ...
... and then it lists udp, tcp and icmp src and dst addresses and ports.

The packet that I suspect is CURRENTLY stopping access is a udp src port 1025 to Novell server udp port 427, an attempt to find the servers. It isn't happening. As a result, Company A cannot see that an NDS tree exists.

I can still ping Company B WinXP boxes and their linux box from the Company A side, but not the Novell box. ???

Identity NAT vs NAT Exemption
----------------------------------------------------------------------
While the error appears specific, I think the actual configs are the real culprits, or more accurately, my ignorance is. Not NATing on a PIX appears to have more opinions and options than proven methods.

It was my understanding that if you NAT 0 a network the way that I have, that you do not need to setup a global or static command. At this point, all of the reading that I've done has simply confused me.

I've read Aaron Brady's page (insom.me.uk - Aaron Brady) regarding PIX without NAT. I understand now that I set up "Identity NAT" whereas he describes "NAT Exemption". Which should I setup, and why is this current config unreliable? Is there a better methodolgy to accomplish the desired results.

The Desired Result:

1) Company A should have unhindered access to Company B and the internet.

2) Company B should have unhindered access to Company A, the VPN and the
internet. (I intend to setup access lists to lock down the two sides
after the Netware server has been replaced.)

3) NOTHING should be able to initiate access to the DMZ, Company A or B at
this time.

NOTE: Also saw this very helpful page: http://book.itzero.com/read/cisco/0510/Cisco.Press.Cisco.ASA.All-in-One.Firewall.IPS.and.VPN.Adaptive.Security.Appliance.Oct.2005.eBook-DDU_html/1587052091/ch05lev1sec6.html

*** Networks ***
Public: 1.2.3.4.0/27
DMZ: 192.168.5.0/24
Company A: 192.168.10.0/24
Company B: 192.168.111.0/24

*** Interfaces ***
pfSense perimeter firewall - outside address: 1.2.3.4
dmz (inside) address: 192.168.5.1

Company A PIX 515 - dmz (outside) address: 192.168.5.10
inside address: 192.168.10.1

Company B PIX 501 - dmz (outside) address: 192.168.5.20
inside address: 192.168.111.1

1841 for VPN - 192.168.5.22 is NATed to 1.2.3.22 by pfSense.
12.23.34.45 and 12.23.34.46 require VPN access.

This is a cleaned up version of CompanyA's PIX 515 config.
======================================================================
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto

nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname CompAPIX
domain-name CompanyA.com

access-list lan_out permit ip 192.168.10.0 255.255.255.0 any
access-list dmz-in permit ip 192.168.111.0 255.255.255.0 any
access-list dmz-in permit udp host 192.168.5.1 any eq syslog
access-list dmz-in permit udp host 192.168.10.1 any eq syslog

logging on
logging trap notifications
logging facility 17
logging device-id hostname
logging host inside 192.168.10.126

icmp permit any outside
icmp permit any inside

ip address outside 192.168.5.10 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400

nat (inside) 0 192.168.10.0 255.255.255.0 0 0

access-group dmz-in in interface outside
access-group lan_out in interface inside

route outside 192.168.111.0 255.255.255.0 192.168.5.20 1

This is a cleaned up version of CompanyB's PIX 501 config.
======================================================================
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full

nameif ethernet0 outside security0
nameif ethernet1 inside security100

hostname CompBPIX
domain-name CompanyB.com

access-list lan_out permit ip 192.168.111.0 255.255.255.0 any
access-list dmz-in permit ip 192.168.10.0 255.255.255.0 any

logging on
logging trap notifications
logging facility 18
logging device-id hostname
logging host outside 192.168.10.126

icmp permit any outside
icmp permit any inside

ip address outside 192.168.5.20 255.255.255.0
ip address inside 192.168.111.1 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400

nat (inside) 0 192.168.111.0 255.255.255.0 0 0

access-group dmz-in in interface outside
access-group lan_out in interface inside

route outside 0.0.0.0 0.0.0.0 192.168.5.1 1
route outside 12.23.34.45 255.255.255.255 192.168.5.22 1
route outside 12.23.34.46 255.255.255.255 192.168.5.22 1
route outside 192.168.10.0 255.255.255.0 192.168.5.10 1

**ps3cheats** · 25-Mar-2007, 10:45 PM

I would advise you to change your configuration from using identity NAT to NAT exemption. The problem with your current configuration is that since you are using identity NAT, the ability to reach a server/host from each PIX will depend whether there is an existing translation entry for a server on the PIX. For instance,

WS1 ----------PIX A ---------------PIX B-------------WS2

Let's assume that this is a brand new setup and that neither host has passed through the PIX, meaning xlate table of PIX is empty. All inbound traffic and outbound traffic on both firewall is allowed. If WS2 tries to access WS1, PIX B creates a translation entry for WS2. PIX A sees the request, checks the rule and translation. Finds out that there is a rule but WS1 has no xlate entry. PIX A will deny traffic saying no translation found. WS1 now tries to access WS2, PIX A creates a translation for WS1 and PIX B receives the request. PIX B checks the rule and translation and will find that the rule is allowing the traffic and finds an *existing* translation for WS2 (created from WS2's previous connection attempt to WS1). PIX B will allow the connection. Since xlate has been created for both WS, the next connection attempt from WS2 to WS1 will succeed for the duration of the xlate entry. Once the xlate has timed out as controlled by the xlate timeout settings, then the connection will fail unless the same process as describe above takes place.

If you need unhindered access between the two PIX network, you will have to change your configuration to either NAT exception or static NAT.

e.g

On PIX A:

access-list 150 permit ip 192.168.10.0 255.255.255.0 192.168.111.0 255.255.255.0
nat (inside) 0 access-list 150
clear xlate

On PIX B:
access-list 150 permit ip 192.168.111.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list 150
clear xlate

25-Mar-2007, 10:45 PM	#1 (permalink)
ps3cheats Fixed Error! Posts: 1,497 Join Date: Mar 2007 Rep Power: 3 IM:	NAT bypass errors I am having a problem getting two companies in the same building to talk to each other consistently. Each company is protected by it's own PIX, but share a common DMZ and T1 line to the outside world. A 3rd perimeter firewall runs pfSense, a FreeBSD based version of pf. This firewall performs all of the real NATing of the /27 block of public IP addresses into private IP addresses for the two companies. I chose not to NAT the two company networks so that the syslog files would show exactly what was going on. The DMZ has a single device in it at the moment. It is a Cisco 1841 router used to establish a VPN. Much more is to come over the next two years. Company A is all Windows. Company B is Netware and Linux. All access to the internet works well, including a VPN we initiate between Company B and a Vendor. The problem is reliably connecting Company A and B to each other. This is primarily between Company B's Novell server and anyone trying to connect to it. There are no problems running programs, accessing files and even mssql database connections from B --> A. But A --> B is sporadic. Sometimes I can access Novell, other times not. The syslog shows that we are commonly getting: Error 3-305005: No translation group found for ... ... and then it lists udp, tcp and icmp src and dst addresses and ports. The packet that I suspect is CURRENTLY stopping access is a udp src port 1025 to Novell server udp port 427, an attempt to find the servers. It isn't happening. As a result, Company A cannot see that an NDS tree exists. I can still ping Company B WinXP boxes and their linux box from the Company A side, but not the Novell box. ??? Identity NAT vs NAT Exemption ---------------------------------------------------------------------- While the error appears specific, I think the actual configs are the real culprits, or more accurately, my ignorance is. Not NATing on a PIX appears to have more opinions and options than proven methods. It was my understanding that if you NAT 0 a network the way that I have, that you do not need to setup a global or static command. At this point, all of the reading that I've done has simply confused me. I've read Aaron Brady's page (insom.me.uk - Aaron Brady) regarding PIX without NAT. I understand now that I set up "Identity NAT" whereas he describes "NAT Exemption". Which should I setup, and why is this current config unreliable? Is there a better methodolgy to accomplish the desired results. The Desired Result: 1) Company A should have unhindered access to Company B and the internet. 2) Company B should have unhindered access to Company A, the VPN and the internet. (I intend to setup access lists to lock down the two sides after the Netware server has been replaced.) 3) NOTHING should be able to initiate access to the DMZ, Company A or B at this time. NOTE: Also saw this very helpful page: http://book.itzero.com/read/cisco/0510/Cisco.Press.Cisco.ASA.All-in-One.Firewall.IPS.and.VPN.Adaptive.Security.Appliance.Oct.2005.eBook-DDU_html/1587052091/ch05lev1sec6.html * Networks * Public: 1.2.3.4.0/27 DMZ: 192.168.5.0/24 Company A: 192.168.10.0/24 Company B: 192.168.111.0/24 * Interfaces * pfSense perimeter firewall - outside address: 1.2.3.4 dmz (inside) address: 192.168.5.1 Company A PIX 515 - dmz (outside) address: 192.168.5.10 inside address: 192.168.10.1 Company B PIX 501 - dmz (outside) address: 192.168.5.20 inside address: 192.168.111.1 1841 for VPN - 192.168.5.22 is NATed to 1.2.3.22 by pfSense. 12.23.34.45 and 12.23.34.46 require VPN access. This is a cleaned up version of CompanyA's PIX 515 config. ====================================================================== PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 hostname CompAPIX domain-name CompanyA.com access-list lan_out permit ip 192.168.10.0 255.255.255.0 any access-list dmz-in permit ip 192.168.111.0 255.255.255.0 any access-list dmz-in permit udp host 192.168.5.1 any eq syslog access-list dmz-in permit udp host 192.168.10.1 any eq syslog logging on logging trap notifications logging facility 17 logging device-id hostname logging host inside 192.168.10.126 icmp permit any outside icmp permit any inside ip address outside 192.168.5.10 255.255.255.0 ip address inside 192.168.10.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm pdm history enable arp timeout 14400 nat (inside) 0 192.168.10.0 255.255.255.0 0 0 access-group dmz-in in interface outside access-group lan_out in interface inside route outside 192.168.111.0 255.255.255.0 192.168.5.20 1 This is a cleaned up version of CompanyB's PIX 501 config. ====================================================================== PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 hostname CompBPIX domain-name CompanyB.com access-list lan_out permit ip 192.168.111.0 255.255.255.0 any access-list dmz-in permit ip 192.168.10.0 255.255.255.0 any logging on logging trap notifications logging facility 18 logging device-id hostname logging host outside 192.168.10.126 icmp permit any outside icmp permit any inside ip address outside 192.168.5.20 255.255.255.0 ip address inside 192.168.111.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm pdm logging informational 100 pdm history enable arp timeout 14400 nat (inside) 0 192.168.111.0 255.255.255.0 0 0 access-group dmz-in in interface outside access-group lan_out in interface inside route outside 0.0.0.0 0.0.0.0 192.168.5.1 1 route outside 12.23.34.45 255.255.255.255 192.168.5.22 1 route outside 12.23.34.46 255.255.255.255 192.168.5.22 1 route outside 192.168.10.0 255.255.255.0 192.168.5.10 1

25-Mar-2007, 10:45 PM	#2 (permalink)
ps3cheats Fixed Error! Posts: 1,497 Join Date: Mar 2007 Rep Power: 3 IM:	Re: NAT bypass errors I would advise you to change your configuration from using identity NAT to NAT exemption. The problem with your current configuration is that since you are using identity NAT, the ability to reach a server/host from each PIX will depend whether there is an existing translation entry for a server on the PIX. For instance, WS1 ----------PIX A ---------------PIX B-------------WS2 Let's assume that this is a brand new setup and that neither host has passed through the PIX, meaning xlate table of PIX is empty. All inbound traffic and outbound traffic on both firewall is allowed. If WS2 tries to access WS1, PIX B creates a translation entry for WS2. PIX A sees the request, checks the rule and translation. Finds out that there is a rule but WS1 has no xlate entry. PIX A will deny traffic saying no translation found. WS1 now tries to access WS2, PIX A creates a translation for WS1 and PIX B receives the request. PIX B checks the rule and translation and will find that the rule is allowing the traffic and finds an existing translation for WS2 (created from WS2's previous connection attempt to WS1). PIX B will allow the connection. Since xlate has been created for both WS, the next connection attempt from WS2 to WS1 will succeed for the duration of the xlate entry. Once the xlate has timed out as controlled by the xlate timeout settings, then the connection will fail unless the same process as describe above takes place. If you need unhindered access between the two PIX network, you will have to change your configuration to either NAT exception or static NAT. e.g On PIX A: access-list 150 permit ip 192.168.10.0 255.255.255.0 192.168.111.0 255.255.255.0 nat (inside) 0 access-list 150 clear xlate On PIX B: access-list 150 permit ip 192.168.111.0 255.255.255.0 192.168.10.0 255.255.255.0 nat (inside) 0 access-list 150 clear xlate

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)