Hopefully you can help me here and put me straight, I've spent the last two days trawling through documentation to find an answer.
OK, the setup: 1 PIX 525, 3 interfaces: outside, inside & dmz.
I want 10 internet users (outside) to access a server on the dmz (private addressing for the DMZ), which then proxies the request and opens a new session from the dmz to a server on the inside.
(btw, I should mention we currently have NAT configured for inside users accessing the internet:
nat (inside) 10 126.96.36.199 255.0.0.0
global (outside) 10 interface
For internet users accessing the dmz server, should I be using a static NAT statement for each user:
static (dmz,outside) <internet address> 192.168.4.4 netmask 255.255.255.255
Or is there another config I can use for destination NAT? Also, how do internet users route to this? Do they route to the outside interface of the PIX, and it picks up the static NAT?
I have seen reference to the NAT 'outside' but am not sure if this is what I want and if it will affect my other NAT statements.
And the same principle would apply again for DMZ --> inside servers using static.
I have no test lab to try this out on, so I don't want to bring down the entire internet connection.
A one-to-one NAT translates a public IP address to a private IP address, all ports, both TCP and UDP. The ACL is used to determine who can access that resource. The NAT statement is not for a particular user; it applies to all who can access it. An example might help explain.
I have a public IP address space of 188.8.131.52 /24. My PIX outside address is 184.108.40.206. I have a web server in the DMZ, its IP address is 192.168.1.10. If I want external users to access my web server I must first create a NAT translation.
static (dmz,outside) 220.127.116.11 192.168.1.10 netmask 255.255.255.255
Here I chose an IP address from my public address space to assign to the web server. When anyone tries to access the address 18.104.22.168, the firewall translates it to 192.168.1.10. So what if I have few or no spare addresses? You can do port translations.
static (dmz,outside) tcp 22.214.171.124 80 192.168.1.10 80 netmask 255.255.255.255
Notice the IP is the same as the PIX's interface. You can also do this for any IP in your public address space. Even though we didn't change the ports, it's still a port translation. You could also change the port.
static (dmz,outside) tcp 126.96.36.199 8080 192.168.1.10 80 netmask 255.255.255.255
In this example the outside user would have to enter http://188.8.131.52:8080 and the firewall would translate it back to port 80 to the DMZ server.
Now for the ACL. This allows everyone to the webserver, but only on port 80.
access-list outside_access permit tcp any host 184.108.40.206 eq 80
But we only want our business partner to see the website, so we tweak the ACL.
access-list outside_access permit tcp 220.127.116.11 255.255.255.0 host 18.104.22.168 eq 80
Hopefully this clears up your routing question. Just remember your DMZ devices are NAT'ed to a public address space, and that's how people can get to them. When someone knocks on the PIX's door and asks how to get to 22.214.171.124, the PIX says "I know how to", then performs the translation and sends it to the DMZ server.
HTH and please rate.
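As an added illustration that is not part of the original thread: the Python model below reproduces the decision the answer describes for a new outside-to-DMZ connection. The outside ACL is matched against the mapped public address (exactly as the answer's access-list lines name the public address, not the DMZ one) and the static then rewrites the destination, with a port static taking precedence over a one-to-one static on the same address. Everything in it is constructed for the example: the public block 203.0.113.0/24, 203.0.113.1 as the PIX outside interface, 203.0.113.5 as the web server's public address, 198.51.100.0/24 as the partner network, and the two statics and two ACL entries. It is a model of the behaviour, not PIX code.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Static:
    """One 'static (dmz,outside)' line. For a one-to-one static, proto,
    mapped_port and real_port are None: it covers every protocol and port."""
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One 'access-list ... permit' entry applied on the outside interface.
    src is a CIDR ('0.0.0.0/0' stands for 'any'); dst_port None means any port."""
    proto: str
    src: str
    dst_ip: str
    dst_port: Optional[int] = None


# Constructed example policy (documentation address ranges, not the thread's).
PIX_OUTSIDE = "203.0.113.1"
WEB_PUBLIC = "203.0.113.5"
WEB_DMZ = "192.168.1.10"
PARTNER_NET = "198.51.100.0/24"

STATICS = [
    # static (dmz,outside) 203.0.113.5 192.168.1.10 netmask 255.255.255.255
    Static(WEB_PUBLIC, WEB_DMZ),
    # static (dmz,outside) tcp 203.0.113.1 8080 192.168.1.10 80 netmask 255.255.255.255
    Static(PIX_OUTSIDE, WEB_DMZ, "tcp", 8080, 80),
]
ACL = [
    # access-list outside_access permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.5 eq 80
    Ace("tcp", PARTNER_NET, WEB_PUBLIC, 80),
    # access-list outside_access permit tcp any host 203.0.113.1 eq 8080
    Ace("tcp", "0.0.0.0/0", PIX_OUTSIDE, 8080),
]


def ace_matches(ace: Ace, proto: str, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """True if this ACE permits the packet; the ACE names the mapped address."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ip_address(src_ip) not in ip_network(ace.src, strict=False):
        return False
    if ace.dst_ip != dst_ip:
        return False
    return ace.dst_port is None or ace.dst_port == dst_port


def find_static(statics: Sequence[Static], proto: str, dst_ip: str, dst_port: int) -> Optional[Static]:
    """Pick the static for a mapped destination. A port static is more specific
    than a one-to-one static on the same mapped address, so it is tried first."""
    for st in statics:
        if st.proto == proto and st.mapped_ip == dst_ip and st.mapped_port == dst_port:
            return st
    for st in statics:
        if st.proto is None and st.mapped_ip == dst_ip:
            return st
    return None


def inbound(statics: Sequence[Static], acl: Sequence[Ace], proto: str,
            src_ip: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Decide what happens to a new outside->dmz packet: the (real_ip, real_port)
    it is delivered to, or None if the PIX drops it. Both the ACL and a static
    must match; the ACL alone never creates a path into the DMZ."""
    if not any(ace_matches(a, proto, src_ip, dst_ip, dst_port) for a in acl):
        return None
    st = find_static(statics, proto, dst_ip, dst_port)
    if st is None:
        return None  # permitted by the ACL, but no translation: nowhere to send it
    real_port = st.real_port if st.real_port is not None else dst_port
    return (st.real_ip, real_port)


def run_cases() -> Dict[str, Optional[Tuple[str, int]]]:
    """Constructed test traffic: 198.51.100.7 is a partner host, 192.0.2.9 a stranger."""
    return {
        "partner_to_web_80": inbound(STATICS, ACL, "tcp", "198.51.100.7", WEB_PUBLIC, 80),
        "stranger_to_web_80": inbound(STATICS, ACL, "tcp", "192.0.2.9", WEB_PUBLIC, 80),
        "partner_to_web_22": inbound(STATICS, ACL, "tcp", "198.51.100.7", WEB_PUBLIC, 22),
        "stranger_to_pix_8080": inbound(STATICS, ACL, "tcp", "192.0.2.9", PIX_OUTSIDE, 8080),
        "stranger_to_pix_80": inbound(STATICS, ACL, "tcp", "192.0.2.9", PIX_OUTSIDE, 80),
        "partner_udp_to_web_80": inbound(STATICS, ACL, "udp", "198.51.100.7", WEB_PUBLIC, 80),
    }


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name:24s} -> {'drop' if result is None else result}")
```

The partner_to_web_22 case is the point the answer makes about one-to-one statics: the static would happily translate port 22 to the DMZ host, and it is only the ACL's `eq 80` that keeps it closed. The stranger_to_pix_8080 case shows the port static rewriting 8080 to 80 on the way in, which is why the outside user types the :8080 form of the URL.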