NATing from outside in

Answered Question
Feb 1st, 2007

Hi guys,

Hopefully you can help me here and put me straight, I've spent the last two days trawling through documentation to find an answer.

OK the setup - 1 PIX 525, 3 interfaces - outside, inside & dmz.

I want 10 internet users (outside) to access a server on the dmz (private addressing for the DMZ), this is then proxied and a new session from the dmz to a server on the inside.

(btw, should mention we currently have NAT configured for inside users accessing the internet:

nat (inside) 10 2.0.0.0 255.0.0.0

global (outside) 10 interface

For internet users accessing the dmz server should I be using a static nat statement for each user:

static (dmz,outside) <internet address> 192.168.4.4 netmask 255.255.255.255

Or is there another config I can use for destination NAT? Also, how do internet users route to this? do they route to the outside interface of the PIX and it picks up the static NAT?

I have seen reference to the NAT 'outside' but not sure if this is what I want and if it will affect my other NAT statements.

And the same principle would apply again for DMZ --> inside servers using static.

I have no test lab to try this out on so don't want to bring down the entire internet connection.

Thanks guys.

Correct Answer by Collin Clark about 9 years 8 months ago

A one-to-one NAT translates a public IP address to a private IP address, all ports both TCP and UDP. The ACL is used to determine who can access that resource. The NAT statement is not for a particular user, it applies to all who can access it. An example might help explain.

I have a public IP address space of 1.1.1.0 /24. My PIX outside address is 1.1.1.1. I have a web server in the DMZ, its IP address is 192.168.1.10. If I want external users to access my web server I must first create a NAT translation.

static (dmz,outside) 1.1.1.2 192.168.1.10 netmask 255.255.255.255

Here I chose an IP address from my public address space to assign to the web server. Anyone trying to access the address of 1.1.1.2, the firewall translates it to 192.168.1.10. So what if I don't have any or few addresses? You can do port translations.

static (dmz,outside) tcp 1.1.1.1 80 192.168.1.10 80 netmask 255.255.255.255

Notice the IP is the same as the PIX's interface. You can also do this for any IP in your public address space. Even though we didn't change the ports, it's still a port translation. You could also change the port.

static (dmz,outside) tcp 1.1.1.1 8080 192.168.1.10 80 netmask 255.255.255.255

In this example the outside user would have to enter http://1.1.1.1:8080 and the firewall would translate it back to port 80 to the DMZ server.

Now for the ACL. This allows everyone to the webserver, but only on port 80.

access-list outside_access permit tcp any host 1.1.1.2 eq 80

But we only want a business partner to see the website, so we tweak the ACL.

access-list outside_access permit tcp 2.2.2.0 255.255.255.0 host 1.1.1.2 eq 80

Hopefully this clears up your routing question. Just remember your DMZ devices are NAT'ed to a public address space and that's how people can get to them. When someone knocks on the PIX's door and asks how to get to 1.1.1.2, the PIX says I know how to, then performs the translation and sends it to the DMZ server.

HTH and please rate.

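To make the two points in the answer above concrete (the static applies to every outside host, the ACL decides who gets through, and a port static can rewrite the destination port), here is a small added model of how the PIX treats an inbound outside-to-DMZ packet. It is example code written for this page, not Cisco's code and not the poster's config; the config text is a constructed sample built from the answer's own lines (PIX 6.x syntax), and the evaluation order is simplified to "outside ACL on the public address, then static lookup".

```python
import ipaddress

# Constructed sample config, assembled from the lines in the answer above.
CONFIG = """
static (dmz,outside) 1.1.1.2 192.168.1.10 netmask 255.255.255.255
static (dmz,outside) tcp 1.1.1.1 8080 192.168.1.10 80 netmask 255.255.255.255
access-list outside_access permit tcp 2.2.2.0 255.255.255.0 host 1.1.1.2 eq 80
access-list outside_access permit tcp any host 1.1.1.1 eq 8080
"""


def parse_config(text):
    """Split PIX 'static' and 'access-list' lines into simple tuples."""
    statics, acl = [], []
    for line in text.strip().splitlines():
        f = line.split()
        if f[0] == "static" and f[2] == "tcp":   # port static: gip gport rip rport
            statics.append((f[3], int(f[4]), f[5], int(f[6])))
        elif f[0] == "static":                    # one-to-one static: all ports
            statics.append((f[2], None, f[3], None))
        elif f[0] == "access-list":
            # access-list NAME permit|deny tcp (any | host A | NET MASK) host B eq PORT
            action, i = f[2], 4
            if f[i] == "any":
                net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
            elif f[i] == "host":
                net, i = ipaddress.ip_network(f[i + 1] + "/32"), i + 2
            else:
                net, i = ipaddress.ip_network(f"{f[i]}/{f[i + 1]}"), i + 2
            acl.append((action, net, f[i + 1], int(f[i + 3])))
    return statics, acl


def evaluate(cfg, src_ip, dst_ip, dst_port):
    """Return the (real_ip, real_port) the packet is delivered to, or None if dropped."""
    statics, acl = cfg
    src = ipaddress.ip_address(src_ip)
    permitted = False
    for action, net, dhost, dport in acl:         # first match wins, implicit deny
        if src in net and dhost == dst_ip and dport == dst_port:
            permitted = action == "permit"
            break
    if not permitted:
        return None
    for gip, gport, rip, rport in statics:        # which static owns the public address?
        if gip == dst_ip and gport in (None, dst_port):
            return (rip, dst_port if gport is None else rport)
    return None                                   # no translation: nothing to forward to


CFG = parse_config(CONFIG)
```

Running `evaluate(CFG, "3.3.3.3", "1.1.1.2", 80)` returns None even though the one-to-one static covers every port, because only the partner's 2.2.2.0/24 is permitted; `evaluate(CFG, "3.3.3.3", "1.1.1.1", 8080)` returns `("192.168.1.10", 80)`, showing the port rewrite.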
Collin Clark Thu, 02/01/2007 - 12:35

For outside users to access the DMZ server, you need one static NAT, like your example. That creates the connectivity from the outside to the DMZ. If you need to restrict who can access the resource, use an ACL.

Going from the DMZ to the inside you could use NAT, but it's easier to route and again use the ACL to restrict access. I am confused on part of your post,

"this is then proxied and a new session from the dmz to a server on the inside."

Is the DMZ server a reverse proxy? Does it get info on the inside to present the outside user? Is it redirecting the user to an inside server?

HTH and please rate.

carl.forbes Thu, 02/01/2007 - 13:55

Thanks for the reply.

The proxy is an application proxy.

For the connection to the DMZ, using an ACL for restriction will only additionally give me port filtering, as I will need a static NAT statement for each user?

Do I address the dmz server to that of the PIX outside interface to ensure it's internet routable? I can't understand how the packet routes there??? - apologies how basic the question is.

Thanks, a confused WAN engineer. LANs are a totally different kettle of fish!

