02-27-2007 06:54 AM - edited 03-11-2019 02:38 AM
Hi, I have a T1 with a class C that is subnetted into two for the Outside
and DMZ networks, with the Inside using private IP addresses. My question is
how do I configure the DMZ to use the public addresses without NATing to
the Outside IP address. All the config samples I found use an Outside
public IP address NATed to the DMZ private network, i.e., a DMZ web
server using an IP address from the Outside network.
http://www.cisco.com/warp/public/110/mailserver.html
I am looking for sample configuration that uses public IP on the
Outside, public IP on DMZ and Private IP on the Inside.
TIA,
BK
02-27-2007 07:47 AM
Hi, this is very simple.
First of all, I am sure that your security level for the DMZ will be higher as compared to the outside interface, as you are using public IPs in the DMZ segment.
If you are talking about traffic initiated from the DMZ to the outside without NATing to the outside IP, because the DMZ is already using public IPs:
If you are using code 7.0 and above, by default no nat-control is enabled. It means NATing is not mandatory for traffic from a higher security level interface to a lower one, like in your case from DMZ to outside.
You can check whether nat-control is disabled or not with the command
sh run nat-control
If nat-control is disabled then it should solve your problem.
If nat-control is enabled then NATing is required from a higher to a lower security level interface.
In this case either you can disable nat-control with the no nat-control command in global config mode,
or you can do a nat 0, that is NAT exemption, for traffic from DMZ to outside, which means it will not translate traffic going from DMZ to outside.
E.g.: your DMZ subnet is 1.1.1.0/24 which you don't want to be NATed to the outside IP while going out.
nat (dmz) 0 1.1.1.0 255.255.255.0
This does the required job.
I hope this solves your query.
If you have more questions do write back.
regards
sebastan
03-01-2007 11:06 PM
I am using PIX v7.1, and I tried your recommendation. I have the dmz at security level 10 and the inside at security level 100.
I am NATing from inside out but I don't want to NAT from dmz to outside; is this correct?
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 205.158.25.64 255.255.255.192
With this configuration, will I be able to access any host in the dmz? TIA.
03-02-2007 03:56 AM
As per your requirements, assuming that the server on the DMZ is x.x.x.x (which is a public IP address), you can configure your PIX to allow traffic to this server from outside as shown below:
static (dmz,outside) x.x.x.x x.x.x.x
access-list outside_in extended permit tcp any host x.x.x.x eq 25
access-group outside_in in interface outside
Notice that we have used the same IP address twice in the static command. Normally one of those IP addresses is the private IP address when the server on the DMZ is given a private IP address. This form of the static command is called a "self-static". You can use the same template in your scenario with your existing access-lists/groups.
Hope this helps.
Regards,
Vibhor.
03-02-2007 12:50 PM
I tried the above suggestions, but I cannot access port 25 on the host inside the DMZ. And the dmz host cannot go to the Internet or ping anything other than the DMZ interface.
access-list acl_out line 36 extended permit tcp any host 205.158.XX.XX eq smtp
static (dmz,outside) 205.158.XX.XX 205.158.XX.XX netmask 255.255.255.255
access-list acl_dmz extended permit tcp host 205.158.XX.XX any
access-group acl_dmz in interface dmz
Any other suggestions, TIA.
03-02-2007 12:57 PM
Is that your entire access-list acl_dmz? If so, that would explain why you cannot ping.
03-03-2007 10:47 PM
Here is the config for the dmz, but I cannot ping or telnet to port 25 on the dmz host.
access-list acl_dmz extended permit tcp any host 205.158.XX.YY eq smtp
access-list acl_dmz extended permit icmp any any
access-group acl_dmz in interface dmz
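To make the three mechanisms this thread touches concrete (an interface ACL applied "in" filters traffic arriving on that interface, so its permit lines must name the DMZ hosts as source; a self-static is what lets an outside-initiated connection reach a public-IP DMZ host; nat-control with nat 0 governs DMZ-initiated traffic), here is an added Python model of how a PIX 7.x decides whether a new connection is allowed. It is not code from the thread or from Cisco; the config is constructed from the thread's lines with the masked XX/YY octets replaced by a placeholder host .70, nat-control switched on to exercise that case, and the outside interface assumed at security level 0.

```python
import re
from ipaddress import ip_address, ip_network
LEVELS = {"outside": 0, "dmz": 10, "inside": 100}  # dmz/inside as stated in the thread; outside 0 assumed
# Constructed config modelled on the thread: masked octets replaced by the placeholder
# host 205.158.25.70, nat-control enabled to exercise the case sebastan describes.
CONFIG = """\
nat-control
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 205.158.25.64 255.255.255.192
static (dmz,outside) 205.158.25.70 205.158.25.70 netmask 255.255.255.255
access-list acl_out extended permit tcp any host 205.158.25.70 eq smtp
access-group acl_out in interface outside
access-list acl_dmz extended permit tcp any host 205.158.25.70 eq smtp
access-list acl_dmz extended permit icmp any any
access-group acl_dmz in interface dmz
"""
ACL_RE = re.compile(r"access-list (\S+) extended permit (\S+) (any|host \S+) (any|host \S+)(?: eq (\S+))?")
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+)")  # static (real_if,mapped_if) mapped_ip real_ip

def parse(text):
    cfg = {"acl": {}, "group": {}, "static": [], "nat": {}, "nat_control": False}
    for line in filter(str.strip, text.splitlines()):
        w = line.split()
        if w[0] == "nat-control":
            cfg["nat_control"] = True
        elif w[0] == "access-list":            # stored as (proto, src, dst, port)
            m = ACL_RE.match(line)
            cfg["acl"].setdefault(m[1], []).append(m.groups()[1:])
        elif w[0] == "access-group":           # access-group NAME in interface IF
            cfg["group"][w[4]] = w[1]
        elif w[0] == "static":
            cfg["static"].append(STATIC_RE.match(line).groups())
        elif w[0] == "nat":                    # nat (IF) ID NET MASK; ID 0 is NAT exemption
            cfg["nat"].setdefault(w[1].strip("()"), []).append(ip_network(f"{w[3]}/{w[4]}", strict=False))
    return cfg

def _hit(spec, ip): return spec == "any" or spec.split()[1] == ip

def check_flow(cfg, src_if, src, dst_if, dst, proto, port=None):
    # The ACL bound "in" on src_if sees traffic *arriving* on it, i.e. sourced by hosts behind it.
    name = cfg["group"].get(src_if)
    allowed = (LEVELS[src_if] > LEVELS[dst_if] if name is None else any(   # no ACL: implicit higher->lower only
        p == proto and _hit(s, src) and _hit(d, dst) and pt in (None, port)
        for p, s, d, pt in cfg["acl"][name]))
    if not allowed: return False, f"{src_if} ACL has no permit for {proto} {src} -> {dst}"
    if LEVELS[src_if] < LEVELS[dst_if]:  # lower -> higher: a static must map the destination address
        if not any(r == dst_if and mi == src_if and g == dst for r, mi, g, _ in cfg["static"]):
            return False, f"no static ({dst_if},{src_if}) for {dst}"
    elif cfg["nat_control"] and not any(ip_address(src) in n for n in cfg["nat"].get(src_if, [])):
        return False, f"nat-control on and no nat/nat 0 rule covers {src} on {src_if}"
    return True, "permitted"
```

Run against the constructed config, outside-to-DMZ SMTP passes (acl_out plus the self-static), while DMZ-initiated TCP is refused because acl_dmz names the DMZ host as destination rather than source; adding a `permit tcp host 205.158.25.70 any` line to acl_dmz is what lets the DMZ host out.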