PIX 515e Static NAT/DMZ Issue

Answered Question
May 11th, 2007

I have a 515e, 6.3(4) with an internal interface and a DMZ. The DMZ interface is 10.0.20.1 and the outside interface is 69.xxx.yyy.188/28

I have set up a web server which is currently the only device in the DMZ. I need to make a static mapping to this box but for some reason I just can't get it to work. The web server's local address is 10.0.20.100 and the public address that I need to statically map it to is 69.xxx.yyy.187/28


Here's my config so far:


interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

ip address outside 69.xxx.yyy.188 255.255.255.240
ip address inside 192.168.20.1 255.255.255.0
ip address dmz 10.0.20.1 255.255.255.0

access-list dmz_in permit ip any any
access-list outside_in permit ip host 69.xxx.yyy.187 any

global (outside) 1 interface
global (dmz) 1 10.0.20.110-10.0.20.120
nat (inside) 1 Inside_LAN 255.255.255.0 0 0
nat (dmz) 1 dmz 255.255.255.0 0 0
static (outside,dmz) 10.0.20.100 69.xxx.yyy.187 netmask 255.255.255.255 0 0

access-group outside_in in interface outside
access-group dmz_in in interface dmz


I have the access-lists open for troubleshooting purposes... The global (dmz) statement is temporary so that I can access the DMZ from my inside network.

Any help would be greatly appreciated.


Thanks,

Paul



PDEdwards Fri, 05/11/2007 - 07:07

Paul


You need to make the static mapping from the high security to low security interface:

i.e

static (dmz,outside) 69.xx.yy.187 10.0.20.100 netmask 255.255.255.255


As you are allowing access from a low to high security interface you need an acl which should go as follows:


access-list outside_in permit ip any host 69.xx.yy.187

Above allows access from any ip to your web server.

Regds

pstebner1 Fri, 05/11/2007 - 07:20

Thanks for the reply-

I actually got that line wrong in my posting. I do have static (dmz,outside) and not the other way around.

I did change my access list, as you were correct with that, but it still does not work. The access-list doesn't show any hits, either.

Any other suggestions?


Thanks,

Paul

acomiskey Fri, 05/11/2007 - 07:29

Post your new config.

pstebner1 Fri, 05/11/2007 - 07:37

Here is the newer config:


interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

ip address outside 69.xxx.yyy.188 255.255.255.240
ip address inside 192.168.20.1 255.255.255.0
ip address dmz 10.0.20.1 255.255.255.0

access-list dmz_in permit ip any any
access-list outside_in permit ip any host 69.xxx.yyy.187

global (outside) 1 interface
global (dmz) 1 10.0.20.110-10.0.20.120
nat (inside) 1 Inside_LAN 255.255.255.0 0 0
nat (dmz) 1 dmz 255.255.255.0 0 0
static (dmz,outside) 69.xxx.yyy.187 10.0.20.100 netmask 255.255.255.255 0 0

access-group outside_in in interface outside
access-group dmz_in in interface dmz

acomiskey Fri, 05/11/2007 - 07:51

Nothing wrong there, clear xlate?

pstebner1 Fri, 05/11/2007 - 07:55

Did it. Still no dice. That's why I'm so confused!

acomiskey Fri, 05/11/2007 - 08:26

Have you tried using the interface IP instead, just to see if that works?


access-list outside_in permit ip any interface outside

static (dmz,outside) interface 10.0.20.100 netmask 255.255.255.255 0 0

pstebner1 Fri, 05/11/2007 - 08:33

This PIX is actually in production right now, and there's no chance that I can do that, at least during business hours...


P

acomiskey Fri, 05/11/2007 - 08:51

You are trying to hit 69.xxx.yyy.187 from outside the firewall right?

pstebner1 Fri, 05/11/2007 - 09:22

Yes. I'm not THAT much of a newbie!


When inside of the network, however, I notice that as soon as I put in the static command the server loses internet access. It works fine with PAT, but of course then it isn't accessible from the outside.

Correct Answer
acomiskey Fri, 05/11/2007 - 09:26

Haha, no offense you never know who you're dealing with. There was a similar post here within the last few days. I believe it was an arp issue on the isp router. Something to consider.

Jon Marshall Fri, 05/11/2007 - 09:40

Hi


It shouldn't make a difference, but you do have overlapping NAT statements, i.e.

global (outside) 1 interface
nat (dmz) 1 dmz 255.255.255.0 0 0
static (dmz,outside) 69.xxx.yyy.187 10.0.20.100 netmask 255.255.255.255 0 0

If the web server is the only device in the DMZ, could you not just remove your

nat (dmz) 1 dmz 255.255.255.0 0 0

statement?


Jon

pstebner1 Fri, 05/11/2007 - 09:59

Yeah, I know. I had that there because if I remove the static statement then I can get internet access on the box.

One thing that I just noticed - not sure if it makes a difference - on my internet router if I do a sh ip arp I see the arp from .187 as being incomplete.


Any thoughts?

pstebner1 Fri, 05/11/2007 - 12:19

Mr. Comiskey-

Thanks for all of your help. You actually pointed me in the right direction to find the answer: The other guy that had this issue fixed it by turning on proxyarp. Worked for me too.


no sysopt noproxyarp outside


There it was, all along.


Thanks, guys


Paul
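The thread touches three separate things that can make a static like this one fail silently: the inbound ACL written with the mapped address as source instead of destination (PDEdwards's correction), proxy ARP disabled on the outside interface so the ISP router's ARP entry for the mapped address stays incomplete (the actual fix), and a dynamic `nat (dmz)` rule overlapping the static (Jon Marshall's point). The script below is an added example, not code from the thread or from Cisco: it parses the plain forms of the PIX 6.x commands used above and reports all three conditions. The two embedded configs are constructed from the posted one; 203.0.113.0/28 stands in for the obfuscated 69.xxx.yyy block, and literal networks replace the `Inside_LAN` and `dmz` names that the original resolves through the `name` command.

```python
"""Static NAT sanity checks for a PIX 6.x-style config (added example, not the
thread's or Cisco's code). For each `static (real_if,mapped_if) mapped real ...`:
  1. the mapped address must be on the mapped interface's subnet, and unless it
     is the interface's own address, proxy ARP must be on for that interface
     (no `sysopt noproxyarp <mapped_if>`); otherwise the upstream router's ARP
     entry for the address stays incomplete, as seen in the thread;
  2. the inbound ACL on the mapped interface needs a permit whose destination
     covers the mapped address (the address as source, as in the first post,
     matches nothing arriving from outside);
  3. a dynamic `nat (real_if) ...` also covering the real host is reported as
     informational overlap (the static takes precedence).
Only the plain command forms used in the thread are parsed.
"""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_config(text):
    cfg = {"ip": {}, "static": [], "noproxyarp": set(), "acl": {}, "bind": {}, "nat": []}
    for raw in text.splitlines():
        line, tok = raw.strip(), raw.split()
        if not tok or tok[0][0] in "!:":              # comments / "Saved" banners
            continue
        if tok[:2] == ["ip", "address"] and len(tok) >= 5:
            cfg["ip"][tok[2]] = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}")
        elif tok[0] == "static" and tok[2] not in ("tcp", "udp"):   # port statics skipped
            m = re.match(r"static \((\w+),(\w+)\) (\S+) (\S+)", line)
            cfg["static"].append(m.groups())          # (real_if, mapped_if, mapped, real)
        elif tok[:2] == ["sysopt", "noproxyarp"]:
            cfg["noproxyarp"].add(tok[2])
        elif tok[0] == "access-list" and tok[2] == "permit":
            cfg["acl"].setdefault(tok[1], []).append(tok[3:])   # [proto, src spec, dst spec]
        elif tok[0] == "access-group":
            cfg["bind"][tok[4]] = tok[1]                          # interface -> inbound ACL
        elif tok[0] == "nat":
            m = re.match(r"nat \((\w+)\) \d+ (\S+) (\S+)", line)
            try:
                cfg["nat"].append((m.group(1), ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)))
            except (AttributeError, ValueError):
                pass   # `nat (x) 0 access-list ...` or a symbolic `name`: not resolved here
    return cfg


def _addr_spec(tok, cfg):
    """Consume one ACL address spec (any | host A | interface IF | A MASK); return (network, rest)."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    if tok[0] == "interface":
        return ipaddress.ip_network(str(cfg["ip"][tok[1]].ip)), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]


def _permits_inbound_to(ace, ip, cfg):
    """True if the ACE's destination covers ip and its source is not ip itself (ports ignored)."""
    src, rest = _addr_spec(ace[1:], cfg)        # ace[0] is the protocol
    dst, _ = _addr_spec(rest, cfg)
    return ip in dst and not (src.num_addresses == 1 and ip in src)


def check_statics(cfg):
    findings = []
    for real_if, mapped_if, mapped, real in cfg["static"]:
        outer = cfg["ip"][mapped_if]
        m_ip = outer.ip if mapped == "interface" else ipaddress.ip_address(mapped)
        r_ip = ipaddress.ip_address(real)
        if m_ip not in outer.network:
            findings.append(f"{m_ip}: off the {mapped_if} subnet {outer.network}, needs an upstream route")
        elif m_ip != outer.ip and mapped_if in cfg["noproxyarp"]:
            findings.append(f"{m_ip}: proxy ARP disabled on {mapped_if}, upstream ARP for it will stay incomplete")
        acl = cfg["acl"].get(cfg["bind"].get(mapped_if), [])
        if not any(_permits_inbound_to(ace, m_ip, cfg) for ace in acl):
            findings.append(f"{m_ip}: no permit on {mapped_if} inbound ACL with {m_ip} as destination")
        for nat_if, net in cfg["nat"]:
            if nat_if == real_if and r_ip in net:
                findings.append(f"{r_ip}: also matched by dynamic nat ({nat_if}) {net}; static takes precedence")
    return findings


# Constructed configs modelled on the thread: 203.0.113.0/28 stands in for the
# obfuscated 69.xxx.yyy block, literal networks replace the `name` entries.
BEFORE = """\
ip address outside 203.0.113.188 255.255.255.240
ip address inside 192.168.20.1 255.255.255.0
ip address dmz 10.0.20.1 255.255.255.0
access-list dmz_in permit ip any any
access-list outside_in permit ip host 203.0.113.187 any
global (outside) 1 interface
nat (inside) 1 192.168.20.0 255.255.255.0 0 0
nat (dmz) 1 10.0.20.0 255.255.255.0 0 0
static (dmz,outside) 203.0.113.187 10.0.20.100 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group dmz_in in interface dmz
sysopt noproxyarp outside
"""
# The thread's three fixes applied: ACL direction, dynamic nat removed, proxy ARP back on.
AFTER = (BEFORE.replace("permit ip host 203.0.113.187 any", "permit ip any host 203.0.113.187")
         .replace("nat (dmz) 1 10.0.20.0 255.255.255.0 0 0\n", "")
         .replace("sysopt noproxyarp outside\n", ""))

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_statics(parse_config(text)) or ["clean"])
```

Run as-is it reports three findings for the "before" config and none for the "after" one. The `interface` form acomiskey suggested (`static (dmz,outside) interface 10.0.20.100 ...`) passes the proxy ARP check regardless of `sysopt noproxyarp`, because the firewall always answers ARP for its own interface address; that is why it is a useful isolation test when the mapped address is a spare one from the block. The ARP-side symptom the OP saw (an incomplete entry for .187 on the ISP router) is exactly what finding 1 predicts.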

