PIX Firewall NAT statement whe using multiple firewalls

Unanswered Question

I have a PIX-515 firewall at my CoLocation datacenter to secure my network. At my main datacenter I have Sonicwall 4100. My company supports multiple clients in the building and uses the Sonicwall to keep their networks separate. Also, it too has an Internet connection. Clients when browsing web pages etc... will use this connection and servers use the PIX. This way I can keep traffic separate and better use my bandwidth. Both datacenters are connected by a private 100Mbs fiber connection and I can ping the CoLo PIX from a client computer so I know my routes are ok.

My problem is that a client has a web server that they want on the Internet, but it must stay on their local segment i.e. I cannot place it on the same VLAN as my other servers. Since it is manditory that all servers go out the CoLo PIX I run into issues. I can easily give them a public IP address on the PIX, but once the traffic hits the webserver and tries to go back out to the Internet, the Sonicwall's default gateway kicks in and the packets are never returned to the PIX. Is there a way on the PIX that I can make a rule to sort of trick the Sonciwall that the traffic is coming from my inside interface instead of the outside? This way my Sonicwall would see traffic coming from 10.20.50.1. When the traffic comes back from the webserver, the Sonicwall knows that it is not a public IP and can route the packet back to the PIX. The Sonicwall internal routing works properly as I can get to every subnet without issues on my network.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jon Marshall Fri, 01/25/2008 - 06:20

Hi

If i understand correctly you want to NAT all the incoming source IP addresses from the internet to the inside interface of the pix ?

If so

Public server IP address = 195.174.10.1

access-list NATIN permit tcp any host 195.174.10.1 eq www

nat (outside) 1 access-list NATIN outside

global (inside) 1 interface

You may need to change the nat and global id's ie. 1 in the above example depending on what you already have on your pix.

HTH

Jon

Jon Marshall Fri, 01/25/2008 - 07:54

No, i mean the source IP addresses which will be source IP addresses of users on the Internet.

The config i have you NAT's all source IP addresses to the pix internal interface so the web servers thinks the packet has been sent by the pix internal interface.

Is this not what you wanted ?

Jon

Maybe I just worded my last reply wrong...

So what you are saying...

Public server IP address = 195.174.10.1

* This would be my webserver correct?

access-list NATIN permit tcp any host 195.174.10.1 eq www

* This is the ACL that allows any host on the web to connect to the web server

nat (outside) 1 access-list NATIN outside

* This says to NAT everything in this access list

global (inside) 1 interface

* This applies it to the interface

Am I correct with the above statements?

Jon Marshall Fri, 01/25/2008 - 09:07

Public server IP address = 195.174.10.1

* This would be my webserver correct?

Yes correct.

access-list NATIN permit tcp any host 195.174.10.1 eq www

* This is the ACL that allows any host on the web to connect to the web server

Not quite - this acl is not used to allow traffic, it used to tell the pix which traffic to NAT. You would also need to add a line into yor existing acl that allows traffic to this webserver.

nat (outside) 1 access-list NATIN outside

* This says to NAT everything in this access list

Yes

global (inside) 1 interface

* This applies it to the interface

Not quite. Because the id ie. 1 is the same this ties the global statment to the nat statement. So the nat statement tells the pix what to nat, the global statement tells it what to nat to. In this case the IP address of the pix inside interface. If you wanted to use a different IP address

global (inside) 1 "ip address".

So a user on the Internet opens their browser and types in http://195.174.10.1. The users pc address is 212.10.12.1

When the packet gets to the pix

source IP = 212.10.12.1

destination IP = 195.174.10.1

The pix changes the 195.174.10.1 to the private address, whatever you have eg.

static (inside,outside) 195.174.10.1 192.168.5.2 netmask 255.255.255.255

It then changes the source IP address to whatever the inside interface address of the pix is - in this example 192.168.4.1

So now the pix is through the pix onto your network

source = 192.168.4.1

destination = 192.168.5.2

Is this what you want to happen ?

Jon

Because the id ie. 1 is the same this ties the global statment to the nat statement...Since I am already using 1 for

global (outside) 1 20.25.13.9 netmask 255.255.255.255

It is ok for this case to use a different number correct such as 2 or 3...just so the statements are linked by the number.

And yes based on your last comment this is exactly what I am looking for

Jon Marshall Fri, 01/25/2008 - 09:17

Yes, use a different id. As long as it is the same number for the relevant nat and global statements.

Jon

Actions

This Discussion