01-25-2008 05:37 AM - edited 03-05-2019 08:42 PM
I have a PIX-515 firewall at my CoLocation datacenter to secure my network. At my main datacenter I have a Sonicwall 4100. My company supports multiple clients in the building and uses the Sonicwall to keep their networks separate. Also, it too has an Internet connection. Clients, when browsing web pages etc., use this connection, and servers use the PIX. This way I can keep traffic separate and better use my bandwidth. Both datacenters are connected by a private 100 Mb/s fiber connection, and I can ping the CoLo PIX from a client computer, so I know my routes are OK.
My problem is that a client has a web server that they want on the Internet, but it must stay on their local segment, i.e. I cannot place it on the same VLAN as my other servers. Since it is mandatory that all servers go out the CoLo PIX, I run into issues. I can easily give them a public IP address on the PIX, but once the traffic hits the web server and tries to go back out to the Internet, the Sonicwall's default gateway kicks in and the packets are never returned to the PIX. Is there a way on the PIX that I can make a rule to sort of trick the Sonicwall into thinking the traffic is coming from my inside interface instead of the outside? This way my Sonicwall would see traffic coming from 10.20.50.1. When the traffic comes back from the web server, the Sonicwall knows that it is not a public IP and can route the packet back to the PIX. The Sonicwall internal routing works properly, as I can get to every subnet without issues on my network.
01-25-2008 06:20 AM
Hi
If I understand correctly, you want to NAT all the incoming source IP addresses from the Internet to the inside interface of the pix?
If so
Public server IP address = 195.174.10.1
access-list NATIN permit tcp any host 195.174.10.1 eq www
nat (outside) 1 access-list NATIN outside
global (inside) 1 interface
You may need to change the nat and global IDs, i.e. 1 in the above example, depending on what you already have on your pix.
HTH
Jon
01-25-2008 07:33 AM
When you refer to all incoming IPs...are you talking about only the public IP I am using for my webserver?
01-25-2008 07:54 AM
No, I mean the source IP addresses, which will be the source IP addresses of users on the Internet.
The config I gave you NATs all source IP addresses to the pix internal interface, so the web server thinks the packet has been sent by the pix internal interface.
Is this not what you wanted ?
Jon
01-25-2008 08:57 AM
Maybe I just worded my last reply wrong...
So what you are saying...
Public server IP address = 195.174.10.1
* This would be my webserver correct?
access-list NATIN permit tcp any host 195.174.10.1 eq www
* This is the ACL that allows any host on the web to connect to the web server
nat (outside) 1 access-list NATIN outside
* This says to NAT everything in this access list
global (inside) 1 interface
* This applies it to the interface
Am I correct with the above statements?
01-25-2008 09:07 AM
Public server IP address = 195.174.10.1
* This would be my webserver correct?
Yes correct.
access-list NATIN permit tcp any host 195.174.10.1 eq www
* This is the ACL that allows any host on the web to connect to the web server
Not quite - this acl is not used to allow traffic; it is used to tell the pix which traffic to NAT. You would also need to add a line into your existing acl that allows traffic to this web server.
nat (outside) 1 access-list NATIN outside
* This says to NAT everything in this access list
Yes
global (inside) 1 interface
* This applies it to the interface
Not quite. Because the ID, i.e. 1, is the same, this ties the global statement to the nat statement. So the nat statement tells the pix what to NAT, and the global statement tells it what to NAT to - in this case the IP address of the pix inside interface. If you wanted to use a different IP address:
global (inside) 1 "ip address".
So a user on the Internet opens their browser and types in http://195.174.10.1. The users pc address is 212.10.12.1
When the packet gets to the pix
source IP = 212.10.12.1
destination IP = 195.174.10.1
The pix changes the 195.174.10.1 to the private address, whatever you have eg.
static (inside,outside) 195.174.10.1 192.168.5.2 netmask 255.255.255.255
It then changes the source IP address to whatever the inside interface address of the pix is - in this example 192.168.4.1
So now the packet is through the pix onto your network
source = 192.168.4.1
destination = 192.168.5.2
Is this what you want to happen ?
Jon
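To make the two translations Jon walks through above concrete, here is an added illustration (not code from the thread, nor from Cisco): a small Python model that parses the posted static, access-list, nat and global lines, applies them to a client request, and then reverses them on the web server's reply. The config text is constructed from Jon's lines (nat/global ID 2, since the poster already uses 1), 192.168.4.1 is the inside-interface address from Jon's example, and the Sonicwall route table and the PAT port choice are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed from the lines posted in the thread; ID 2 because the poster
# already has nat/global ID 1 in use.
PIX_CONFIG = """
static (inside,outside) 195.174.10.1 192.168.5.2 netmask 255.255.255.255
access-list NATIN permit tcp any host 195.174.10.1 eq www
nat (outside) 2 access-list NATIN outside
global (inside) 2 interface
"""
INSIDE_IF_IP = "192.168.4.1"          # Jon's example inside-interface address
PORT_NAMES = {"www": 80, "http": 80, "https": 443}
# Assumed Sonicwall routing: the PIX inside subnet via the fiber, all else to its own Internet link.
SONICWALL_ROUTES = {"192.168.4.0/24": "PIX", "0.0.0.0/0": "Internet"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


def _addr(tokens, i):
    """Read an ACL address spec ('any' or 'host X'); return (spec, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError("unsupported address spec: " + tokens[i])


class Pix:
    def __init__(self, config, inside_if_ip):
        self.inside_if_ip = inside_if_ip
        self.statics = {}     # public -> private, from 'static (inside,outside)'
        self.acls = {}        # name -> [(proto, src, dst, dport)]
        self.nat_rules = []   # (interface, nat_id, acl_name) from policy 'nat'
        self.globals = {}     # (interface, nat_id) -> address or 'interface'
        self.xlate = {}       # translated (src, sport, dst, dport) -> original packet
        self.next_pat_port = 1024   # assumed: simple sequential PAT port allocation
        for line in config.strip().splitlines():
            self._parse(line.split())

    def _parse(self, t):
        if t[0] == "static":
            self.statics[t[2]] = t[3]
        elif t[0] == "access-list" and t[2] == "permit":
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)            # t[i] is 'eq', t[i+1] the port
            dport = int(PORT_NAMES.get(t[i + 1], t[i + 1]))
            self.acls.setdefault(t[1], []).append((t[3], src, dst, dport))
        elif t[0] == "nat" and t[3] == "access-list":
            self.nat_rules.append((t[1].strip("()"), t[2], t[4]))
        elif t[0] == "global":
            self.globals[(t[1].strip("()"), t[2])] = t[3]

    def _acl_matches(self, name, pkt):
        return any(proto == pkt.proto and src in ("any", pkt.src)
                   and dst in ("any", pkt.dst) and dport == pkt.dport
                   for proto, src, dst, dport in self.acls.get(name, []))

    def inbound(self, pkt):
        """Outside -> inside: the static rewrites the destination; the policy NAT
        (matched on the public, pre-translation destination) rewrites the source to
        the inside-interface address plus a PAT port. The pair is recorded as an xlate."""
        if pkt.dst not in self.statics:
            raise ValueError("no static for " + pkt.dst)
        new = replace(pkt, dst=self.statics[pkt.dst])
        for iface, nat_id, acl in self.nat_rules:
            if iface == "outside" and self._acl_matches(acl, pkt):
                g = self.globals[("inside", nat_id)]
                new = replace(new, src=self.inside_if_ip if g == "interface" else g,
                              sport=self.next_pat_port)
                self.next_pat_port += 1
                break
        self.xlate[(new.src, new.sport, new.dst, new.dport)] = pkt
        return new

    def reply(self, pkt):
        """Inside -> outside: undo the xlate built by inbound(). Without the source
        NAT the reply never reaches the PIX at all, which is the poster's problem."""
        orig = self.xlate.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            raise LookupError("no xlate entry for this reply")
        return replace(pkt, src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


def sonicwall_next_hop(dst):
    """Longest-prefix match against the assumed Sonicwall route table."""
    addr = ipaddress.ip_address(dst)
    hits = [ipaddress.ip_network(p) for p in SONICWALL_ROUTES if addr in ipaddress.ip_network(p)]
    return SONICWALL_ROUTES[str(max(hits, key=lambda n: n.prefixlen))]


def trace(client_ip="212.10.12.1", client_port=51000):
    """Walk one HTTP request and its reply through both boxes; returns each hop."""
    pix = Pix(PIX_CONFIG, INSIDE_IF_IP)
    request = Packet(client_ip, "195.174.10.1", client_port, 80)
    on_lan = pix.inbound(request)
    reply = Packet(on_lan.dst, on_lan.src, on_lan.dport, on_lan.sport)
    return {
        "request_on_lan": on_lan,                                  # src 192.168.4.1 -> dst 192.168.5.2
        "reply_next_hop": sonicwall_next_hop(reply.dst),           # "PIX": reply comes back over the fiber
        "reply_next_hop_without_nat": sonicwall_next_hop(client_ip),  # "Internet": the original problem
        "reply_on_internet": pix.reply(reply),                     # src 195.174.10.1 -> dst 212.10.12.1
    }


if __name__ == "__main__":
    for hop, value in trace().items():
        print(hop, value)
```

The trade-off a practitioner should note: once every client is rewritten to the inside-interface address, the web server's own access logs show 192.168.4.1 for all visitors, so the PIX's xlate and connection logging become the only record of which Internet address made a given request. Keep that logging on and retained if the server is ever the subject of an investigation.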
01-25-2008 09:15 AM
"Because the ID, i.e. 1, is the same, this ties the global statement to the nat statement..." Since I am already using 1 for
global (outside) 1 20.25.13.9 netmask 255.255.255.255
it is OK in this case to use a different number, correct, such as 2 or 3, just so the statements are linked by the number?
And yes based on your last comment this is exactly what I am looking for
01-25-2008 09:17 AM
Yes, use a different id. As long as it is the same number for the relevant nat and global statements.
Jon