NAT DMZ question

Unanswered Question
Oct 30th, 2008

I have a question about NATing I do not fully understand.

Normally when I think of NATing an IP Address, I think in terms of the outside interface and public address subnet. If I have a server on the inside network and an available public address in my subnet, I can NAT that server to the available address. The users accessing the NATed address are routed to the outside interface and then hit the NATed address which is translated to an inside or DMZ address.

So it is as if a device not on the outside interface of the firewall is routed to hit the interface, which has a NATed address from the public subnet on it

so,

Suppose I have an inside interface:

10.10.10.1

a DMZ interface

192.168.10.1

with a server

192.168.10.10

Now, If I have a host that I want to allow access to the DMZ server, and I NAT the inside host to the DMZ:

static (inside,DMZ) 10.10.10.10 10.10.10.10 netmask 255.255.255.255

If the DMZ server initiates traffic to the inside host, it is as if both of those devices are on the same interface.

So the DMZ server 192.168.10.10 hits the NATed address 10.10.10.10, which it sees on the same interface.

Does it work like a secondary interface on a router, that anything on the 192.168.10.0 network gets automatically routed to the 10.10.10.10 host?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Jon Marshall Thu, 10/30/2008 - 18:00

Richard

This is a quirk of Cisco firewalls and NAT. On most other firewalls you only need to NAT when you are actually changing the IP address whereas with Cisco (unless you turn off NAT) even if you want to present the same inside address to the outside you still need a NAT statement for it. I haven't seen this behaviour on any other firewalls but i don't claim to have worked on all different types of firewalls.

The DMZ server does not see 10.10.10.10 on the same interface. The DMZ server merely works out that 10.10.10.10 is on a different subnet than it is on and therefore sends it to it's default-gateway which should be the DMZ interface on the Pix. The pix then knows where to send it. But the server has no knowledge of this.

Jon

wilson_1234_2 Thu, 10/30/2008 - 19:29

Thanks jon.

I appreciate it.

Check out my update to the "office politics" post.

Actions

This Discussion