Regarding implementing Nat 0 in PIX

Dec 16th, 2008

Dear Team,


Can you please answer to following query:-


Regarding nat 0: it is said that when no translation is required we use nat 0. For example, if we are accessing some server (connected to the DMZ) from outside and the DMZ server has a public address, then we need nat 0. Why?

If someone from outside wants to access the DMZ server (public address), the request should come in on the outside interface of the PIX firewall, and since the DMZ server is connected to another interface of the firewall (the DMZ interface), the PIX firewall should automatically forward the request to the DMZ interface (or the DMZ server). If nat 0 is required in this case, then it means nat 0 will even be required when we are accessing from one machine (connected to one interface of the PIX) to another machine connected to a second interface of the PIX.

I do not think nat 0 is required in the case of Check Point in the same scenario.

John Blakley Wed, 12/17/2008 - 07:09

Generally, your DMZ will have a private address. You will use nat 0 in the case of say VPN tunnels, where you don't want private addresses translated between themselves. The translation will happen from outside to dmz, if dmz devices are privately addressed, but you wouldn't want your INSIDE addresses natted to the dmz.


HTH,


John

palsukh2002 Wed, 12/17/2008 - 16:13

What you are talking about is normal NAT, where someone accesses the DMZ (on a private network) from outside. Please consider the following case:

I have all the DMZ machines with public addresses. Then, to access the DMZ machines from outside, is nat 0 required? In the same way, when we are accessing the same DMZ machines from the internal network (private addresses), is nat 0 required? Why is nat 0 required in the above cases, because:


1. When we are accessing the DMZ network from outside, once the packet hits the outside interface of the firewall it will automatically go to the DMZ server (if the firewall policy permits), since the DMZ server is connected to the DMZ interface of the firewall and the firewall can reach the DMZ server without any nat 0.

2. In the same way, when the internal network (private addresses) accesses the same DMZ server, once the packet hits the internal interface the firewall will forward the packet to the DMZ server (since the DMZ server is connected to the firewall), as the firewall is intelligent and knows how to forward the packet to the server connected to another of its interfaces.

I believe in Check Point also we will only make sure about the routing so that the packet hits the firewall internal/external interface; afterwards the firewall will take care of routing the traffic between its connected interfaces.

Please note that here the DMZ server is in the same network as the IP address of the firewall DMZ interface.
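Added example, written for this thread and not taken from either poster or from Cisco documentation: a PIX 6.3-style configuration covering the two cases debated above (outside to a publicly addressed DMZ host, and inside to that same host), plus the VPN-style nat 0 exemption John mentions. Interface names, access-list names and all addresses (RFC 5737 documentation ranges) are constructed for illustration. The point it shows is that on PIX software which enforces translation (PIX 6.x always; PIX 7.x and later only when nat-control is enabled), routing between connected interfaces is not sufficient on its own: a flow from a higher-security interface to a lower-security one is dropped unless it matches a nat/global, static or nat 0 rule, and a flow from lower to higher security needs a static entry in addition to the access-list that permits it. An identity static or nat 0 keeps the public address unchanged while still satisfying that requirement.

```cisco
! Added example, not the original poster's configuration. PIX 6.3 syntax.
! All addresses and names below are constructed (RFC 5737 ranges).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.0.2.1 255.255.255.0

! Case 1: outside (security 0) -> dmz (security 50), lower to higher security.
! The PIX still needs a translation entry for the DMZ host even though its
! address is public. An identity static (same address on both sides) creates
! that entry without changing the address. The access-list is what actually
! permits the inbound flow; keep it as narrow as the service requires.
static (dmz,outside) 192.0.2.10 192.0.2.10 netmask 255.255.255.255
access-list OUTSIDE_IN permit tcp any host 192.0.2.10 eq www
access-group OUTSIDE_IN in interface outside

! Case 2: inside (security 100) -> dmz (security 50), higher to lower security.
! Without a matching nat rule the PIX drops the flow. Inside hosts going to the
! Internet are PAT'd behind the outside interface address...
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

! ...while inside -> dmz is exempted from translation with nat 0, so the DMZ
! host sees the real 10.1.1.0/24 source addresses. This is the same mechanism
! used to keep private addresses untranslated across a VPN tunnel: add the
! remote VPN subnet to the same exemption list.
access-list NONAT permit ip 10.1.1.0 255.255.255.0 192.0.2.0 255.255.255.0
access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Routing must still be correct: the PIX reaches 192.0.2.10 because it is
! directly connected on dmz, and the upstream router must send 192.0.2.0/24
! toward the outside interface address 203.0.113.2.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

To check which rule a flow would use, `show xlate` lists the translation slots (the identity static appears with identical global and local addresses) and `show nat` lists the nat 0 exemption. Note that nat 0 only removes the translation requirement; it does not by itself permit anything, so the access-list on the lower-security interface remains the control that decides who can reach the DMZ host.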
