PIX 515 6.3 DMZ

Answered Question
Jan 13th, 2009

Hi all,


I have a PIX 515 which no one needs and I was playing a bit trying to do this:

On the inside int I have 10.20.22.1 in Vlan 5 which has a SVI 10.20.22.254 on a L3 switch which at its turn is the default gateway for PC 1.

On the PIX another interface has 192.168.1.1 in vlan 6 with no SVI so the PIX is the default gateway for PC 2.

A PC2 is in this vlan.


I need to access PC1 from PC 2 and also the internet, and I did not really find how I have to do the NAT in the PIX from 192.168.1.0 to 10.20.22.254.

Inside has 100 sec level and the other int is 60.


Let's say that the outside int is connected to the internet and 10.20.22.0 is NAT-ed behind a public IP.

It's a PIX 6.3


Thanks,

V


Jon Marshall Tue, 01/13/2009 - 06:25

V


So your pix has 3 interfaces - inside, outside and a DMZ interface ?


So for PC2 to access PC1


PC1 = 10.20.22.10

PC2 = 192.168.1.10


static (inside,dmz) 10.20.22.10 10.20.22.10 netmask 255.255.255.255


access-list dmz_in permit ip host 192.168.1.10 host 10.20.22.10


access-group dmz_in in interface dmz


For internet - assuming your outside interface has a public IP address


nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface


Jon

hunnetvl01 Tue, 01/13/2009 - 06:37

Jon,


Thanks for this. I did not express myself well and I apologize.


I wanted to NAT the LAN in the DMZ behind an IP in Vlan 5 because the L3 switch has routes to other networks such as 10.8.6.0 and 10.8.74.2, which are very well accessible from vlan5.


Thx

vlad

Correct Answer
Jon Marshall Tue, 01/13/2009 - 06:58

Vlad


Apologies, I misunderstood.


nat (dmz) 1 192.168.1.0 255.255.255.0 dmz

global (inside) 1 interface


Note that you may or may not need the "dmz" keyword at the end of the NAT statement. If one doesn't work try the other.


Jon

hunnetvl01 Tue, 01/13/2009 - 06:59

I found this in an old document but I am not sure what exactly it does.

It was not explained.


nat (dmz) x 192.168.1.0 255.255.255.0 outside

global (inside) x 10.20.22.11


Thanks,

Vlad

Davy Ad Fri, 01/16/2009 - 01:25

Good one Jon!

Please, I need to explain the static NAT example you wrote to one of my colleagues. Could you please help explain "Static (inside,dmz) 10.20.22.10 10.20.22.20 netmask 255.255.255.255", why the IP addresses are the same, or send me a link on this?


Thanks

Jon Marshall Fri, 01/16/2009 - 03:59

Dave


"why the IP address are the same"


It's a bit of a pix idiosyncrasy. Assuming you are using NAT, i.e. you have not disabled NAT with "no nat-control", then for traffic to be allowed from a lower to a higher security interface you need 2 things:


1) a static NAT translation

2) an access-list rule allowing the traffic


So you have a host on the inside with an IP address of 10.20.22.10 and you want to access it from the DMZ. You want to be able to connect to the host on the inside using its real IP address.


Now on other vendor firewalls I have worked with you wouldn't need a NAT rule for this, because you only need a NAT rule when you want to change the IP address. But because of rule 1 above you still have to set up a NAT rule even though you want to use the same address, hence the reason you end up with


static (inside,DMZ) 10.20.22.10 10.20.22.10 netmask 255.255.255.255


Like I say, I have only come across this on a pix/asa.


Jon

Davy Ad Fri, 01/16/2009 - 04:34

Thanks,

I will give it a try on the Nokia Firewall, hope that will work as well.



DAK

f.eokezie Mon, 01/19/2009 - 12:12

Ade,

this Static Nat algorithm does not apply to Nokia checkpoint, only pix.


hunnetvl01 Tue, 01/20/2009 - 04:32

I am glad you found this topic interesting, but now I would like to post the solution for this PIX 6.3 issue in case someone is interested.


There is no bug as we previously thought, and no static is needed.

The only thing needed to make the DMZ access the inside is the NAT command and also the NAT 0.


So something like this:


nat (dmz) 1 192.168.1.0 255.255.255.0 outside

global (inside) 1 interface


nat (inside) 0 access-list dmz_in

where dmz_in is:


access-list dmz_in permit ip inside_lan 192.168.1.0


Regards,

vlad

Davy Ad Wed, 01/21/2009 - 00:27

Hi John,

What if there is nat 0 (no NAT)? How would the static NAT look?



DAK
