PIX 515 6.3 DMZ

hunnetvl01
Level 1

Hi all,

I have a PIX 515 which no one needs and I was playing a bit trying to do this:

On the inside interface I have 10.20.22.1 in VLAN 5, which has an SVI 10.20.22.254 on an L3 switch, which in turn is the default gateway for PC1.

On the PIX another interface has 192.168.1.1 in VLAN 6 with no SVI, so the PIX is the default gateway for PC2.

PC2 is in this VLAN.

I need to access PC1 from PC2 and also the internet, and I did not really find how I have to do the NAT in the PIX from 192.168.1.0 to 10.20.22.254.

Inside has security level 100 and the other interface is 60.

Let's say that the outside interface is connected to the internet and 10.20.22.0 is NATed behind a public IP.

It's a PIX 6.3.

Thanks,

V

Jon Marshall
Hall of Fame

V

So your PIX has 3 interfaces: inside, outside and a DMZ interface?

So for PC2 to access PC1

PC1 = 10.20.22.10

PC2 = 192.168.1.10

static (inside,dmz) 10.20.22.10 10.20.22.10 netmask 255.255.255.255

access-list dmz_in permit ip host 192.168.1.10 host 10.20.22.10

access-group dmz_in in interface dmz

For internet access, assuming your outside interface has a public IP address:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

Jon

Jon,

Thanks for this. I did not express myself well and I apologize.

I wanted to NAT the LAN in the DMZ behind an IP in VLAN 5 because the L3 switch has routes to other networks such as 10.8.6.0 and 10.8.74.2, which are very well accessible from VLAN 5.

Thx

vlad

Vlad

Apologies, i misunderstood.

nat (dmz) 1 192.168.1.0 255.255.255.0 dmz

global (inside) 1 interface

Note that you may or may not need the "dmz" keyword at the end of the NAT statement. If one doesn't work, try the other.

Jon

We posted at the same time! :)

Thanks a lot

Vlad

I found this in an old document but I am not sure what exactly it does. It was not explained.

nat (dmz) x 192.168.1.0 255.255.255.0 outside

global (inside) x 10.20.22.11

Thanks,

Vlad

Good One Jon!

Please, I need to explain the static NAT example you wrote to one of my colleagues. Could you please help to explain "Static (inside,dmz) 10.20.22.10 10.20.22.20 netmask 255.255.255.255", why the IP addresses are the same, or send me a link on this?

Thanks

Dave

"why the IP addresses are the same"

It's a bit of a PIX idiosyncrasy. Assuming you are using NAT, i.e. you have not disabled NAT with "no nat-control", then for traffic to be allowed from a lower to a higher security interface you need 2 things:

1) a static NAT translation

2) an access-list rule allowing the traffic

So you have a host on the inside with an IP address of 10.20.22.10 and you want to access it from the DMZ. You want to be able to connect to the host on the inside using its real IP address.

Now on other vendor firewalls I have worked with you wouldn't need a NAT rule for this, because you only need a NAT rule when you want to change the IP address. But because of rule 1 above you still have to set up a NAT rule even though you want to use the same address, hence the reason you end up with

static (inside,DMZ) 10.20.22.10 10.20.22.10 netmask 255.255.255.255

Like I say, I have only come across this on a PIX/ASA.

Jon

Thanks,

I will give it a try on a Nokia firewall, hope that will work as well.

DAK

Ade,

this static NAT algorithm does not apply to Nokia Checkpoint, only PIX.

Thanks Francis,

You are right!

I am glad you found this topic interesting, but now I would like to post the solution for this PIX 6.3 issue in case someone is interested.

There is no bug as we previously thought, and no static is needed.

The only thing needed to make the DMZ access the inside is the NAT command and also the NAT 0.

So something like this:

nat (dmz) 1 192.168.1.0 255.255.255.0 outside

global (inside) 1 interface

nat (inside) 0 access-list dmz_in

where dmz_in is:

access-list dmz_in permit ip 10.20.22.0 255.255.255.0 192.168.1.0 255.255.255.0

Regards,

vlad
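
Jon's two-requirement rule (a translation plus an ACL permit for lower-to-higher traffic) and the nat / nat 0 pair in Vlad's final post are easier to reason about when the checks are written down. The following is an added example, not part of the thread and not Cisco's code: a small Python model of PIX 6.3 nat-control behaviour as the posts describe it, which reports for a given flow whether it would pass and which configuration line supplied the translation. Interface names, security levels, addresses and ACL names are the thread's; the evaluation order and matching are a simplification, and the access-group applied to the DMZ in the second scenario (ACL name dmz_to_inside) is an assumption, since Vlad's post lists only the NAT lines.

```python
"""Toy model of the PIX 6.3 nat-control rules discussed in this thread.

Added educational example, not Cisco code: it encodes Jon's two requirements for
lower-to-higher traffic (a translation plus an ACL permit) and the outside-NAT /
nat 0 pair from Vlad's final post. Addresses and names come from the thread; the
matching logic is a simplification of real PIX behaviour.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


def net(addr, mask="255.255.255.255"):
    """Build a network the way PIX takes it: address plus dotted mask."""
    return ip_network(f"{addr}/{mask}")


@dataclass
class Pix:
    security: dict                                      # interface -> level (nameif)
    nat_control: bool = True
    statics: list = field(default_factory=list)         # (real_if, mapped_if, mapped_net, real_net)
    nats: list = field(default_factory=list)            # (iface, nat_id, net, has_outside_keyword)
    exempts: list = field(default_factory=list)         # (iface, acl): nat (iface) 0 access-list acl
    globals_: set = field(default_factory=set)          # (iface, nat_id): global (iface) nat_id ...
    acls: dict = field(default_factory=dict)            # acl name -> [(action, src_net, dst_net)]
    access_groups: dict = field(default_factory=dict)   # ingress interface -> acl name

    def acl_permits(self, name, src, dst):
        for action, src_net, dst_net in self.acls.get(name, []):
            if src in src_net and dst in dst_net:
                return action == "permit"
        return False  # implicit deny at the end of every ACL

    def translation(self, ingress, egress, src, dst):
        """Return the rule that supplies an xlate for this flow, or None."""
        for iface, acl in self.exempts:  # nat 0 access-list matches in both directions
            if (iface == ingress and self.acl_permits(acl, src, dst)) or (
                    iface == egress and self.acl_permits(acl, dst, src)):
                return f"nat ({iface}) 0 access-list {acl}"
        for real_if, mapped_if, mapped_net, real_net in self.statics:
            if (ingress, egress) == (real_if, mapped_if) and src in real_net:
                return f"static ({real_if},{mapped_if}) for the source"
            if (ingress, egress) == (mapped_if, real_if) and dst in mapped_net:
                return f"static ({real_if},{mapped_if}) for the destination"
        for iface, nat_id, src_net, outside in self.nats:
            if iface != ingress or src not in src_net or (egress, nat_id) not in self.globals_:
                continue
            # plain nat/global only translates towards lower security; 'outside' flips that
            if outside == (self.security[ingress] < self.security[egress]):
                tag = " outside" if outside else ""
                return f"nat ({iface}) {nat_id}{tag} + global ({egress}) {nat_id}"
        return None

    def allowed(self, ingress, egress, src, dst):
        """Decide whether a new flow from ingress to egress may pass, and say why."""
        src, dst = ip_address(src), ip_address(dst)
        acl = self.access_groups.get(ingress)
        if acl is not None and not self.acl_permits(acl, src, dst):
            return False, f"denied by access-list {acl} on {ingress}"
        if acl is None and self.security[ingress] <= self.security[egress]:
            return False, f"no access-group on {ingress}: lower-to-higher is denied by default"
        if not self.nat_control:
            return True, "permitted (nat-control disabled)"
        xlate = self.translation(ingress, egress, src, dst)
        if xlate is None:
            return False, "nat-control: no static/nat translation covers this flow"
        return True, f"permitted, translation from {xlate}"


def base_pix():
    """Three interfaces plus the inside-to-internet PAT from Jon's first reply."""
    pix = Pix(security={"outside": 0, "inside": 100, "dmz": 60})
    pix.nats.append(("inside", 1, net("0.0.0.0", "0.0.0.0"), False))  # nat (inside) 1 0.0.0.0 0.0.0.0
    pix.globals_.add(("outside", 1))                                  # global (outside) 1 interface
    return pix


def jon_first_answer():
    """static plus access-list, as in Jon's first reply."""
    pix = base_pix()
    pix.statics.append(("inside", "dmz", net("10.20.22.10"), net("10.20.22.10")))  # static (inside,dmz) 10.20.22.10 10.20.22.10
    pix.acls["dmz_in"] = [("permit", net("192.168.1.10"), net("10.20.22.10"))]    # access-list dmz_in permit ip host ... host ...
    pix.access_groups["dmz"] = "dmz_in"                                            # access-group dmz_in in interface dmz
    return pix


def vlad_final_solution():
    """outside NAT behind the inside interface plus nat 0, as in Vlad's last post."""
    pix = base_pix()
    lan_net, dmz_net = net("10.20.22.0", "255.255.255.0"), net("192.168.1.0", "255.255.255.0")
    pix.nats.append(("dmz", 1, dmz_net, True))            # nat (dmz) 1 192.168.1.0 255.255.255.0 outside
    pix.globals_.add(("inside", 1))                       # global (inside) 1 interface
    pix.acls["dmz_in"] = [("permit", lan_net, dmz_net)]   # access-list dmz_in permit ip 10.20.22.0 ... 192.168.1.0 ...
    pix.exempts.append(("inside", "dmz_in"))              # nat (inside) 0 access-list dmz_in
    # Assumption: the access-group from Jon's first reply is still needed (Vlad
    # does not list it); it gets its own ACL name because dmz_in is the nat 0 list.
    pix.acls["dmz_to_inside"] = [("permit", dmz_net, lan_net)]
    pix.access_groups["dmz"] = "dmz_to_inside"
    return pix
```

Calling `jon_first_answer().allowed("dmz", "inside", "192.168.1.10", "10.20.22.10")` returns a permitted verdict naming the static for the destination; clearing `statics` turns it into the "no translation" refusal and clearing `access_groups` into the default deny, which are Jon's two requirements seen separately. In the model of Vlad's post, clearing `exempts` shows that the outside-NAT pair still supplies the DMZ-to-inside translation, but inside-to-DMZ then fails for want of a global on the DMZ, which is the gap the nat 0 line closes.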

Hi John,

What if there is nat 0 (no NAT)? How would the static NAT look?

DAK
