PIX 515E V 8.0 (3) DMZ question

roger
Level 1

Hi,

A company is switching ISPs, so the PIX 515E IP needs to be changed. I found that the DMZ interface is using a public IP and a web server is using a public IP as well. Please see the configuration below:

...
name 206.x.x.211 DMZ-WEB
...
interface ethernet0
 nameif outside
 security-level 0
 ip address 206.x.x.194 255.255.255.240
 ospf cost 10
...
interface ethernet2
 speed 100
 nameif DMZ
 security-level 4
 ip address 206.x.x.209 255.255.255.240
 ospf cost 10
...
static (DMZ,outside) DMZ-WEB DMZ-WEB netmask 255.255.255.255
...

I found the web server is using IP 206.x.x.211 as its IP.

My question is:

1. Is this a normal configuration?

2. The NAT translates the address to itself; is that a good idea?

Thanks,


Collin Clark
VIP Alumni

You see this often. I personally prefer to use a private address space, but using the public is OK. The ACL is more important than the NAT.

Panos Kampanakis
Cisco Employee

Even though it is not very common it is not wrong.

Usually people use local IP addresses in their DMZ and translate them to global ones when going to the outside. That is usually because they don't have enough global IP addresses for their inside.

In your case, as long as you have the IPs available, I don't see a reason why you should not do identity NAT and use the global IP addresses on the inside.

I hope it helps.

PK

Thank you for the help.

The current configuration is using two /28 blocks of IP addresses: one for the outside, and one for the DMZ and the web server.

We'll switch to a new ISP, and only one block of global IPs can be used. So we'll use a private IP for the DMZ interface and modify the "static" and "name" statements to do a real NAT. Are there any other command lines that need to be changed as well?

Thanks!

RQ

Hi,

You would also need to change your outside ACL to authorize incoming traffic on the related servers' ports to the new NAT global IP address(es).

Regards

Thanks!

You're right. But I found that there are some ACLs like:

access-list outside_access_in extended permit tcp any host DMZ-WEB eq www

Because the host is referenced by a defined name, "DMZ-WEB", I don't have to change this ACL after the name definition is changed, right?

I may need to add some lines to permit inside users to access the web site or server, right?

The current configuration was done with ASDM, and some places are hard to read. If I change it using the CLI, can the change be seen on the ASDM screen?

I'm not an expert on PIX, so please advise!

I really appreciate it.

RQ

One more question:

access-list outside_access_in extended ...

and

access-list acl_out extended ...

Should they be the same?

PIX OS 8.0 has a lot of changes.

Thanks,

RQ
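The following is an added example, written for this thread and not taken from the poster's configuration or from Cisco documentation. It shows the change discussed above: the identity-NAT setup from the original post next to the "real NAT" version with a private DMZ, and it also addresses the two later questions about the ACL that references the name DMZ-WEB and about the two ACL names. All addresses are constructed: 203.0.113.16/28 stands in for the single public /28 from the new ISP and 10.1.1.0/28 is an assumed private range for the DMZ. One point worth knowing before editing the name statement: on PIX/ASA 8.0 (anything before 8.3), an ACL applied to the outside interface is matched against the translated (mapped) address, so if the single name DMZ-WEB is simply repointed at the private address, the outside ACL silently becomes a rule for an address that never appears on the outside interface. The example therefore uses two names.

```cisco
! Added example, not the poster's configuration. Constructed addresses:
!   203.0.113.16/28  assumed new public block from the ISP
!   10.1.1.0/28      assumed private range for the DMZ
names
!
! ---- Before (as posted): identity NAT, DMZ and server on public addresses ----
! name 206.x.x.211 DMZ-WEB
! static (DMZ,outside) DMZ-WEB DMZ-WEB netmask 255.255.255.255
! access-list outside_access_in extended permit tcp any host DMZ-WEB eq www
!
! ---- After: private DMZ with a real one-to-one static NAT ----
! Two names: the server's real (private) address and its mapped (public) address.
name 10.1.1.11 DMZ-WEB-REAL
name 203.0.113.21 DMZ-WEB-PUBLIC
!
interface ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.18 255.255.255.240
!
interface ethernet2
 speed 100
 nameif DMZ
 security-level 4
 ip address 10.1.1.1 255.255.255.240
!
! Outside hosts connect to 203.0.113.21; the PIX forwards to 10.1.1.11.
! The optional dns keyword rewrites the A record in DNS replies that cross the
! PIX, so inside users resolving the public hostname get the private address
! (requires DNS inspection, which the default policy-map enables).
static (DMZ,outside) DMZ-WEB-PUBLIC DMZ-WEB-REAL netmask 255.255.255.255 dns
!
! The outside ACL must name the mapped address (pre-8.3 semantics) and only
! the ports the server actually serves.
access-list outside_access_in extended permit tcp any host DMZ-WEB-PUBLIC eq www
access-list outside_access_in extended permit tcp any host DMZ-WEB-PUBLIC eq https
!
! Only the ACL bound to an interface with access-group is enforced. If both
! outside_access_in and acl_out exist, the one named here is the live policy
! and the other is unused configuration.
access-group outside_access_in in interface outside
!
! Inside (security-level 100) to DMZ (security-level 4) is permitted by default
! without an ACL, unless an ACL is applied inbound on the inside interface.
! Inside users reach the server at 10.1.1.11 (or via the DNS rewrite above).
```

Alongside the PIX changes, the web server itself needs its address changed to 10.1.1.11 with 10.1.1.1 as its default gateway, and any OSPF configuration that advertised the old DMZ subnet should be reviewed. Commands entered on the CLI are written to the running configuration, which ASDM reads, so they appear in ASDM after a refresh.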
