10-28-2009 10:16 AM - edited 03-11-2019 09:33 AM
Hi,
A company is switching the ISP so PIX515E IP needs to be changed. I found that the DMZ interface is using a public IP and a web server is using a public IP as well. Please see the configuration below:
...
name 206.x.x.211 DMZ-WEB
...
interface ethernet0
nameif outside
security-level 0
ip address 206.x.x.194 255.255.255.240
ospf cost 10
...
interface ethernet2
speed 100
nameif DMZ
security-level 4
ip address 206.x.x.209 255.255.255.240
ospf cost 10
...
static (DMZ, outside) DMZ-WEB DMZ-WEB netmask 255.255.255.255
...
I found the web server is using IP 206.x.x.211 as its IP.
My question is:
1. Is this a normal configuration?
2. NAT translates itself, is it a good idea?
Thanks,
10-28-2009 11:53 AM
You see this often. I personally prefer to use a private address space, but using the public is OK. The ACL is more important than the NAT.
10-28-2009 12:13 PM
Even though it is not very common it is not wrong.
Usually people use local IP addresses in their DMZ and translate them to global ones when going to the outside. That is usually because they don't have enough global IP addresses for their inside.
In your case, as long as you have the IPs available I don't see a reason why you should not do identity NAT and use the global IP addresses on the inside.
I hope it helps.
PK
10-28-2009 05:54 PM
Thank you for the help.
The current configuration is using two blocks of /28 IP, one for outside, one for the DMZ and one web server.
We'll switch to a new ISP and only one block of global IP can be used. So we'll use a private IP for the DMZ interface and will modify the "static" and "name" statements to do a real NAT. Are there any other command lines that need to be changed as well?
Thanks!
RQ
10-28-2009 06:33 PM
hi,
You would also need to change your outside ACL to authorize incoming traffic on the related servers' ports to the new NAT(s) global IP address(es).
Regards
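The question above asks what else has to change besides the static and name statements, and the reply points at the outside ACL. As an added example (not from this thread or from Cisco), the Python below scans a constructed PIX-style config for every line that references the /28 being given up, resolving name aliases as well as literal addresses; the 206.1.1.x addresses are stand-ins for the thread's redacted 206.x.x.x space.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's fragment; 206.1.1.x stands in
# for the thread's redacted 206.x.x.x public space (not a real address).
OLD_CONFIG = """\
name 206.1.1.211 DMZ-WEB
interface ethernet0
 nameif outside
 security-level 0
 ip address 206.1.1.194 255.255.255.240
interface ethernet2
 nameif DMZ
 security-level 4
 ip address 206.1.1.209 255.255.255.240
static (DMZ,outside) DMZ-WEB DMZ-WEB netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host DMZ-WEB eq www
access-list outside_access_in extended permit tcp any host 206.1.1.212 eq smtp
access-group outside_access_in in interface outside
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_names(config):
    """Map alias -> IP for every 'name <ip> <alias>' line."""
    names = {}
    for line in config.splitlines():
        m = re.match(r"\s*name\s+(\S+)\s+(\S+)", line)
        if m:
            names[m.group(2)] = m.group(1)
    return names

def _as_address(token, names):
    """Resolve a token (literal IP or name alias) to an IPv4Address, else None."""
    value = names.get(token, token)
    if not IPV4.fullmatch(value):
        return None
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def lines_to_review(config, old_block):
    """Return (line_no, line) for every line that refers to an address in
    old_block, either literally or through a name alias."""
    net = ipaddress.ip_network(old_block)
    names = parse_names(config)
    return [(no, line.strip()) for no, line in enumerate(config.splitlines(), 1)
            if any(a is not None and a in net
                   for a in (_as_address(t, names) for t in line.split()))]
```

On PIX/ASA 8.0 (before 8.3) an inbound ACL on the outside interface matches the translated (global) address, so once the name alias points at the private DMZ address an entry written as "host DMZ-WEB" no longer matches inbound traffic and needs the new global address. Run the scan with the old outside block as well so the outside interface address is not missed.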
10-29-2009 06:05 AM
Thanks!
You're right. But I found that there're some ACLs like:
access-list outside_access_in extended permit tcp any host DMZ-WEB eq www
because the host is using a defined name "DMZ-WEB", so after the name definition is changed I don't have to change this ACL, right?
I may need to add some lines to permit inside users to access the web site or server, right?
The current configuration was done by ASDM, some places are hard to read. If I change it using CLI, can the change be seen in the ASDM screen?
I'm not an expert on PIX, so please advise!
I really appreciate it
RQ
10-29-2009 08:51 AM
One more question:
access-list outside_access_in extended...
and
access-list acl_out extended...
should they be the same?
PIX OS 8.0 has a lot of changes.
Thanks,
RQ