Need assistance with NAT and DMZ

Unanswered Question
Dec 8th, 2009

I am needing some assistance regarding a firewall.  I am going to try and explain it below to see if someone can help my poor brain out.

inside      10.10.x.x

outside     20.20.x.x

dmz         30.30.x.x

This is how my global/nats are set up.  

global (outside) 1 interface

global (dmz) 1 interface

nat (inside) 1 10.10.x.x   255.255.x.x tcp

This leads to my question.   The way that it stands now, an inside address of 10.10.x.x can access not only the dmz but also the outside since it has a translation.   We have some servers on the inside network that we want to access the dmz, but DON'T want to be able to access the internet.   How do we go about this?  We've tried the following:

global (outside) 1 interface

global (dmz) 2 interface

nat (inside) 1 10.10.x.x   255.255.x.x tcp

nat (inside) 2 10.10.x.x   255.255.x.x tcp (however when I enter this command, it's telling me that there is a duplicate subnet)

I guess I'm just not too sure as to how to go about this.   I was under the assumption that the nat ids had to match up, but it looks like I may be mistaken.  For instance, I thought that if my inside of 10.10.x.x was going to the dmz, he would use global dmz 2 and the ip address of the interface.  If that same network were to go out the outside, he would use the global outside 1 and the ip of the outside interface.   Apparently I must be way off here... can someone please enlighten me here.   I would greatly appreciate any help.

Jon Marshall Tue, 12/08/2009 - 13:25

The nat ids do have to match up, but your first set of statements was correct. The problem with your second lot of statements is that you are trying to assign the same subnet to 2 different nat ids.

The solution is either to

1) use acls for NAT, i.e.

   one acl for all inside devices allowed to talk to the Internet, i.e. all 10.10.x.x addresses excluding the servers

   one acl for the servers

2) use an acl on the inside interface, which is actually the better way to do things. Leave your NAT statements as they are and control traffic flow with interface access-lists. You shouldn't try and use NAT to control traffic flow.

Jon
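As an added illustration of the two options Jon describes (this is not part of the original thread, nor Jon's or jonesl1's configuration), here is how each would look in pre-8.3 PIX/ASA syntax. The server block 10.10.1.0/24 and the ACL names INSIDE_IN, NAT_GENERAL and NAT_SERVERS are placeholders chosen for the example; the interface addressing follows the question.

```cisco
! ===== Option 2 (the recommended one): leave NAT alone, filter on the
! ===== inside interface. The ASA stops at the first matching line, so
! ===== the DMZ permit for the servers must come before their deny.
!
! Placeholder: the servers that may reach the DMZ but not the Internet
! are assumed to live in 10.10.1.0/24.
access-list INSIDE_IN extended permit ip 10.10.1.0 255.255.255.0 30.30.0.0 255.255.0.0
access-list INSIDE_IN extended deny   ip 10.10.1.0 255.255.255.0 any
! Every other inside host keeps the access it has today.
access-list INSIDE_IN extended permit ip 10.10.0.0 255.255.0.0 any
access-group INSIDE_IN in interface inside
!
! NAT stays exactly as in the first (working) set of statements:
! one nat id on the inside, one matching global per exit interface.
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 10.10.0.0 255.255.0.0
!
! ===== Option 1 (policy NAT), an ALTERNATIVE to the nat lines above,
! ===== not something to combine with them. Each nat id matches an ACL
! ===== instead of a bare subnet, which is what avoids the "duplicate
! ===== subnet" error: the deny line keeps the servers out of nat id 1.
access-list NAT_GENERAL extended deny   ip 10.10.1.0 255.255.255.0 any
access-list NAT_GENERAL extended permit ip 10.10.0.0 255.255.0.0 any
access-list NAT_SERVERS extended permit ip 10.10.1.0 255.255.255.0 30.30.0.0 255.255.0.0
nat (inside) 1 access-list NAT_GENERAL
nat (inside) 2 access-list NAT_SERVERS
global (outside) 1 interface
global (dmz) 1 interface
global (dmz) 2 interface
! Caveat: this only removes the servers' translation toward the outside.
! Unless nat-control is enabled, untranslated traffic is still forwarded,
! so the interface ACL in Option 2 is what actually enforces the block.
```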
