communication - DMZ to Inside

Unanswered Question
Jan 29th, 2010

Hey..

It seems I should know this, but I seem to be defeated.

I have a box with a DMZ address.  It is attached to a switchport that is in the DMZ vlan.

I have another box with an inside address, attached to a switchport that is in the correct inside vlan.

(Functionally, they are exchange servers, DMZ is an "edge transport" server, Inside is a "hub transport" server.

The DMZ server had an inside address, the windows guy configured it, then I moved it to the DMZ.)

I'm doing this on a PIX 525, v 8.0(4).  I'm comfortable in both CLI and ASDM.

I have the following static command for the DMZ server:

static (dmz1,outside) 209.129.196.161 209.129.196.161 netmask 255.255.255.255

With just that command, the firewall log shows this:  (this is from ASDM log viewer.  column 5 (209.129.196.161) is Source IP.)

4 | Jan 28 2010 | 19:27:15 | 106023 | 209.129.196.161 | 58346 | 10.10.17.27 | 53 | Deny udp src dmz1:209.129.196.161/58346 dst inside:10.10.17.27/53 by access-group "acl_dmz1" [0x0, 0x0]


So I add this:

access-list acl_dmz1 line 1 extended permit udp host 209.129.196.161 10.10.17.0 255.255.255.0 eq domain (hitcnt=5)

Then I get these in the firewall log:  (again from ASDM log viewer.  now Source IP is 10.10.17.27)

3 | Jan 28 2010 | 19:30:40 | 305005 | 10.10.17.27 | 53 | No translation group found for udp src dmz1:209.129.196.161/58515 dst inside:10.10.17.27/53

I could NAT the 10.10.17.27 address into the DMZ, but the windows guy says he talked to a Windows tech guy who says "put the Edge server in the DMZ, put the Hub server on the inside, then configure the firewall to allow them to talk", and in his mind that means DON'T NAT, and my boss thinks he knows more about everything than I do...

So, is there any way to get these 2 boxes to talk to each other that doesn't involve NAT'ing?

UPDATE:

Found another thread that said do this:

static (inside,dmz1) 10.10.17.27 10.10.17.27 netmask 255.255.255.255

I did it, and that stopped the NAT errors.  But, is it an OK thing to do?  I'm not at all sure that it's correct to associate an actual inside address directly with the DMZ, instead of (as I'm accustomed to doing) associating it to a dmz address, like this:

static (inside,dmz1) 10.10.17.27 209.129.196.27 netmask 255.255.255.255

(Not to mention, I'm still being directed to find a way to make it happen without nat'ing...)

TIA for any and all assistance.

Linnea

Jon Marshall Sat, 01/30/2010 - 13:30

Linnea

For traffic to go from a lower to higher security level interface you need to do 2 things

1) allow traffic in acl

2) take care of NAT. This means either create a static NAT translation, turn off NAT altogether or do a nat exemption.

1) static NAT

Your example is actually the wrong way around, i.e. it should be:

static (inside,dmz1) 209.129.196.27 10.10.17.27 netmask 255.255.255.255

which means present the internal address of 10.10.17.27 as 209.129.196.27 to dmz1. But if you wanted to actually present the inside address as the same address on dmz1 then static (inside,dmz1) 10.10.17.27 10.10.17.27 netmask 255.255.255.255 is absolutely fine. That is one of the ways of doing it and a very common approach.

2) turn off NAT altogether with the "no nat-control" command; then you don't even need the static, but that may create problems depending on the rest of your config

3) set up a NAT exemption, i.e.

   access-list natex permit ip host 10.10.17.27 host 209.129.196.27

   nat (inside) 0 access-list natex

This actually says don't do any NAT for traffic between 10.10.17.27 and 209.129.196.27.

If the request was to allow the 2 servers to "talk" then any of the above will do it.

Jon

linnea.wren Mon, 02/01/2010 - 12:38

Hi Jon,

Thanks,

Couple of additional questions:

1.

This box already has "no nat-control" configured.  Yet traffic from interface dmz1 (security level 10) to int Inside (security level 100) requires a NAT statement.  Is that because (as shown below), we have a global pool configured for dmz1?

global (outside) 1 209.129.192.62 netmask 255.255.255.255
global (dmz1) 1 172.31.1.1-172.31.1.253 netmask 255.255.255.0
global (dmz1) 1 172.31.1.254 netmask 255.255.255.0

nat (inside) 1 10.0.0.0 255.0.0.0

2.

I was looking more into doing a NAT exemption, and ran across policy NAT.  Eventually found that you CAN specify ports in a policy NAT ACL, but you can't do that in a NAT 0 ACL...  Would that make a policy NAT a bit more secure?  Or is there some technical difference between traffic through a NAT and traffic not NAT'd that makes not NAT'd more secure, even though it affects the whole IP, not just some specified ports?

TIA - Linnea
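As an added illustration (not code from the thread, from Cisco, or from either poster), the following Python model walks a dmz1-to-inside packet through the two checks Jon describes (ingress ACL, then a NAT lookup for the destination) using the addresses, ACL and NAT lines posted above, including the "no nat-control" plus nat (inside) 1 / global (dmz1) 1 configuration from the follow-up question. The lookup order (nat 0 exemption, then static, then dynamic nat) and the fact that a nat/global pair only builds translations for connections started from the higher-security side are standard PIX 7.x/8.0 behaviour; the `cfg` dictionary layout and the outcome strings, which borrow the syslog IDs from the log lines, are this example's own convention.

```python
# Added example, not code from the thread or from Cisco: a small model of a
# PIX 7.x/8.0 handling a packet that arrives on a lower-security interface
# (dmz1) for a higher one (inside): ingress ACL first, then a NAT lookup for
# the destination. Lookup order and the one-way nature of dynamic NAT follow
# PIX behaviour; the addresses and rules are the ones posted in the thread.
import ipaddress

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def acl_permits(acl, src, dst, proto, dport):
    # acl entries: (proto, src_net, dst_net, dport or None for any port)
    return any(p == proto and in_net(src, s) and in_net(dst, d)
               and port in (None, dport) for p, s, d, port in acl)

def inbound_decision(cfg, src, dst, proto="udp", dport=53):
    """Outcome for a dmz1 -> inside packet, labelled with the syslog ID."""
    if not acl_permits(cfg["acl_dmz1"], src, dst, proto, dport):
        return "106023 Deny by access-group acl_dmz1"
    # 1. nat (inside) 0 access-list: exemption is checked first
    if (dst, src) in cfg.get("nat0", []):
        return f"permit, no translation, dst {dst}"
    # 2. static (inside,dmz1) MAPPED REAL: dmz1 addresses the mapped side
    for mapped, real in cfg.get("static_inside_dmz1", []):
        if dst == mapped:
            return f"permit, dst {mapped} -> real {real}"
    # 3. nat (inside) N + global (dmz1) N builds xlates only for
    #    inside-initiated flows, so a dmz1-initiated one finds none
    if any(in_net(dst, n) for n in cfg.get("dyn_nat_inside_to_dmz1", [])):
        return "305005 No translation group found"
    # 4. no NAT rule matched: only nat-control makes that an error
    if cfg.get("nat_control", True):
        return "305005 No translation group found"
    return f"permit, no translation, dst {dst}"

EDGE, HUB = "209.129.196.161", "10.10.17.27"      # edge (dmz1), hub (inside)
ACL = [("udp", EDGE + "/32", "10.10.17.0/24", 53)]  # acl_dmz1 line 1

# The posted config: "no nat-control", but nat (inside) 1 10.0.0.0/8 paired
# with a global (dmz1) 1 pool, and no static for the hub.
posted = {"acl_dmz1": ACL, "nat_control": False,
          "dyn_nat_inside_to_dmz1": ["10.0.0.0/8"]}
no_acl = dict(posted, acl_dmz1=[])                         # first log line
identity_static = dict(posted, static_inside_dmz1=[(HUB, HUB)])  # option 1
exemption = dict(posted, nat0=[(HUB, EDGE)])                     # option 3

if __name__ == "__main__":
    for name, cfg in [("no acl", no_acl), ("posted", posted),
                      ("identity static", identity_static), ("nat 0", exemption)]:
        print(f"{name:16} {inbound_decision(cfg, EDGE, HUB)}")
```

Running it reproduces the two log lines from the posted configuration and shows that "no nat-control" alone only passes the flow once no nat/global pair covers the hub's address, which is why the identity static (or an exemption) was still needed.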
