Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
288
Views
4
Helpful
3
Replies

natting on DMZ & inside interface

ddicky
Level 1
Level 1

‎09-10-2003 04:46 AM - edited ‎03-09-2019 04:43 AM

I have a router connecting to internet using ISDN and PIX with Dmz on behind.

My router will do the natting,my concern is do I need to configure any

nat command on PIX inorder to allow dmz and inside users able to access internet beside the nat

command for inside users to access dmz server.All my 3 interfaces is using private IP addres

Labels:
0 Helpful
3 Replies 3

tvanginneken
Level 4
Level 4

‎09-10-2003 05:13 AM

If the pix does not have to do any kind of natting, then you should use the 'nat 0' command:

'nat (inside) 0 access-list xxx'

'nat (dmz) 0 access-list yyy'

The addresses that match the access-list will not be natted.

Kind Regards,

Tom

ddicky
Level 1
Level 1
In response to tvanginneken

‎09-10-2003 05:32 PM

Hi Tom,thks for response.

How should the access-list?

On the PIX,I've the following:

> ip address inside 10.1.1.1 255.255.255.0

> ip address outside 192.168.1.1 255.255.255.0

>ip address dmz 10.1.2.1.0 255.255.255.0

> static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

> route outside 0.0.0.0 0.0.0.0 192.168.1.2

On the router ,I have something like:

> ip route 0.0.0.0 0.0.0.0 dialer1

> ip route 10.0.0.0 255.0.0.0 192.168.1.1

> int fastethernet0

> ip address 192.168.1.2 255.255.255.0

> ip nat inside

> int dialer1

> ip address dhcp

> ip nat outside

> ip nat inside source list 1 interface dialer1 overload

> access-list 1 permit any

0 Helpful

gfullage
Cisco Employee
Cisco Employee
In response to ddicky

‎09-10-2003 08:25 PM

The static you have defined will do the trick for you. You would also want:

static (dmz,outside) 10.1.2.0 10.1.2.0 netmask 255.255.255.0

Personally though, I would do this a little different. By using static's you're still running each packet through the whole NAT process within the PIX, you're just NAT'ing it to the same address. You're better off simply not NAT'ing this traffic at all, puts less load on the PIX. Instead of the static's do the following:

nat (inside) 0 10.1.1.0 255.255.255.0

nat (dmz) 0 10.1.2.0 255.255.255.0

The "nat 0" says don't NAT this traffic specifically. It'll just be passed through the PIX and onto the router which will do the NAT'ing for you.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents