natting on DMZ & inside interface

Sep 10th, 2003

I have a router connecting to the internet using ISDN and a PIX with a DMZ behind it.

My router will do the natting. My concern is: do I need to configure any nat command on the PIX in order to allow DMZ and inside users to access the internet, besides the nat command for inside users to access the DMZ server? All my 3 interfaces are using private IP addresses.

tvanginneken Wed, 09/10/2003 - 05:13
User Badges:
  • Silver, 250 points or more

If the PIX does not have to do any kind of natting, then you should use the 'nat 0' command:

'nat (inside) 0 access-list xxx'

'nat (dmz) 0 access-list yyy'

The addresses that match the access-list will not be natted.


Kind Regards,

Tom

ddicky Wed, 09/10/2003 - 17:32

Hi Tom, thanks for the response.

How should the access-list look?

On the PIX, I have the following:

> ip address inside 10.1.1.1 255.255.255.0

> ip address outside 192.168.1.1 255.255.255.0

> ip address dmz 10.1.2.1.0 255.255.255.0

> static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

> route outside 0.0.0.0 0.0.0.0 192.168.1.2


On the router, I have something like:
> ip route 0.0.0.0 0.0.0.0 dialer1

> ip route 10.0.0.0 255.0.0.0 192.168.1.1

> int fastethernet0

> ip address 192.168.1.2 255.255.255.0

> ip nat inside

> int dialer1

> ip address dhcp

> ip nat outside

> ip nat inside source list 1 interface dialer1 overload

> access-list 1 permit any


gfullage Wed, 09/10/2003 - 20:25
User Badges:
  • Cisco Employee,

The static you have defined will do the trick for you. You would also want:

static (dmz,outside) 10.1.2.0 10.1.2.0 netmask 255.255.255.0

Personally though, I would do this a little differently. By using statics you're still running each packet through the whole NAT process within the PIX; you're just NAT'ing it to the same address. You're better off simply not NAT'ing this traffic at all, which puts less load on the PIX. Instead of the statics do the following:

nat (inside) 0 10.1.1.0 255.255.255.0

nat (dmz) 0 10.1.2.0 255.255.255.0

The "nat 0" says don't NAT this traffic specifically. It'll just be passed through the PIX and onto the router, which will do the NAT'ing for you.
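The two approaches from this thread side by side, written out for the addresses the poster gave, as an added example (not configuration from any of the posters). It assumes PIX 6.x syntax; the access-list names inside_nonat and dmz_nonat are made up here, and the access-list form is the one Tom referred to, which lets the exemption be narrowed to particular destinations later.

```text
! Option A: identity statics. Every packet still walks the PIX translation
! engine and gets an xlate entry, only translated to its own address.
! (The 10.0.0.0/8 inside static is the one already in the poster's config.)
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (dmz,outside)    10.1.2.0 10.1.2.0 netmask 255.255.255.0

! Option B: NAT exemption. No translation is built on the PIX; the router's
! "ip nat inside source list 1 interface dialer1 overload" does the PAT.
! Use either A or B for a given subnet, not both.
access-list inside_nonat permit ip 10.1.1.0 255.255.255.0 any
access-list dmz_nonat    permit ip 10.1.2.0 255.255.255.0 any
nat (inside) 0 access-list inside_nonat
nat (dmz)    0 access-list dmz_nonat

! Check: after a host on inside or dmz opens a connection outbound,
! "show xlate" should list no entry for it under option B.
! Note: neither option lets internet-side traffic reach the DMZ server;
! that is still governed by what is permitted on the outside interface.
```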
