515e NAT 0, Identity NAT, NAT Exemption........ Help!

shanemonson
Level 1

Our web and FTP servers reside on our PIX DMZ interface; these systems have registered IP addresses and need their real IPs available to any host (no NAT). The external IP interface on our PIX is a single registered IP address assigned by our data center host and is on a different subnet. How can I allow web 80, 443 and 21 traffic only, from any host on the outside, to pass through the PIX and flow to the respective servers on the DMZ? I'm looking at policy NAT, identity NAT, NAT exemption, or static commands in my Cisco PIX Handbook... help! Thanks in advance

Accepted Solution

vitripat
Level 7

Ok .. so let's assume that the outside subnet is x.x.x.x/24 and x.x.x.1 is the outside interface IP of the PIX. The registered IPs for the web and FTP servers are y.y.y.1 & y.y.y.2, which are in a different subnet. You can place them on the DMZ interface and make the DMZ interface IP the gateway for the servers. Next, configure your PIX with the following commands:

static (dmz,outside) y.y.y.1 y.y.y.1

static (dmz,outside) y.y.y.2 y.y.y.2

(This type of static command is called a self-stat command, because we are not actually translating the IP addresses.)

access-list outin permit tcp any host y.y.y.1 eq 80

access-list outin permit tcp any host y.y.y.1 eq 443

access-list outin permit tcp any host y.y.y.2 eq 21

access-group outin in interface outside

Once this is done, you'll need to contact your ISP and have them enter the following IP routes on the PIX's gateway router:

ip route y.y.y.1 255.255.255.255 x.x.x.1

ip route y.y.y.2 255.255.255.255 x.x.x.1

Now things should work.

Hope this helps.

Regards,

Vibhor.


3 Replies

Self-Stat.?? I do not see that in my handbook. It worked though! Thanks. I did try something in the meantime that didn't work but I thought should have... conduits. Can you explain when that would be appropriate to use?

Thanks again - 5 points from me!

Thank you.

Conduits were old commands and have been replaced by ACLs, which are more flexible. If you have ACLs in your configuration, conduit commands will not be effective. However, taking the following ACLs:

access-list outin permit tcp any host y.y.y.1 eq 80

access-list outin permit tcp any host y.y.y.1 eq 443

access-list outin permit tcp any host y.y.y.2 eq 21

access-group outin in interface outside

the comparable conduit commands would be:

conduit permit tcp host y.y.y.1 eq 80 any

conduit permit tcp host y.y.y.1 eq 443 any

conduit permit tcp host y.y.y.2 eq 21 any

ACLs in the configuration override conduits, rendering them ineffective. I would recommend using ACLs over conduits.

Hope that helps.

Regards,

Vibhor.
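As an added example (not part of this thread, and not Cisco tooling), the following Python script parses the kinds of lines used in the accepted solution and in the conduit reply above (`static` self-stats, `access-list`/`access-group`, and `conduit`) and reports what each statically mapped DMZ host actually exposes to any outside source. It applies the rule Vibhor states: when an ACL is bound to the outside interface, the ACL decides and conduit lines are ineffective; only when no ACL is bound do the conduits count. The configuration it audits is constructed for the example, with the documentation addresses 203.0.113.1/.2 standing in for y.y.y.1/.2, and it deliberately includes one extra ACL entry (telnet) and two leftover conduit lines so the checker has something to flag. The command grammar it understands is limited to the forms that appear in this thread; that restriction, and the allowlist, are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample configuration, modelled on the commands in this thread.
# 203.0.113.1 / 203.0.113.2 stand in for y.y.y.1 / y.y.y.2.
SAMPLE_CONFIG = """
static (dmz,outside) 203.0.113.1 203.0.113.1
static (dmz,outside) 203.0.113.2 203.0.113.2
access-list outin permit tcp any host 203.0.113.1 eq 80
access-list outin permit tcp any host 203.0.113.1 eq 443
access-list outin permit tcp any host 203.0.113.2 eq 21
access-list outin permit tcp any host 203.0.113.2 eq 23
access-group outin in interface outside
conduit permit tcp host 203.0.113.1 eq 80 any
conduit permit tcp host 203.0.113.2 eq 22 any
"""

# Expected exposure (assumption for this example): web host gets 80/443, FTP host gets 21.
ALLOWED = {
    "203.0.113.1": {("tcp", 80), ("tcp", 443)},
    "203.0.113.2": {("tcp", 21)},
}

# Only the command forms seen in the thread are recognised.
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\w+) (.+?) host (\S+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
CONDUIT_RE = re.compile(r"^conduit (permit|deny) (\w+) host (\S+) eq (\S+) (.+)$")
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22, "telnet": 23}


def port_number(token):
    """Accept a numeric port or one of the common PIX port keywords."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_config(text):
    """Collect statics, named ACLs, interface bindings and conduits from config text."""
    cfg = {"statics": {}, "acls": defaultdict(list), "groups": {}, "conduits": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := STATIC_RE.match(line):
            # PIX syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip
            real_if, mapped_if, mapped_ip, real_ip = m.groups()
            cfg["statics"][mapped_ip] = {
                "real_ip": real_ip, "real_if": real_if, "mapped_if": mapped_if,
                "self_stat": mapped_ip == real_ip,  # no translation, as in the thread
            }
        elif m := ACL_RE.match(line):
            name, action, proto, src, dst, port = m.groups()
            cfg["acls"][name].append((action, proto, src.strip(), dst, port_number(port)))
        elif m := GROUP_RE.match(line):
            name, iface = m.groups()
            cfg["groups"][iface] = name
        elif m := CONDUIT_RE.match(line):
            # conduit <action> <proto> host <dst> eq <port> <src>: note dst before src
            action, proto, dst, port, src = m.groups()
            cfg["conduits"].append((action, proto, src.strip(), dst, port_number(port)))
    return cfg


def effective_rules(cfg, outside="outside"):
    """Rules that actually filter inbound traffic on `outside`.
    A bound ACL overrides conduits; conduits apply only when no ACL is bound."""
    acl_name = cfg["groups"].get(outside)
    if acl_name is not None:
        return "acl:" + acl_name, cfg["acls"][acl_name]
    return "conduit", cfg["conduits"]


def exposure(cfg, outside="outside"):
    """Map each host statically published on `outside` to the (proto, port) set
    permitted from any source. First matching entry wins, as on the PIX."""
    source, rules = effective_rules(cfg, outside)
    exposed = {}
    for mapped_ip, st in cfg["statics"].items():
        if st["mapped_if"] != outside:
            continue
        decided = {}
        for action, proto, src, dst, port in rules:
            if dst == mapped_ip and src == "any" and (proto, port) not in decided:
                decided[(proto, port)] = action
        exposed[mapped_ip] = {k for k, v in decided.items() if v == "permit"}
    return source, exposed


def audit(cfg, allowed, outside="outside"):
    """Return human-readable findings: ports open beyond the allowlist, expected
    ports that are not actually reachable, and dead conduit lines."""
    source, exposed = exposure(cfg, outside)
    findings = []
    for ip, ports in sorted(exposed.items()):
        for proto, port in sorted(ports - allowed.get(ip, set())):
            findings.append(f"{ip}: {proto}/{port} open from any but not in allowlist")
        for proto, port in sorted(allowed.get(ip, set()) - ports):
            findings.append(f"{ip}: {proto}/{port} expected but not permitted inbound")
    if source.startswith("acl:") and cfg["conduits"]:
        findings.append(f"{len(cfg['conduits'])} conduit line(s) are ineffective while "
                        f"{source} is bound to {outside}")
    return findings


if __name__ == "__main__":
    for line in audit(parse_config(SAMPLE_CONFIG), ALLOWED):
        print(line)
```

Feeding it the sample reports the stray telnet permit on the FTP host and the two conduit lines that do nothing while `outin` is bound; remove the `access-group` line and the same script shows the conduits taking over, which is the behaviour the reply above describes.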
