515e NAT 0, Identity NAT, NAT Exemption........ Help!

Our web and FTP servers reside on our PIX DMZ interface; these systems have registered IP addresses and need their real IPs available to any host (no NAT). The external IP interface on our PIX is a single registered IP address assigned by our data center host and is on a different subnet. How can I allow web 80, 443 and 21 traffic only, from any host on the outside, to pass through the PIX and flow to the respective servers on the DMZ? I'm looking at policy NAT, identity NAT, NAT exemption, or static commands in my Cisco PIX Handbook... help! Thanks in advance

ACCEPTED SOLUTION

Re: 515e NAT 0, Identity NAT, NAT Exemption........ Help!

OK, so let's assume that the outside subnet is x.x.x.x/24 and x.x.x.1 is the outside interface IP of the PIX. The registered IPs for the web and FTP servers are y.y.y.1 & y.y.y.2, which are in a different subnet. You can place them on the DMZ interface and make the DMZ interface IP the gateway for the servers. Next, configure your PIX with the following commands:

static (dmz,outside) y.y.y.1 y.y.y.1

static (dmz,outside) y.y.y.2 y.y.y.2

(These types of static commands are called self-stat commands, because we are not actually translating the IP addresses.)

access-list outin permit tcp any host y.y.y.1 eq 80

access-list outin permit tcp any host y.y.y.1 eq 443

access-list outin permit tcp any host y.y.y.2 eq 21

access-group outin in interface outside

Once this is done, you'll need to contact your ISP and have them enter the following IP routes on the gateway router of the PIX:

ip route y.y.y.1 255.255.255.255 x.x.x.1

ip route y.y.y.2 255.255.255.255 x.x.x.1

Now things should work.

Hope this helps.

Regards,

Vibhor.

3 REPLIES
Re: 515e NAT 0, Identity NAT, NAT Exemption........ Help!

Self-stat?? I do not see that in my handbook. It worked though! Thanks. I did try something in the meantime that didn't work but I thought should have... conduits. Can you explain when that would be appropriate to use?

Thanks again - 5 points from me!

Re: 515e NAT 0, Identity NAT, NAT Exemption........ Help!

Thank you.

Conduits are old commands and have been replaced by ACLs, which are more flexible. If you have ACLs in your configuration, conduit commands will not be effective. However, taking the following ACLs:

access-list outin permit tcp any host y.y.y.1 eq 80

access-list outin permit tcp any host y.y.y.1 eq 443

access-list outin permit tcp any host y.y.y.2 eq 21

access-group outin in interface outside

the comparable conduit commands would be:

conduit permit tcp host y.y.y.1 eq 80 any

conduit permit tcp host y.y.y.1 eq 443 any

conduit permit tcp host y.y.y.2 eq 21 any

ACLs in the configuration override conduits, rendering them ineffective. I would recommend using ACLs over conduits.

Hope that helps.

Regards,

Vibhor.
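The following is an added example, not code from this thread or from Cisco: a small Python model of the inbound policy the accepted answer builds (identity statics plus an ACL bound to the outside interface) and of the conduit equivalent given in the last reply. It parses those command forms, refuses a flow whose destination has no static (an ACL permit alone does not give an outside host a path to the DMZ), evaluates flows first-match-wins with the implicit deny at the end of the list, and treats conduits as ineffective once an ACL is bound to the interface, as the reply states. The addresses are constructed stand-ins from the RFC 5737 documentation ranges (x.x.x.1 becomes 198.51.100.1, y.y.y.1 and y.y.y.2 become 203.0.113.1 and 203.0.113.2); only `eq` port operators and numeric or a few named ports are modelled.

```python
"""Model of the PIX 6.x inbound policy from this thread (added example, not Cisco code).

Parses static / access-list / access-group / conduit lines, checks that every host the
policy permits actually has a static, and evaluates sample flows with first-match-wins
and the implicit deny at the end of the list.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22, "smtp": 25}

# Constructed addresses (RFC 5737) standing in for the thread's placeholders:
# x.x.x.1 -> 198.51.100.1 (PIX outside), y.y.y.1/.2 -> 203.0.113.1/.2 (DMZ servers).
PIX_CONFIG_ACL = """
static (dmz,outside) 203.0.113.1 203.0.113.1
static (dmz,outside) 203.0.113.2 203.0.113.2
access-list outin permit tcp any host 203.0.113.1 eq 80
access-list outin permit tcp any host 203.0.113.1 eq 443
access-list outin permit tcp any host 203.0.113.2 eq 21
access-group outin in interface outside
"""

# The same policy in the older conduit syntax: local host and port first, then the foreign side.
PIX_CONFIG_CONDUIT = """
static (dmz,outside) 203.0.113.1 203.0.113.1
static (dmz,outside) 203.0.113.2 203.0.113.2
conduit permit tcp host 203.0.113.1 eq 80 any
conduit permit tcp host 203.0.113.1 eq 443 any
conduit permit tcp host 203.0.113.2 eq 21 any
"""

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" | "deny"
    proto: str                       # "tcp" | "udp" | "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None = any destination port

@dataclass
class Policy:
    statics: dict = field(default_factory=dict)        # global IP -> local IP (identity when equal)
    acls: dict = field(default_factory=dict)           # ACL name -> [Rule], in configured order
    access_groups: dict = field(default_factory=dict)  # interface -> ACL name
    conduits: list = field(default_factory=list)       # [Rule], not tied to an interface

def _addr(tok):
    """Consume one address spec: 'any' | 'host A' | 'A MASK'. Returns (network, remaining tokens)."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def _port(tok):
    """Consume an optional 'eq PORT' (numeric or a known service name)."""
    if tok and tok[0] == "eq":
        p = tok[1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), tok[2:]
    return None, tok

def parse_config(text):
    pol = Policy()
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "static":                       # static (high,low) GLOBAL LOCAL [netmask M]
            pol.statics[tok[2]] = tok[3]
        elif tok[0] == "access-list":                # access-list NAME ACTION PROTO SRC DST [eq P]
            name, action, proto = tok[1], tok[2], tok[3]
            src, rest = _addr(tok[4:])
            dst, rest = _addr(rest)
            dport, _ = _port(rest)
            pol.acls.setdefault(name, []).append(Rule(action, proto, src, dst, dport))
        elif tok[0] == "access-group":               # access-group NAME in interface IFACE
            pol.access_groups[tok[4]] = tok[1]
        elif tok[0] == "conduit":                    # conduit ACTION PROTO LOCAL [eq P] FOREIGN [eq P]
            action, proto = tok[1], tok[2]
            dst, rest = _addr(tok[3:])
            dport, rest = _port(rest)
            src, _ = _addr(rest)
            pol.conduits.append(Rule(action, proto, src, dst, dport))
        # nat, route and other lines are outside this model and ignored
    return pol

def inbound_rules(pol, iface="outside"):
    """Rules applied to traffic entering IFACE: the bound ACL if any, otherwise the conduits."""
    if iface in pol.access_groups:
        return pol.acls.get(pol.access_groups[iface], [])
    return pol.conduits

def permits(pol, src, dst, proto, dport, iface="outside"):
    """Does a packet SRC -> DST:DPORT reach the DMZ host? Needs a static for DST plus a permit."""
    if str(dst) not in pol.statics:
        return False                                 # no static: no inbound path at all
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in inbound_rules(pol, iface):
        if r.proto in ("ip", proto) and s in r.src and d in r.dst and r.dport in (None, dport):
            return r.action == "permit"              # first match wins
    return False                                     # implicit deny

def lint(pol, iface="outside"):
    """Flag permits that cannot work (host without a static) and permits wider than one port."""
    problems = []
    for r in inbound_rules(pol, iface):
        if r.action != "permit":
            continue
        if r.dst.prefixlen == 32 and str(r.dst.network_address) not in pol.statics:
            problems.append(f"permit to {r.dst.network_address} but no static (dmz,outside) for it")
        if r.proto == "ip" or r.dport is None or r.dst == ANY:
            problems.append(f"over-broad permit: {r.proto} {r.src} -> {r.dst} port {r.dport}")
    return problems

def same_policy(a, b, flows):
    """True when two configs give identical verdicts for every (src, dst, proto, dport) flow."""
    return all(permits(a, *f) == permits(b, *f) for f in flows)

SAMPLE_FLOWS = [  # constructed: one outside client probing the two DMZ servers
    ("192.0.2.7", "203.0.113.1", "tcp", 80),
    ("192.0.2.7", "203.0.113.1", "tcp", 443),
    ("192.0.2.7", "203.0.113.2", "tcp", 21),
    ("192.0.2.7", "203.0.113.2", "tcp", 80),   # web port on the FTP host: denied
    ("192.0.2.7", "203.0.113.1", "tcp", 22),   # SSH: caught by the implicit deny
    ("192.0.2.7", "203.0.113.1", "udp", 80),   # wrong protocol: denied
]

if __name__ == "__main__":
    pol = parse_config(PIX_CONFIG_ACL)
    for f in SAMPLE_FLOWS:
        print(f, "permit" if permits(pol, *f) else "deny")
    print("lint:", lint(pol) or "clean")
```

Two checks worth keeping from this: a permit whose destination has no static is a dead rule (the lint flags it), and once an access-group is bound to the outside interface a stray conduit in the configuration no longer opens anything, so ACL and conduit lines should not be mixed.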
