Communications Through PIX with ACL and NAT

daniel.bowen
Level 1

Hi Everyone,

I have a web server that resides on my DMZ that needs to communicate bi-directionally with a couple of servers on my internal LAN. I have set up the NAT and ACLs but I am still not able to get communications working. Would somebody please be able to have a quick look at the config below and the attached diagram and point me in the right direction?

Many thanks,

Dan

5 Replies

a.kiprawih
Level 7

Based on the config, your DMZ is running on 10.1.0.0/24, while Inside is on 10.0.0.0/24.

Your ACL is only allowing DMZ's 10.1.0.27 to talk to Inside's 10.0.0.209 (via specified TCP/UDP ports).

Do the following to allow your DMZ's web server to communicate with Inside hosts using their own original/physical IP Address (NAT is not required). Apply ACL to control who can access what via any permitted TCP/UDP protocol.

1. Configure/map inside & DMZ:

static (inside,dmz) 10.0.0.0 10.1.0.0 netmask 255.255.255.0

2. Configure ACL and apply on DMZ and Inside interfaces

a. ACL for DMZ:

access-list acl_dmz permit icmp host 10.1.0.27 host 10.0.0.209

access-list acl_dmz permit tcp host 10.1.0.27 host 10.0.0.209 eq 1100

access-list acl_dmz permit udp host 10.1.0.27 host 10.0.0.209 eq 1100

access-list acl_dmz permit tcp host 10.1.0.27 host 10.0.0.209 eq 1105

access-list acl_dmz permit udp host 10.1.0.27 host 10.0.0.209 eq 1105

access-list acl_dmz permit tcp host 10.1.0.27 host 10.0.0.209 eq 3306

access-list acl_dmz permit udp host 10.1.0.27 host 10.0.0.209 eq 3306

access-list acl_dmz permit tcp host 10.1.0.27 host 10.0.0.209 eq 5432

access-list acl_dmz permit udp host 10.1.0.27 host 10.0.0.209 eq 5432

access-group acl_dmz in interface dmz --> check correct lower/uppercase

b. ACL for Inside - add to existing

access-list acl_inside permit icmp host 10.0.0.209 host 10.1.0.27

access-list acl_inside permit tcp host 10.0.0.209 host 10.1.0.27 eq 1100

access-list acl_inside permit udp host 10.0.0.209 host 10.1.0.27 eq 1100

access-list acl_inside permit tcp host 10.0.0.209 host 10.1.0.27 eq 1105

access-list acl_inside permit udp host 10.0.0.209 host 10.1.0.27 eq 1105

access-list acl_inside permit tcp host 10.0.0.209 host 10.1.0.27 eq 3306

access-list acl_inside permit udp host 10.0.0.209 host 10.1.0.27 eq 3306

access-list acl_inside permit tcp host 10.0.0.209 host 10.1.0.27 eq 5432

access-list acl_inside permit udp host 10.0.0.209 host 10.1.0.27 eq 5432

access-group acl_inside in interface inside --> check correct lower/uppercase

The above ACLs allow specific access from DMZ to Inside and vice versa via the allowed TCP/UDP ports.

Just add IP addresses on both ACL (with port no) if you need to add more servers.

Hope this helps. Pls rate all useful post(s).

AK
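As an added illustration (not from the thread), here is a small Python evaluator for PIX-style access-list lines: it parses the host/any/subnet operands and the optional "eq PORT", applies first-match semantics with the implicit deny at the end, and shows why the acl_inside entries are needed for the reverse direction. The sample input is a constructed subset of the acl_dmz lines above.

```python
import ipaddress

# Constructed sample input: a subset of the acl_dmz lines posted in the thread.
ACL_TEXT = """
access-list acl_dmz permit icmp host 10.1.0.27 host 10.0.0.209
access-list acl_dmz permit tcp host 10.1.0.27 host 10.0.0.209 eq 1100
access-list acl_dmz permit tcp host 10.1.0.27 host 10.0.0.209 eq 3306
access-list acl_dmz permit udp host 10.1.0.27 host 10.0.0.209 eq 3306
access-list acl_dmz permit tcp host 10.1.0.27 host 10.0.0.209 eq 5432
"""

def _operand(tok, i):
    """Parse one address operand starting at tok[i]: 'any', 'host A', or 'NET MASK'.
    Returns the network and the index of the next unread token."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # PIX ACLs use a real subnet mask here (not an IOS wildcard mask)
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_acl(text):
    """Return {acl_name: [(action, proto, src_net, dst_net, dst_port), ...]} in config order."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue  # ignore anything that is not an access-list entry
        name, action, proto = tok[1], tok[2], tok[3]
        src, i = _operand(tok, 4)
        dst, i = _operand(tok, i)
        dport = int(tok[i + 1]) if len(tok) > i + 1 and tok[i] == "eq" else None
        acls.setdefault(name, []).append((action, proto, src, dst, dport))
    return acls

def evaluate(acl, proto, src, dst, dport=None):
    """Decide a flow against one ACL: first matching entry wins, otherwise implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in acl:
        if p not in (proto, "ip"):  # 'ip' entries match every protocol
            continue
        if s in snet and d in dnet and (port is None or port == dport):
            return action
    return "deny"
```

Running the reverse flow (10.0.0.209 to 10.1.0.27) against acl_dmz returns "deny", which is exactly why the mirrored acl_inside entries are required when the Inside host initiates.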

Hi there,

Thanks for your post. My understanding was that if traffic was sourced on a higher security interface it could communicate with a lower security interface without the need for an ACL or NAT?

Also, does the following command:

static (inside,dmz) 10.0.0.0 10.1.0.0 netmask 255.255.255.0

replace my command of:

static (inside,dmz) 10.1.0.27 10.0.0.209 netmask 255.255.255.255 0 0

Many thanks again,

Dan

Hi Dan

Other option, say, if you map Inside's 10.0.0.209 to DMZ's 10.1.0.27 with the intention to allow other IPs, example 10.1.0.100, in DMZ to access it, then your static map of "static (inside,dmz) 10.1.0.27 10.0.0.209 netmask 255.255.255.255 0 0" is correct (assuming I overlooked this).

Your static is mapping Inside's 10.0.0.209 to an unused DMZ IP of 10.1.0.27, so that any hosts/servers in DMZ can access the Inside 10.0.0.209 server virtually as 10.1.0.27. This is more or less like having the Inside server sitting in DMZ itself, running on a DMZ IP address. This is TRUE if your DMZ needs to first start/initiate the access.

Therefore, your access-list should be changed by replacing the 10.1.0.27 with the IP address of the DMZ server that really needs to access the Inside host of 10.0.0.209 (but mapped as 10.1.0.27).

For example, assuming a DMZ server of 10.1.0.100 needs to access 10.0.0.209, then just change the current (wrongly defined) 10.1.0.27 to 10.1.0.100. The 'host 10.0.0.209' was correct. Same goes for your static statement.

Example:

access-list acl_dmz permit icmp host 10.1.0.100 host 10.0.0.209

access-list acl_dmz permit tcp host 10.1.0.100 host 10.0.0.209 eq 1100

access-list acl_dmz permit udp host 10.1.0.100 host 10.0.0.209 eq 1100

access-list acl_dmz permit tcp host 10.1.0.100 host 10.0.0.209 eq 1105

access-list acl_dmz permit udp host 10.1.0.100 host 10.0.0.209 eq 1105

access-list acl_dmz permit tcp host 10.1.0.100 host 10.0.0.209 eq 3306

access-list acl_dmz permit udp host 10.1.0.100 host 10.0.0.209 eq 3306

access-list acl_dmz permit tcp host 10.1.0.100 host 10.0.0.209 eq 5432

access-list acl_dmz permit udp host 10.1.0.100 host 10.0.0.209 eq 5432

But if the Inside server also needs to initiate/start the access, then go for the previous option. Just change the source/destination IP accordingly.

static (inside,dmz) 10.1.0.27 10.0.0.209 netmask 255.255.255.255

Anyway, can you tell me what the access plan looks like, i.e. who should initiate the access/session first, or can both initiate the access? This will help to dictate the actual config.

HTH

AK

Hi AK,

Both devices are going to need to initiate communications but my understanding was that the Inside - DMZ comms would not need an ACL.

From your recent comments, I think the first option is the best. Can you just explain to me why I need to use the command:

static (inside,dmz) 10.0.0.0 10.1.0.0 netmask 255.255.255.0

Many thanks,

Dan

This option allows you to map the entire Inside subnet to the DMZ subnet without the need to use NAT. In other words, DMZ and Inside see each other using their own IP address/subnet.

Basically, you're now able to connect from DMZ to Inside using Inside's own IP address, while Inside, at the same time, is able to start/connect to DMZ using DMZ's original IP. You only need an ACL to restrict who can access what via what port on both sides.

Cheers!

AK
