NAT configuration on a PIX

jgagznos
Level 1

Can anyone tell me what these NAT statements are doing?  Is this just a way of doing a NAT exemption between two interfaces?

static (DMZ,inside) 172.22.8.0 172.22.8.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 172.22.9.0 172.22.9.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 192.168.168.0 192.168.168.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 192.168.167.0 192.168.167.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 192.168.77.0 192.168.77.0 netmask 255.255.255.0 0 0

Thanks!

Accepted Solution

Jon Marshall
Hall of Fame

jgagznos wrote:

Can anyone tell me what these NAT statements are doing?  Is this just a way of doing a NAT exemption between two interfaces?

static (DMZ,inside) 172.22.8.0 172.22.8.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 172.22.9.0 172.22.9.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 192.168.168.0 192.168.168.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 192.168.167.0 192.168.167.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 192.168.77.0 192.168.77.0 netmask 255.255.255.0 0 0

Thanks!

They are presenting the DMZ networks to the inside as the same addresses. So in effect you are Natting but only to the same addresses.

Why this is happening I'm not sure, as it is more common to see -

static (inside,DMZ) .... statements, because you do not need a static statement to go from a higher to lower security interface, so I'm not sure what they are achieving.

Jon


4 Replies


Thanks, Jon - that makes sense and clarifies things for me.  I'm thinking that some of these statements are not really necessary (as you pointed out).  I appreciate the response!

It may be in use to allow Devices on the DMZ to make inbound connections, since most Inside addresses get PAT'd.  So, if something needs to come Inside from the DMZ this would address the NAT requirement, but you would still need an ACL to allow the lower to higher communication.

itrsllcceo wrote:

It may be in use to allow Devices on the DMZ to make inbound connections, since most Inside addresses get PAT'd.  So, if something needs to come Inside from the DMZ this would address the NAT requirement, but you would still need an ACL to allow the lower to higher communication.

Richard

That's not quite correct. If devices on the DMZ need to make inbound connections to the inside then you would use a

static (inside,DMZ) ..  statement.

so

static (inside,DMZ) 192.168.5.0 192.168.5.0 netmask 255.255.255.0 means

1) any inside source addresses of 192.168.5.x going to the DMZ will be presented as 192.168.5.x on the DMZ

2) any destination addresses of 192.168.5.x from devices on the DMZ to the inside will go to the same 192.168.5.x address on the inside

static (DMZ,inside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0 means

1) any DMZ source addresses of 192.168.5.x going to the inside will be presented as 192.168.5.x on the inside

2) any destination addresses of 192.168.5.x from devices on the inside will go to the same 192.168.5.x address on the DMZ

put more simply the static (inside,DMZ) statement assumes the IPs of 192.168.5.x are on the inside machines and the static (DMZ,inside) assumes the IPs of 192.168.5.x are on the DMZ machines.

Jon
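The two readings given in this thread for static (inside,DMZ) versus static (DMZ,inside) can be checked mechanically. The Python below is an added example, not code from the thread or from Cisco: it parses pre-8.3 PIX/ASA static statements (static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [max_conns [emb_limit]]) and applies them to a flow in both directions, so you can see which interface a given static assumes the addresses live behind, and that a source address arriving on the mapped side does not match at all. It goes beyond the identity case in the thread with one constructed non-identity static (192.168.50.0 mapped to 10.10.50.0) to show the same rule moving addresses when mapped and real differ. The interface names, security levels, sample config and flow addresses are constructed for illustration, and the needs_acl helper only restates the point made in the thread that a static never replaces the access-list required for lower-to-higher traffic.

```python
"""Model of pre-8.3 PIX/ASA 'static' semantics (added example, not from the thread).

Syntax modelled:
  static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [max_conns [emb_limit]]
The real addresses live behind real_ifc; the mapped addresses are what hosts
behind mapped_ifc see. Interface names, networks and flows below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

STATIC_RE = re.compile(
    r"^static\s+\((?P<real_ifc>[^,\s]+)\s*,\s*(?P<mapped_ifc>[^)\s]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+(?P<mask>\S+)"
    r"(?:\s+(?P<max_conns>\d+)(?:\s+(?P<emb_limit>\d+))?)?\s*$"
)


@dataclass(frozen=True)
class Static:
    real_ifc: str
    mapped_ifc: str
    real_net: ipaddress.IPv4Network
    mapped_net: ipaddress.IPv4Network
    max_conns: int = 0   # 0 = unlimited TCP connections through this static
    emb_limit: int = 0   # 0 = unlimited embryonic (half-open) connections

    @property
    def is_identity(self) -> bool:
        """True when mapped == real, i.e. the thread's 'NAT to the same address' case."""
        return self.real_net == self.mapped_net


def parse_static(line: str) -> Static:
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static statement: {line!r}")
    mask = m.group("mask")   # dotted netmask is accepted by ipaddress
    real_net = ipaddress.IPv4Network(f"{m.group('real')}/{mask}", strict=False)
    mapped_net = ipaddress.IPv4Network(f"{m.group('mapped')}/{mask}", strict=False)
    return Static(m.group("real_ifc"), m.group("mapped_ifc"), real_net, mapped_net,
                  int(m.group("max_conns") or 0), int(m.group("emb_limit") or 0))


def _rebase(addr, from_net, to_net):
    """Keep the host offset, swap the network: 10.10.50.7 in 10.10.50.0/24 -> x.x.x.7 in to_net."""
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.IPv4Address(int(to_net.network_address) + offset)


def explain(s: Static) -> str:
    how = "identity, addresses unchanged" if s.is_identity else "translated"
    return (f"hosts {s.real_net} sit behind '{s.real_ifc}' and are presented to "
            f"'{s.mapped_ifc}' as {s.mapped_net} ({how})")


def translate(statics, ingress, egress, src, dst):
    """Apply the first matching static to a flow; returns (new_src, new_dst, static_or_None).

    A static fires in two directions:
      real_ifc -> mapped_ifc : the SOURCE, if in real_net, is rewritten to mapped_net
      mapped_ifc -> real_ifc : the DESTINATION, if in mapped_net, is rewritten to real_net
    Anything else (e.g. a source address arriving on the mapped side) does not match.
    """
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for s in statics:
        if ingress == s.real_ifc and egress == s.mapped_ifc and src in s.real_net:
            return _rebase(src, s.real_net, s.mapped_net), dst, s
        if ingress == s.mapped_ifc and egress == s.real_ifc and dst in s.mapped_net:
            return src, _rebase(dst, s.mapped_net, s.real_net), s
    return src, dst, None


def needs_acl(levels, ingress, egress) -> bool:
    """NAT never grants access: a flow from a lower- to a higher-security interface
    still needs an access-list applied on the ingress interface."""
    return levels[ingress] < levels[egress]


# Constructed sample config: the thread's identity statics plus one real translation.
SAMPLE_CONFIG = """
static (DMZ,inside) 172.22.8.0 172.22.8.0 netmask 255.255.255.0 0 0
static (inside,DMZ) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
static (inside,DMZ) 192.168.50.0 10.10.50.0 netmask 255.255.255.0
"""
STATICS = [parse_static(line) for line in SAMPLE_CONFIG.splitlines() if line.startswith("static")]
LEVELS = {"inside": 100, "DMZ": 50, "outside": 0}   # constructed security levels

if __name__ == "__main__":
    for s in STATICS:
        print(explain(s))
    # DMZ host 172.22.8.10 reaching into the inside: matches (DMZ,inside) as source.
    print(translate(STATICS, "DMZ", "inside", "172.22.8.10", "10.1.1.5"))
    # DMZ host reaching 192.168.5.20: matches (inside,DMZ) as destination, so 192.168.5.x is assumed inside.
    print(translate(STATICS, "DMZ", "inside", "10.20.0.9", "192.168.5.20"))
    print("ACL needed for DMZ->inside:", needs_acl(LEVELS, "DMZ", "inside"))
```

Running it prints one line per static saying which interface the addresses are assumed to be behind, then the two flows: the (DMZ,inside) statics from the original question match a DMZ source, while the (inside,DMZ) form matches a destination that lives on the inside, which is exactly the asymmetry the thread describes. Swapping the 192.168.5.20 flow so that 192.168.5.20 is the DMZ source returns no match, because no static claims that network behind the DMZ.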
