New Member

PIX 515 6.3 DMZ

Hi all,

I have a PIX 515 which no one needs and I was playing a bit trying to do this:

On the inside int I have 10.20.22.1 in Vlan 5 which has a SVI 10.20.22.254 on a L3 switch which at its turn is the default gateway for PC 1.

On the PIX another interface has 192.168.1.1 in vlan 6 with no SVI so the PIX is the default gateway for PC 2.

PC2 is in this VLAN.

I need to access PC1 from PC2 and also the internet, and I did not really find how I have to do the NAT in the PIX from 192.168.1.0 to 10.20.22.254.

Inside has security level 100 and the other interface is 60.

Let's say that the outside interface is connected to the internet and 10.20.22.0 is NAT-ed behind a public IP.

It's a PIX 6.3

Thanks,

V

1 ACCEPTED SOLUTION
Hall of Fame Super Blue

Re: PIX 515 6.3 DMZ

Vlad

Apologies, I misunderstood.

nat (dmz) 1 192.168.1.0 255.255.255.0 dmz

global (inside) 1 interface

Note that you may or may not need the "dmz" keyword at the end of the NAT statement. If one doesn't work try the other.

Jon

13 REPLIES
Hall of Fame Super Blue

Re: PIX 515 6.3 DMZ

V

So your PIX has 3 interfaces - inside, outside and a DMZ interface?

So for PC2 to access PC1:

PC1 = 10.20.22.10

PC2 = 192.168.1.10

static (inside,dmz) 10.20.22.10 10.20.22.10 netmask 255.255.255.255

access-list dmz_in permit ip host 192.168.1.10 host 10.20.22.10

access-group dmz_in in interface dmz

For internet - assuming your outside interface has a public IP address

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

Jon

New Member

Re: PIX 515 6.3 DMZ

Jon,

Thanks for this. I did not express myself well and I apologize.

I wanted to NAT the LAN in the DMZ behind an IP in VLAN 5 because the L3 switch has routes to other networks such as 10.8.6.0 and 10.8.74.2, which are very well accessible from VLAN 5.

Thx

vlad

New Member

Re: PIX 515 6.3 DMZ

We posted at the same time! :)

Thanks a lot

Vlad

New Member

Re: PIX 515 6.3 DMZ

I found this in an old document but I am not sure what exactly it does.

It was not explained.

nat (dmz) x 192.168.1.0 255.255.255.0 outside

global (inside) x 10.20.22.11

Thanks,

Vlad

New Member

Re: PIX 515 6.3 DMZ

Good One Jon!

Please, I need to explain the static NAT example you wrote to one of my colleagues. Could you please help explain "static (inside,dmz) 10.20.22.10 10.20.22.10 netmask 255.255.255.255" - why are the IP addresses the same - or send me a link on this?

Thanks

Hall of Fame Super Blue

Re: PIX 515 6.3 DMZ

Dave

"why the IP address are the same"

It's a bit of a PIX idiosyncrasy. Assuming you are using NAT, i.e. you have not disabled NAT with "no nat-control", then for traffic to be allowed from a lower to a higher security interface you need two things:

1) a static NAT translation

2) an access-list rule allowing the traffic

So you have a host on the inside with an IP address of 10.20.22.10 and you want to access it from the DMZ. You want to be able to connect to the host on the inside using its real IP address.

Now on other vendor firewalls I have worked with you wouldn't need a NAT rule for this, because you only need a NAT rule when you want to change the IP address. But because of rule 1 above you still have to set up a NAT rule even though you want to use the same address, hence the reason you end up with

static (inside,DMZ) 10.20.22.10 10.20.22.10 netmask 255.255.255.255

Like I say, I have only come across this on a PIX/ASA.

Jon

New Member

Re: PIX 515 6.3 DMZ

Thanks,

I will give it a try on a Nokia firewall; hope that will work as well.

DAK

New Member

Re: PIX 515 6.3 DMZ

Ade,

This static NAT algorithm does not apply to Nokia Checkpoint, only PIX.

New Member

Re: PIX 515 6.3 DMZ

Thanks Francis,

You are right!

New Member

Re: PIX 515 6.3 DMZ

I am glad you found this topic interesting, but now I would like to post the solution for this PIX 6.3 issue in case someone is interested.

There is no bug as we previously thought and no static is needed.

The only thing needed to make the DMZ access the inside is the NAT command and also the NAT 0.

So something like this:

nat (dmz) 1 192.168.1.0 255.255.255.0 outside

global (inside) 1 interface

nat (inside) 0 access-list dmz_in

where dmz_in is (inside LAN 10.20.22.0/24 as in this thread):

access-list dmz_in permit ip 10.20.22.0 255.255.255.0 192.168.1.0 255.255.255.0

Regards,

vlad
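The pieces worked out across this thread (Jon's lower-to-higher rule and vlad's nat/global plus nat 0 solution) collected into one PIX 6.3 fragment, added here as an illustration rather than taken from any post. Interface names and ethernet numbering, the /24 masks and the mask on the 10.8.6.0 route are assumptions; the addresses and the security levels 100/60 are the thread's own.

```cisco
! Added example (not from the thread). Interface names/ethernet numbers and the
! /24 masks are assumed; addresses and security levels come from the posts above.
nameif ethernet1 inside security100
nameif ethernet2 dmz security60
ip address inside 10.20.22.1 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0

! Networks beyond VLAN 5 are reached through the L3 switch SVI (mask assumed).
route inside 10.8.6.0 255.255.255.0 10.20.22.254 1

! DMZ hosts heading to the inside are hidden behind the PIX inside address.
! The "outside" keyword marks this as outside NAT, i.e. a translation applied
! to traffic arriving on the lower-security interface, which vlad's fix relies on.
nat (dmz) 1 192.168.1.0 255.255.255.0 outside
global (inside) 1 interface

! Exempt inside-to-DMZ traffic from translation (the nat 0 in vlad's post).
access-list inside_nonat permit ip 10.20.22.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nonat

! Alternative to the nat 0 line, per Jon's reply: an identity static for the one
! inside host that must be reachable. Use one approach or the other, not both.
! static (inside,dmz) 10.20.22.10 10.20.22.10 netmask 255.255.255.255

! The lower-security DMZ still needs an explicit permit towards the inside.
! Keep it to the hosts/networks actually required rather than "permit ip any any".
access-list dmz_in permit ip host 192.168.1.10 host 10.20.22.10
access-list dmz_in permit ip 192.168.1.0 255.255.255.0 10.8.6.0 255.255.255.0
access-group dmz_in in interface dmz

! Internet for the inside network via the outside interface address (Jon's
! nat/global pair, on a separate NAT id so it does not mix with id 1).
nat (inside) 2 10.20.22.0 255.255.255.0
global (outside) 2 interface

! After changing nat/global/static lines, flush stale translations and verify:
! clear xlate
! show xlate
! show nat
```

Existing outside addressing and the default route are left untouched; with the outside NAT line in place, an inside host sees DMZ-originated connections arriving from 10.20.22.1, not from 192.168.1.x, which is worth knowing when reading PC1's logs.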

New Member

Re: PIX 515 6.3 DMZ

Hi John,

What if there is nat 0 (no NAT)? How would the static NAT look?

DAK
