I have a PIX 515 which no one needs and I was playing a bit trying to do this:
On the inside int I have 10.20.22.1 in Vlan 5, which has an SVI 10.20.22.254 on a L3 switch, which in turn is the default gateway for PC 1.
On the PIX another interface has 192.168.1.1 in Vlan 6 with no SVI, so the PIX is the default gateway for PC 2.
PC 2 is in this vlan.
I need to access PC 1 from PC 2 and also the internet, and I did not really find out how I have to do the NAT in the PIX from 192.168.1.0 to 10.20.22.254.
Inside has 100 sec level and the other int is 60.
Let's say that the outside int is connected to the internet and 10.20.22.0 is NAT-ed behind a public IP.
It's a PIX 6.3
So your PIX has 3 interfaces - inside, outside and a DMZ interface?
So for PC2 to access PC1:
PC1 = 10.20.22.10
PC2 = 192.168.1.10
static (inside,dmz) 10.20.22.10 10.20.22.10 netmask 255.255.255.255
access-list dmz_in permit ip host 192.168.1.10 host 10.20.22.10
access-group dmz_in in interface dmz
For internet - assuming your outside interface has a public IP address
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
Thanks for this. I did not express myself well and I apologize.
I wanted to NAT the LAN in the DMZ behind an IP in Vlan 5 because the L3 switch has routes to other networks such as 10.8.6.0 and 10.8.74.2,
which are readily accessible from Vlan 5.
I found this in an old document but I am not sure what exactly it does.
It was not explained.
nat (dmz) x 192.168.1.0 255.255.255.0 outside
global (inside) x 10.20.22.11
Good One Jon!
Please, I need to explain the static NAT example you wrote to one of my colleagues. Could you please help explain "Static (inside,dmz) 10.20.22.10 10.20.22.20 netmask 255.255.255.255", why the IP addresses are the same, or send me a link on this?
"why the IP address are the same"
It's a bit of a PIX idiosyncrasy. Assuming you are using NAT, i.e. you have not disabled NAT with "no nat-control", then for traffic to be allowed from a lower to a higher security interface you need 2 things:
1) a static NAT translation
2) an access-list rule allowing the traffic
So you have a host on the inside with an IP address of 10.20.22.10 and you want to access it from the DMZ. You want to be able to connect to the host on the inside using its real IP address.
Now on other vendor firewalls I have worked with you wouldn't need a NAT rule for this, because you only need a NAT rule when you want to change the IP address. But because of rule 1 above you still have to set up a NAT rule even though you want to use the same address, hence the reason you end up with
static (inside,DMZ) 10.20.22.10 10.20.22.10 netmask 255.255.255.255
Like I say, I have only come across this on a PIX/ASA.
I am glad you found this topic interesting, but now I would like to post the solution for this PIX 6.3 issue in case someone is interested.
There is no bug as we previously thought, and no static is needed.
The only things needed to let the DMZ access the inside are the NAT command and also the NAT 0.
So something like this:
nat (DMZ) 1 192.168.1.0 255.255.255.0 outside
global (inside) 1 interface
nat (inside) 0 access-list dmz_in
where dmz_in is (inside LAN is 10.20.22.0/24, DMZ LAN is 192.168.1.0/24):
access-list dmz_in permit ip 10.20.22.0 255.255.255.0 192.168.1.0 255.255.255.0
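Pulling the pieces of this thread together, the following is a complete PIX 6.3 configuration for the approach settled on at the end (outside NAT from the DMZ toward the inside, plus a nat 0 exemption for the reverse direction), together with Jon's Internet PAT lines. This is an added example written for this page, not configuration posted by anyone in the thread. The interface names, the outside address 203.0.113.x, the host addresses 10.20.22.10 and 192.168.1.10 (taken from Jon's reply), the access-list names, the 10.8.x routes and the 10.0.0.0/8 deny are all assumptions; adapt them to your own addressing.

```text
! PIX 6.3 - consolidated example (added for this page, not from the thread).
! From the thread: inside 10.20.22.1 in vlan 5 (L3 switch SVI 10.20.22.254),
! dmz 192.168.1.1 in vlan 6 (the PIX is PC2's gateway), outside = public address.
! Assumed: ethernet0/1/2, 203.0.113.0/29 on the outside, PC1 10.20.22.10, PC2 192.168.1.10.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security60
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.20.22.1 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! The internal networks behind the L3 switch are only reachable via the SVI.
! Only 10.8.6.0 and 10.8.74.2 are named in the thread; masks are assumptions.
route inside 10.8.6.0 255.255.255.0 10.20.22.254 1
route inside 10.8.74.2 255.255.255.255 10.20.22.254 1

! 1. Inside and DMZ to the Internet: PAT behind the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! 2. DMZ to inside ("outside NAT"). The trailing keyword outside makes the nat
!    statement apply toward a higher-security interface, and global (inside)
!    supplies the vlan-5 address the DMZ hosts appear as. The L3 switch therefore
!    never needs a route back to 192.168.1.0/24; it just answers to 10.20.22.11,
!    for which the PIX proxy-ARPs. 10.20.22.11 is the spare vlan-5 address from
!    the thread; "global (inside) 2 interface" would hide the DMZ behind
!    10.20.22.1 instead. A separate NAT id keeps this apart from the Internet PAT.
nat (dmz) 2 192.168.1.0 255.255.255.0 outside
global (inside) 2 10.20.22.11

! 3. Once outside NAT is configured on an interface pair, flows in the other
!    direction (inside -> dmz) also need a translation. nat 0 with an access-list
!    creates identity translations for exactly that traffic, so PC1 reaches PC2
!    by its real address and no static is required. The ACL name is an
!    assumption; do not reuse the name of the interface ACL in step 4.
access-list INSIDE_DMZ_NONAT permit ip 10.20.22.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE_DMZ_NONAT

! 4. Lower-to-higher traffic still needs an access-list even with the xlate in
!    place. Least privilege: name the inside destinations PC2 actually needs,
!    block the rest of 10/8 (assumption about what else lives behind the switch),
!    then allow everything else for Internet access. Once an ACL is bound to dmz
!    it governs all traffic entering that interface, including dmz -> outside.
access-list DMZ_IN permit ip 192.168.1.0 255.255.255.0 10.20.22.0 255.255.255.0
access-list DMZ_IN permit ip 192.168.1.0 255.255.255.0 10.8.6.0 255.255.255.0
access-list DMZ_IN permit ip 192.168.1.0 255.255.255.0 host 10.8.74.2
access-list DMZ_IN deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list DMZ_IN permit ip 192.168.1.0 255.255.255.0 any
access-group DMZ_IN in interface dmz

! L3 switch side (IOS, assumed), so vlan-5 hosts reach PC2 by its real address
! and the Internet through the PIX:
!   ip route 0.0.0.0 0.0.0.0 10.20.22.1
!   ip route 192.168.1.0 255.255.255.0 10.20.22.1

! Check: from PC2 ping 10.20.22.10, then on the PIX
!   show xlate                  (192.168.1.10 mapped to 10.20.22.11)
!   show access-list DMZ_IN     (hit counts on the first permit line)
```

One trade-off to be aware of with this design: everything on vlan 5 and behind the L3 switch sees the whole DMZ as the single address 10.20.22.11, so logs and ACLs on the switch side cannot tell DMZ hosts apart. The PIX xlate table and syslog keep the real-to-mapped mapping, so keep that logging if per-host attribution matters. If you would rather keep real addresses visible on the inside, Jon's earlier static (inside,dmz) identity entry plus a route to 192.168.1.0/24 on the switch is the alternative.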