01-13-2009 06:13 AM - edited 03-11-2019 07:36 AM
Hi all,
I have a PIX 515 which no one needs, and I was playing a bit, trying to do this:
On the inside interface I have 10.20.22.1 in VLAN 5, which has an SVI 10.20.22.254 on an L3 switch, which in turn is the default gateway for PC1.
On the PIX, another interface has 192.168.1.1 in VLAN 6 with no SVI, so the PIX is the default gateway for PC2.
PC2 is in this VLAN.
I need to access PC1 from PC2, and also the Internet, and I have not really found out how I have to do the NAT on the PIX from 192.168.1.0 to 10.20.22.254.
Inside has security level 100 and the other interface is 60.
Let's say that the outside interface is connected to the Internet and 10.20.22.0 is NATed behind a public IP.
It's a PIX 6.3.
Thanks,
V
01-13-2009 06:25 AM
V
So your PIX has 3 interfaces: inside, outside and a DMZ interface?
So for PC2 to access PC1:
PC1 = 10.20.22.10
PC2 = 192.168.1.10
static (inside,dmz) 10.20.22.10 10.20.22.10 netmask 255.255.255.255
access-list dmz_in permit ip host 192.168.1.10 host 10.20.22.10
access-group dmz_in in interface dmz
For the Internet, assuming your outside interface has a public IP address:
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
Jon
01-13-2009 06:37 AM
Jon,
Thanks for this. I did not express myself well and I apologize.
I wanted to NAT the LAN in the DMZ behind an IP in VLAN 5, because the L3 switch has routes to other networks such as 10.8.6.0 and 10.8.74.2, which are very well accessible from VLAN 5.
Thx
vlad
01-13-2009 06:58 AM
Vlad
Apologies, I misunderstood.
nat (dmz) 1 192.168.1.0 255.255.255.0 dmz
global (inside) 1 interface
Note that you may or may not need the "dmz" keyword at the end of the NAT statement. If one doesn't work, try the other.
Jon
01-13-2009 07:01 AM
We posted at the same time! :)
Thanks a lot
Vlad
01-13-2009 06:59 AM
I found this in an old document, but I am not sure what exactly it does.
It was not explained.
nat (dmz) x 192.168.1.0 255.255.255.0 outside
global (inside) x 10.20.22.11
Thanks,
Vlad
01-16-2009 01:25 AM
Good One Jon!
Please, I need to explain the static NAT example you wrote to one of my colleagues. Could you please help to explain "static (inside,dmz) 10.20.22.10 10.20.22.10 netmask 255.255.255.255", why the IP addresses are the same, or send me a link on this?
Thanks
01-16-2009 03:59 AM
Dave
"why the IP addresses are the same"
It's a bit of a PIX idiosyncrasy. Assuming you are using NAT, i.e. you have not disabled NAT with "no nat-control", then for traffic to be allowed from a lower to a higher security interface you need 2 things:
1) a static NAT translation
2) an access-list rule allowing the traffic
So you have a host on the inside with an IP address of 10.20.22.10 and you want to access it from the DMZ. You want to be able to connect to the host on the inside using its real IP address.
Now on other vendor firewalls I have worked with, you wouldn't need a NAT rule for this, because you only need a NAT rule when you want to change the IP address. But because of rule 1 above you still have to set up a NAT rule even though you want to use the same address, hence the reason you end up with
static (inside,DMZ) 10.20.22.10 10.20.22.10 netmask 255.255.255.255
Like I say, I have only come across this on a PIX/ASA.
Jon
01-16-2009 04:34 AM
Thanks,
I will give it a try on a Nokia firewall; hope that will work as well.
DAK
01-19-2009 12:12 PM
Ade,
This static NAT algorithm does not apply to Nokia Check Point, only PIX.
01-20-2009 12:33 AM
Thanks Francis,
You are right!
01-20-2009 04:32 AM
I am glad you found this topic interesting, but now I would like to post the solution for this PIX 6.3 issue in case someone is interested.
There is no bug as we previously thought, and no static is needed.
The only thing needed to make the DMZ access the inside is the NAT command and also the NAT 0.
So something like this:
nat (dmz) 1 192.168.1.0 255.255.255.0 outside
global (inside) 1 interface
nat (inside) 0 access-list dmz_in
where dmz_in is:
access-list dmz_in permit ip 10.20.22.0 255.255.255.0 192.168.1.0 255.255.255.0
Regards,
vlad
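The pieces the thread arrives at (vlad's outside NAT plus nat 0, and Jon's earlier point that a DMZ-to-inside connection needs both a translation and an access-list permit) written out as one complete PIX 6.3 fragment. This is an added example, not configuration taken from either poster or from a Cisco document. Interface addresses, security levels and the PC addresses come from the thread; the outside address 203.0.113.2/29 with gateway 203.0.113.1, the /24 masks on the 10.8.6.0 and 10.8.74.0 networks behind the L3 switch, the NAT ids 1 and 2, and the access-list names NONAT and dmz_in are assumptions. The lines beginning with `!` are annotations.

```cisco
! Interfaces and security levels as described in the thread: inside 100, dmz 60, outside 0.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security60
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.20.22.1 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0

! Default route to the ISP (assumed 203.0.113.1); the other internal networks sit behind
! the L3 switch SVI 10.20.22.254 (the /24 masks are assumed).
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.8.6.0 255.255.255.0 10.20.22.254 1
route inside 10.8.74.0 255.255.255.0 10.20.22.254 1

! NAT id 1: inside and DMZ reach the Internet as PAT behind the outside interface address.
nat (inside) 1 10.20.22.0 255.255.255.0
nat (dmz) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! NAT id 2 (kept separate from id 1 by choice): outside NAT. When a DMZ host opens a
! connection towards the inside, its source is rewritten to the inside interface address
! 10.20.22.1, so the L3 switch needs no route back to 192.168.1.0/24. This is the
! "outside" keyword the thread settles on, with the inside-side PAT on the interface IP.
nat (dmz) 2 192.168.1.0 255.255.255.0 outside
global (inside) 2 interface

! Inside hosts keep their real addresses towards the DMZ. nat 0 with an access-list is
! bidirectional on the PIX, so it also satisfies the "a translation must exist" rule for
! DMZ-initiated connections to these hosts (Jon's rule 1); it grants nothing by itself.
access-list NONAT permit ip 10.20.22.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! The alternative Jon described: an identity static for a single host. Use either this
! or the nat 0 above for 10.20.22.10, not both.
! static (inside,dmz) 10.20.22.10 10.20.22.10 netmask 255.255.255.255

! Jon's rule 2: lower-to-higher traffic is dropped unless an ACL applied inbound on the
! DMZ interface permits it. Permit only what the thread asks for (PC2 to PC1, the DMZ to
! the two routed networks, and the Internet), and log every other attempt at 10/8.
access-list dmz_in permit ip host 192.168.1.10 host 10.20.22.10
access-list dmz_in permit ip 192.168.1.0 255.255.255.0 10.8.6.0 255.255.255.0
access-list dmz_in permit ip 192.168.1.0 255.255.255.0 10.8.74.0 255.255.255.0
access-list dmz_in deny ip any 10.0.0.0 255.0.0.0 log
access-list dmz_in permit ip 192.168.1.0 255.255.255.0 any
access-group dmz_in in interface dmz

! Verification after changing NAT: drop stale translations, generate traffic from PC2 to
! PC1, then confirm the translation and the connection exist.
clear xlate
show xlate
show conn
```

Two points worth keeping in mind with this layout. Because of the outside NAT, PC1 and the L3 switch see every DMZ connection as coming from 10.20.22.1, so nothing on the inside can tell DMZ hosts apart; the PIX's own syslog (and the `log` keyword on the deny line) is the only record of which 192.168.1.x host did what. And since `nat 0 access-list` is bidirectional, the NONAT entry alone would make every host in 10.20.22.0/24 reachable from the DMZ; the dmz_in access-list is what actually enforces the policy, so keep its permit lines host- or network-specific rather than `any`.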
01-21-2009 12:27 AM
Hi Jon,
What if there is nat 0 (no NAT)? How would the static NAT look?
DAK