
New Member

PIX 515e Static NAT/DMZ Issue

I have a 515e, 6.3(4) with an internal interface and a DMZ. The DMZ interface is 10.0.20.1 and the outside interface is 69.xxx.yyy.188/28

I have setup a web server which is currently the only device in the DMZ. I need to make a static mapping to this box but for some reason I just can't get it to work. The web server's local address is 10.0.20.100 and the public address that I need to statically map it to is 69.xxx.yyy.187/28

Here's my config so far:

interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 69.xxx.yyy.188 255.255.255.240
ip address inside 192.168.20.1 255.255.255.0
ip address dmz 10.0.20.1 255.255.255.0
access-list dmz_in permit ip any any
access-list outside_in permit ip host 69.xxx.yyy.187 any
global (outside) 1 interface
global (dmz) 1 10.0.20.110-10.0.20.120
nat (inside) 1 Inside_LAN 255.255.255.0 0 0
nat (dmz) 1 dmz 255.255.255.0 0 0
static (outside,dmz) 10.0.20.100 69.xxx.yyy.187 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group dmz_in in interface dmz

I have the access-lists open for troubleshooting purposes... The global (dmz) statement is temporary so that I can access the DMZ from my inside network.

Any help would be greatly appreciated.

Thanks,

Paul


14 REPLIES
New Member

Re: PIX 515e Static NAT/DMZ Issue

Paul

You need to make the static mapping from the high security to low security interface:

i.e.

static (dmz,outside) 69.xx.yy.187 10.0.20.100 netmask 255.255.255.255

As you are allowing access from a low to high security interface you need an acl which should go as follows:

access-list outside_in permit ip any host 69.xx.yy.187

Above allows access from any ip to your web server.

Regds

New Member

Re: PIX 515e Static NAT/DMZ Issue

Thanks for the reply-

I actually got that line wrong in my posting. I do have static (dmz,outside) and not the other way around.

I did change my access list, as you were correct with that, but it still does not work. The access-list doesn't show any hits, either.

Any other suggestions?

Thanks,

Paul

Green

Re: PIX 515e Static NAT/DMZ Issue

Post your new config.

New Member

Re: PIX 515e Static NAT/DMZ Issue

Here is the newer config:

interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 69.xxx.yyy.188 255.255.255.240
ip address inside 192.168.20.1 255.255.255.0
ip address dmz 10.0.20.1 255.255.255.0
access-list dmz_in permit ip any any
access-list outside_in permit ip any host 69.xxx.yyy.187
global (outside) 1 interface
global (dmz) 1 10.0.20.110-10.0.20.120
nat (inside) 1 Inside_LAN 255.255.255.0 0 0
nat (dmz) 1 dmz 255.255.255.0 0 0
static (dmz,outside) 69.xxx.yyy.187 10.0.20.100 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group dmz_in in interface dmz

Green

Re: PIX 515e Static NAT/DMZ Issue

Nothing wrong there, clear xlate?

New Member

Re: PIX 515e Static NAT/DMZ Issue

Did it. Still no dice. That's why I'm so confused!

Green

Re: PIX 515e Static NAT/DMZ Issue

Have you tried using the interface IP instead, just to see if that works?

access-list outside_in permit ip any interface outside
static (dmz,outside) interface 10.0.20.100 netmask 255.255.255.255 0 0

New Member

Re: PIX 515e Static NAT/DMZ Issue

This PIX is actually in production right now, and there's no chance that I can do that, at least during business hours...

P

Green

Re: PIX 515e Static NAT/DMZ Issue

You are trying to hit 69.xxx.yyy.187 from outside the firewall right?

New Member

Re: PIX 515e Static NAT/DMZ Issue

Yes. I'm not THAT much of a newbie!

When inside of the network, however, I notice that as soon as I put in the static command the server loses internet access. It works fine with PAT, but of course then it isn't accessible from the outside.

Green (accepted solution)

Re: PIX 515e Static NAT/DMZ Issue

Haha, no offense you never know who you're dealing with. There was a similar post here within the last few days. I believe it was an arp issue on the isp router. Something to consider.

Hall of Fame Super Blue

Re: PIX 515e Static NAT/DMZ Issue

Hi

It shouldn't make a difference, but you do have overlapping NAT statements, i.e.

global (outside) 1 interface
nat (dmz) 1 dmz 255.255.255.0 0 0
static (dmz,outside) 69.xxx.yyy.187 10.0.20.100 netmask 255.255.255.255 0 0

If the web server is the only device in the DMZ, could you not just remove your

nat (dmz) 1 dmz 255.255.255.0 0 0

statement?

Jon

New Member

Re: PIX 515e Static NAT/DMZ Issue

Yeah, I know. I had that there because if I remove the static statement then I can get internet access on the box.

One thing that I just noticed - not sure if it makes a difference - on my internet router if I do a sh ip arp I see the arp from .187 as being incomplete.

Any thoughts?

New Member

Re: PIX 515e Static NAT/DMZ Issue

Mr. Comiskey-

Thanks for all of your help. You actually pointed me in the right direction to find the answer: The other guy that had this issue fixed it by turning on proxyarp. Worked for me too.

no sysopt noproxyarp outside

There it was, all along.

Thanks, guys

Paul
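The three things that went wrong across this thread (a static written from the low-security interface, a dynamic nat/global pair overlapping the static, and a mapped public address on the outside subnet with proxy ARP turned off) are all visible in the running config, so they can be checked before a change window rather than found from an incomplete ARP entry on the ISP router. The following is an added example, not code from Cisco or from anyone in the thread: a small lint script for PIX 6.3-style configs. The sample config is constructed from the one Paul posted, with the real public prefix replaced by the placeholder 69.0.0.x and the `Inside_LAN`/`dmz` name aliases written as numeric networks; the interpretation of `sysopt noproxyarp` follows the thread's resolution.

```python
"""Lint a PIX 6.3-style config for the static-NAT pitfalls discussed in the
thread. Added example, not Cisco's or the poster's code."""
import ipaddress
import re

# Constructed sample based on the posted config; 69.0.0.x is a placeholder
# for the real public prefix, and name aliases are written as networks.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 69.0.0.188 255.255.255.240
ip address inside 192.168.20.1 255.255.255.0
ip address dmz 10.0.20.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.20.0 255.255.255.0 0 0
nat (dmz) 1 10.0.20.0 255.255.255.0 0 0
static (dmz,outside) 69.0.0.187 10.0.20.100 netmask 255.255.255.255 0 0
sysopt noproxyarp outside
"""

# Same config with the dmz nat removed and proxy ARP left enabled.
FIXED_CONFIG = "\n".join(
    line for line in SAMPLE_CONFIG.splitlines()
    if not line.startswith(("nat (dmz)", "sysopt noproxyarp"))
) + "\n"


def parse_config(text):
    """Pull out the handful of statements the checks below need."""
    cfg = {"security": {}, "subnets": {}, "globals": set(),
           "nats": [], "statics": [], "noproxyarp": set()}
    for raw in text.splitlines():
        line = raw.strip()
        try:
            if m := re.match(r"nameif \S+ (\S+) security(\d+)$", line):
                cfg["security"][m[1]] = int(m[2])
            elif m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
                cfg["subnets"][m[1]] = ipaddress.ip_network(
                    f"{m[2]}/{m[3]}", strict=False)
            elif m := re.match(r"global \((\S+)\) (\d+)\b", line):
                cfg["globals"].add((m[1], int(m[2])))
            elif m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line):
                cfg["nats"].append((m[1], int(m[2]), ipaddress.ip_network(
                    f"{m[3]}/{m[4]}", strict=False)))
            elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", line):
                # static (real_ifc,mapped_ifc) mapped_ip real_ip ...
                cfg["statics"].append((m[1], m[2], ipaddress.ip_address(m[3]),
                                       ipaddress.ip_address(m[4])))
            elif m := re.match(r"sysopt noproxyarp (\S+)$", line):
                cfg["noproxyarp"].add(m[1])
        except ValueError:
            # `name` aliases, port statics and access-list based nat 0 are
            # not resolved by this small parser; skip those lines.
            continue
    return cfg


def lint(cfg):
    """Return (code, message) findings for each static in the config."""
    findings = []
    sec = cfg["security"]
    for real_if, mapped_if, mapped_ip, real_ip in cfg["statics"]:
        # 1. The real (first) interface must be the higher-security side.
        if sec.get(real_if, 0) < sec.get(mapped_if, 0):
            findings.append(("direction",
                f"static ({real_if},{mapped_if}) is written low-to-high; "
                f"expected static ({mapped_if},{real_if}) {real_ip} {mapped_ip}"))
        # 2. A dynamic nat/global pair on the same interfaces that also
        #    covers the real host overlaps the static (Jon's point).
        for nat_if, nat_id, net in cfg["nats"]:
            if (nat_if == real_if and real_ip in net
                    and (mapped_if, nat_id) in cfg["globals"]):
                findings.append(("overlap",
                    f"nat ({nat_if}) {nat_id} covers {real_ip} and pairs with "
                    f"global ({mapped_if}) {nat_id}, overlapping the static "
                    f"to {mapped_ip}"))
        # 3. A mapped address inside the mapped interface's own subnet is
        #    ARPed for directly by the next-hop router, so the PIX must be
        #    allowed to proxy-ARP on that interface.
        subnet = cfg["subnets"].get(mapped_if)
        if (subnet is not None and mapped_ip in subnet
                and mapped_if in cfg["noproxyarp"]):
            findings.append(("proxyarp",
                f"{mapped_ip} is on the {mapped_if} subnet {subnet} but "
                f"'sysopt noproxyarp {mapped_if}' is set; the upstream "
                f"router's ARP entry for it will stay incomplete"))
    return findings


def lint_text(text):
    return lint(parse_config(text))


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {name} ==")
        for code, msg in lint_text(text) or [("ok", "no findings")]:
            print(f"[{code}] {msg}")
```

Run against the sample it reports the overlap and the proxy-ARP problem; against the corrected config it reports nothing. The direction check fires on the first config Paul posted (static (outside,dmz) with the addresses reversed), which is the fix the first reply gave.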
