Cisco Support Community

New Member

PIX 515E V 8.0 (3) DMZ question

Hi,

A company is switching the ISP so the PIX515E IP needs to be changed. I found that the DMZ interface is using a public IP and a web server is using a public IP as well. Please see the configuration below:

...

name 206.x.x.211 DMZ-WEB

...

interface Ethernet0
 nameif outside
 security-level 0
 ip address 206.x.x.194 255.255.255.240
 ospf cost 10

...

interface Ethernet2
 speed 100
 nameif DMZ
 security-level 4
 ip address 206.x.x.209 255.255.255.240
 ospf cost 10

...

static (DMZ,outside) DMZ-WEB DMZ-WEB netmask 255.255.255.255

...

I found the web server is using IP 206.x.x.211 as its IP.

My question is:

1. Is this a normal configuration?

2. NAT translates itself, is it a good idea?

Thanks,

6 REPLIES

Re: PIX 515E V 8.0 (3) DMZ question

You see this often. I personally prefer to use a private address space, but using the public is OK. The ACL is more important than the NAT.

Cisco Employee

Re: PIX 515E V 8.0 (3) DMZ question

Even though it is not very common it is not wrong.

Usually people use local ip addresses in their dmz and translate them to global ones when going to the outside. That is usually because they don't have enough global ip addresses for their inside.

In your case, as long as you have the ips available I don't see a reason why you should not do identity nat and use the global ip addresses on the inside.

I hope it helps.

PK

New Member

Re: PIX 515E V 8.0 (3) DMZ question

Thank you for the help.

The current configuration is using two blocks of /28 IP, one for outside, one for the DMZ and one web server.

We'll switch to a new ISP and only one block of global IP can be used. So we'll use a private IP for the DMZ interface and will modify the "static" and "name" statements to do a real NAT. Is there any other command line that needs to be changed as well?

Thanks!

RQ

New Member

Re: PIX 515E V 8.0 (3) DMZ question

hi,

You would also need to change your outside ACL to authorize incoming traffic on the related servers' ports to the new NAT global IP address(es).

Regards

New Member

Re: PIX 515E V 8.0 (3) DMZ question

Thanks!

You're right. But I found that there're some ACLs like:

access-list outside_access_in extended permit tcp any host DMZ-WEB eq www

because the host is using a defined name "DMZ-WEB", so after the name definition is changed I don't have to change this ACL, right?

I may need to add some lines to permit inside users to access the web site or server. right?

The current configuration was done by ASDM, some places are hard to read. If I change it using CLI, can the change be seen in the ASDM screen?

I'm not an expert on PIX, so please advise!

I really appreciate it

RQ

New Member

Re: PIX 515E V 8.0 (3) DMZ question

One more question:

access-list outside_access_in extended...

and

access-list acl_out extended...

should be same?

PIX OS 8.0 has a lot of changes.

Thanks,

RQ
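The migration the thread discusses (private DMZ, real static NAT, outside ACL repointed to the global address), written out as an added example that is not from any poster in this thread. The addresses are constructed (203.0.113.0/28 as the assumed new public block, 10.10.10.0/24 as the assumed new DMZ); the name DMZ-WEB-GLOBAL is an assumed second name so that the outside ACL can keep referencing a name while still matching the translated address, which is what pre-8.3 PIX/ASA code requires on the outside interface.

```cisco
! constructed addresses: 203.0.113.0/28 = new public block, 10.10.10.0/24 = new private DMZ
! two names instead of one: the ACL must reference the GLOBAL address, the static the LOCAL one
name 10.10.10.11 DMZ-WEB
name 203.0.113.11 DMZ-WEB-GLOBAL
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.240
!
interface Ethernet2
 speed 100
 nameif DMZ
 security-level 4
 ip address 10.10.10.1 255.255.255.0
!
! real static NAT replaces the identity static: mapped (outside) address first, real (DMZ) address second
static (DMZ,outside) DMZ-WEB-GLOBAL DMZ-WEB netmask 255.255.255.255
!
! on 8.0 the outside ACL is evaluated before translation, so it must match the global address;
! leaving "host DMZ-WEB" here after repointing the name to 10.10.10.11 would stop matching inbound web traffic
access-list outside_access_in extended permit tcp any host DMZ-WEB-GLOBAL eq www
access-group outside_access_in in interface outside
```

Inside users reach the server at 10.10.10.11 directly (inside to DMZ is higher to lower security, so no ACL is needed unless one is applied on the inside interface); if they resolve the server's public DNS name instead, either point internal DNS at 10.10.10.11 or append the `dns` keyword to the static so the PIX rewrites the A record in DNS replies.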
