I was trying to configure outside nat to allow a host on the dmz (FLSM) interface to telnet to a host on the inside interface. I gave up and called cisco tac. They were able to get it to work for me by combining a nat 0 command with outside nat. But I don't understand how this works. There's a good possibility that I'll have to duplicate, troubleshoot or modify the configuration and I want to know how this works before I get into a situation where I'm making changes and not understanding their impact.
The main rule that I follow when tshooting/understanding the pix is that it goes:
Into the interface>ACL>NAT>Routing>out another interface.
It looks to me like:
1. traffic hits the FLSM interface
2. traffic passes the ACL (permit ip any any)
3. traffic from the FLSM interface to the inside is not being nat'd via the nat 0 command except for traffic to 192.168.3.3
4. the line "static (inside,FLSM) 192.168.3.3 192.168.3.3 netmask 255.255.255.255 0 0" lets the pix accept traffic for that ip on the FLSM interface
5. the pix forwards the traffic out the inside interface to the real host 192.168.3.3
Even that doesn't quite seem to make sense.
Why is there a nat 0 command at all?
Why is 192.168.3.3 not not nat'd? (Not a typo.)
Where does the outside nat statement get applied "nat (FLSM) 2 192.168.110.0 255.255.255.0 outside 0 0"?
Here's the config:
515e# sh ru
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 FLSM security50
enable password xxx encrypted
passwd xxx encrypted
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list FLSM permit ip any any
access-list FLSM1 deny ip any host 192.168.3.3
access-list FLSM1 permit ip any 192.168.0.0 255.255.0.0
is presenting the internal server 192.168.3.3 to the DMZ as 192.168.3.3. It's a peculiarity of the pix that even when you don't want to change the address you still have to set up NAT. With other vendor firewalls you don't need this.
The second bit is a bit more confusing. The nat (FLSM) 0 statement says do not translate the DMZ addresses to anything else. So within your network there must be a route back to the 192.168.110.0 DMZ network.
I agree that the nat FLSM 2 statement is confusing. What this is saying is translate all the DMZ 192.168.110.0 addresses to the inside interface address when traffic comes from the DMZ to the inside.
I suspect the nat 0 is overriding this. Either should work as far as I can see.
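As an added illustration, not from the thread or from Cisco, here is a small Python model of the source-translation decision for the NAT statements quoted in this thread. It assumes the PIX 6.3 evaluation order of nat 0 access-list exemption before dynamic nat/global, that the truncated config also carries a "global (inside) 2 interface" for the outside-NAT statement, and uses 192.168.1.1 as a placeholder inside interface address.

```python
import ipaddress

# Constructed model of the NAT statements quoted in this thread. Assumptions:
# the truncated config also has "global (inside) 2 interface" so that
# "nat (FLSM) 2 192.168.110.0 255.255.255.0 outside 0 0" has a pool, and the
# inside interface address is the placeholder 192.168.1.1.
INSIDE_IF_ADDR = "192.168.1.1"

# access-list FLSM1: deny ip any host 192.168.3.3 / permit ip any 192.168.0.0 255.255.0.0
NAT0_EXEMPT_ACL = [
    ("deny", ipaddress.ip_network("192.168.3.3/32")),
    ("permit", ipaddress.ip_network("192.168.0.0/16")),
]
# static (inside,FLSM) 192.168.3.3 192.168.3.3 netmask 255.255.255.255
STATIC_IDENTITY = {ipaddress.ip_address("192.168.3.3")}
# nat (FLSM) 2 192.168.110.0 255.255.255.0 outside
OUTSIDE_NAT_SRC = ipaddress.ip_network("192.168.110.0/24")


def acl_action(acl, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, net in acl:
        if dst in net:
            return action
    return "deny"


def inside_host_reachable_from_flsm(dst):
    """Lower-security (FLSM) to higher-security (inside) traffic needs a
    static for the inside host; the identity static provides exactly that."""
    return ipaddress.ip_address(dst) in STATIC_IDENTITY


def translate_source_flsm_to_inside(src, dst):
    """Source translation for a packet from FLSM to inside, checked in the
    PIX 6.3 order: exemption (nat 0 access-list) first, then dynamic nat
    with a matching global (the outside-NAT statement here)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if acl_action(NAT0_EXEMPT_ACL, dst) == "permit":
        return str(src), "nat (FLSM) 0 access-list FLSM1: source left untranslated"
    if src in OUTSIDE_NAT_SRC:
        return INSIDE_IF_ADDR, "nat (FLSM) 2 ... outside + global (inside) 2 interface"
    return None, "no nat rule matched: PIX drops the packet"


if __name__ == "__main__":
    for dst in ("192.168.3.3", "192.168.5.5"):
        print(dst, translate_source_flsm_to_inside("192.168.110.10", dst),
              "static present:", inside_host_reachable_from_flsm(dst))
```

Running it shows why the deny line in FLSM1 matters: for 192.168.3.3 the exemption does not match, so the DMZ source falls through to the outside-NAT statement, while any other inside destination leaves the source untranslated and still needs its own static to be reachable.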