07-14-2006 05:19 AM - edited 03-09-2019 03:35 PM
Hello,
Sorry, but I have a problem.
I have a PIX Firewall 515 with three interfaces: inside, DMZ and outside.
inside 10.34.10.0
dmz 192.168.1.0
outside 151.x.x.x
I need to reach the DMZ clients from inside and vice versa without NAT, and the DMZ needs to reach the Internet with NAT.
I configured:
nat (dmz) 2 192.168.1.0 255.255.255.0 0 0
global (outside) 2 151.x.x.1
access-list dmz_inside_in line 1 permit ip 192.168.1.0 255.255.255.0 any
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
I can't reach the hosts from inside to DMZ or vice versa.
07-14-2006 06:01 AM
If you don't want NAT, use the special 0 NAT group:
nat (inside) 0 192.168.1.0 255.255.255.0
This disables the NAT process.
When going from a higher (inside) to lower (dmz) interface, you don't - by default - need to specify an ACL. Of course, your ACL doesn't actually do anything unless you apply it.
HTH,
Terry
07-14-2006 06:16 AM
Thanks,
but I need to use NAT for Internet access from the DMZ,
and not use NAT from the DMZ to inside.
07-14-2006 02:01 PM
Hi,
Do the following:
static
Static
I hope this is helpful!
I think this document will help you.
Please rate if it does!
Thanks
Abd Alqader
07-14-2006 01:51 PM
The old rule used to be "high security -> low = nat+global, low -> high = static+ACL", although it gets more confusing when you have more interfaces and don't always want to NAT.
A traffic flow is always source->destination and therefore only involves two interfaces. So think of your traffic as being flows between two interfaces. Here we have two flows: when dmz accesses internet dmz=high, internet=low; when dmz accesses inside, inside=high, dmz=low. Therefore you're needing nat+global for the dmz->internet, and static for dmz->inside.
You have the correct lines to NAT your internet access:
nat (dmz) 2 192.168.1.0 255.255.255.0 0 100
global (outside) 2 151.x.x.1
The next line allows inside IPs to be visible to the DMZ (you still need an ACL to permit the traffic):
static (inside,dmz) 10.34.10.0 10.34.10.0 netmask 255.255.255.0
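Putting the pieces from this thread together, here is the complete PIX 6.x configuration for the two flows described above (added example, not the poster's own config; the ACL name dmz_in is an assumption, and 151.x.x.1 is the masked global address from the original post):

```text
! --- Flow 1: dmz -> internet (dmz=high, internet=low): nat + global ---
! DMZ hosts are PAT'd to the single outside address when going to a
! lower-security interface (outside only, since inside is higher).
nat (dmz) 2 192.168.1.0 255.255.255.0
global (outside) 2 151.x.x.1

! --- Flow 2: dmz -> inside (inside=high, dmz=low): static + ACL ---
! Identity static: inside hosts appear to the DMZ with their real
! 10.34.10.x addresses, so no translation takes place in either direction.
static (inside,dmz) 10.34.10.0 10.34.10.0 netmask 255.255.255.0

! Low-to-high traffic also needs an explicit permit. Restrict it to the
! inside subnet rather than "any", so DMZ hosts cannot use this rule to
! reach anything else through the firewall.
access-list dmz_in permit ip 192.168.1.0 255.255.255.0 10.34.10.0 255.255.255.0
! The access-list has no effect until it is bound to the DMZ interface.
access-group dmz_in in interface dmz

! Inside -> dmz (high -> low) is allowed by default and uses the same
! identity static, so no extra nat statement is required for that flow.
```

Verify with "show xlate" after a test connection: DMZ-to-inside sessions should show no translation while DMZ-to-Internet sessions should show the 151.x.x.1 PAT address.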
07-25-2006 12:54 AM
Gurus, what if, in this exact situation, I want to NAT the source addresses of traffic coming from the DMZ to inside? Is that possible?
And what actually happens when you reverse the interfaces in the static line?
Like: static (DMZ,inside) x.x.x.x x.x.x.x netmask x.x.x.x