06-12-2006 09:44 AM - edited 02-20-2020 09:37 PM
I have a DMZ that has DHCP configured with a range of 25 addresses. There are laptops that connect to wireless in the DMZ which have Integrity Agent installed on them, and are trying to contact an Integrity server located on the inside using port 5054. My problem is how do I account for these laptop users' NAT translation so they can access the inside Integrity server without keying in 25 separate static (inside,DMZ) statements? Does some alternative solution exist?
Thank you,
Bill
06-12-2006 09:49 AM
I would try using policy PAT. Specify the 25 addresses in the policy access-list and translate them to a single address or interface address.
06-12-2006 10:18 AM
Here is an example that might help:
access-list nat_DMZ_pool1_in_0 permit tcp 192.168.10.96 255.255.255.224 host 10.1.1.3 eq 5054
nat (DMZ) 1 access-list nat_DMZ_pool1_in_0 DMZ
The PAT pool (1) I used was 10.1.1.2
I used 192.168.10.1 as the DMZ address and 10.1.1.1 as the inside address for interfaces.
10.1.1.3 is the address of the inside server
06-12-2006 11:34 AM
I think I understand the concept, use an access list to select traffic to apply a NAT pool to, but am having difficulty with the config.
I've created the access list to capture the hosts in the DHCP pool:
access-list nat_DMZ_pool2_in permit tcp 192.168.32.96 255.255.255.224 host 10.6.6.15 eq 5054
then I configured NAT:
nat (DMZ) 2 access-list nat_DMZ_pool2_in 0 0
and the pool 2:
global (DMZ) 2 192.168.32.5
My DMZ interface address is 192.168.32.1.
My inside host is 10.6.6.15, port 5054.
Finally, I added a line to the access-list currently applied to my DMZ interface:
access-list dmz_access_in permit tcp host 192.168.32.5 host 10.6.6.15 eq 5054
But I'm missing something, because it's not working yet.
06-12-2006 12:46 PM
Change your access list applied to the DMZ interface to allow any source to the destination and see what happens. I am currently testing this on a PIX in my lab. I may have the policy PAT a bit off. When I am finished, I will post any changes I see that may be needed.
06-13-2006 05:24 AM
Changed the access-list, but still having trouble. I've attached an error the PDM produces about not supporting the policy NAT commands in my config. Also, here is part of my config.
access-list dmz_access_in remark Access to Integrity
access-list dmz_access_in permit tcp any host 10.6.6.15 eq 5054
access-list nat_DMZ_pool2_in permit tcp 192.168.10.96 255.255.255.224 host 192.168.32.99 eq 5054
(I also tried: access-list nat_DMZ_pool2_in permit tcp any host 192.168.32.99 eq 5054)
global (outside) 1 interface
global (DMZ) 1 interface
global (DMZ) 2 192.168.32.5
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 2 access-list nat_DMZ_pool2_in 0 0
nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
access-group dmz_access_in in interface DMZ
Thank you
06-16-2006 10:39 AM
I've found part of it. I found a sample config in my CCSP book:
nat (DMZ) 1 192.168.32.96 255.255.255.224 outside
global (inside) 1 10.4.0.50
The outside keyword in the nat statement is what did the trick. This statement allows my Integrity clients access to the integrity server, along with the access list. However, as soon as I apply that statement, my ability to reach the DMZ from the inside is lost.
06-19-2006 05:29 AM
How is your NAT to the DMZ handled? If it is a pool, then this is understandable. If it is, try changing your access from inside to DMZ to an interface PAT.
06-19-2006 08:49 AM
No, I was using interface PAT. It's strange, I haven't been able to figure it out yet, but now it is working without translation... I set up the ACL on the DMZ to allow traffic from that subset of hosts, 192.168.32.96/28, and communication now occurs between DMZ hosts and the Integrity server.
access-list dmz_access_in remark Access to Integrity
access-list dmz_access_in permit tcp 192.168.32.96 255.255.255.224 host 10.6.6.15 eq 5054
HummPIX-515# sh global
global (outside) 1 interface
global (inside) 1 interface
global (DMZ) 1 interface
HummPIX-515# sh run | include nat
access-list inside_outbound_nat0_acl permit ip any 10.1.100.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
06-19-2006 12:34 PM
Does the Server do a push to the clients, or do the clients contact the server for updates?
Do you have "nat control" turned off?
06-21-2006 04:08 AM
The clients check in with the server, initially when they connect to the network, and then periodically while connected. I'm not sure what "nat control" is.
06-21-2006 07:08 AM
NAT control allows or denies traffic through your firewall with or without NATting.
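The points this thread circles around (which `global` a `nat` id pairs with, why the `outside` keyword mattered in the 06-16 post, why an inbound DMZ ACL written for the translated address never matched, and what the "nat control" reply at the end refers to) can be made concrete with a small model of the PIX translation lookup. The Python below is an added illustration written for this page; it is not Cisco code and not anything the posters ran, and the behaviour it encodes is a deliberate simplification stated as assumptions: security levels inside=100, DMZ=50, outside=0; a flow entering interface A and leaving interface B is translated only by a `nat` rule on A whose id has a `global` on B; policy NAT (`nat ... access-list`) is consulted before address/mask `nat`; a `nat` rule only applies to a lower-to-higher security flow when it carries `outside`; with nat-control on, a translation is mandatory for higher-to-lower flows and, for lower-to-higher flows, only when outside NAT is enabled on the ingress interface; and the inbound interface ACL is matched against the packet's real (pre-NAT) source. The scenario host 192.168.32.100, the `Pix`/`lookup` names and the inside interface address are made up for the example; destination-side statics and the server's return path are not modelled.

```python
"""Toy model of PIX source-translation lookup for one flow.

Added illustration for this thread (not Cisco code). Encodes only the
assumptions listed in the lead-in: security levels, nat/global pairing by id
across ingress/egress, the 'outside' keyword, nat-control, and the fact that
the inbound ACL sees real source addresses."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

SECURITY = {"inside": 100, "DMZ": 50, "outside": 0}   # assumed security levels


@dataclass(frozen=True)
class Ace:
    """One 'access-list NAME permit tcp SRC DST eq PORT' entry."""
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None

    def matches(self, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        return src in self.src and dst in self.dst and self.dport in (None, dport)


@dataclass(frozen=True)
class Nat:
    """'nat (IFACE) ID {access-list ACL | NET MASK} [outside]'."""
    iface: str
    nat_id: int
    net: Optional[IPv4Network] = None      # address/mask form
    acl: Optional[Ace] = None              # policy NAT form
    outside: bool = False                  # needed for lower->higher flows (assumption)


@dataclass(frozen=True)
class Global:
    """'global (IFACE) ID {ADDR | interface}'."""
    iface: str
    nat_id: int
    addr: str


class Pix:
    def __init__(self, nats: List[Nat], globals_: List[Global],
                 access_groups: Dict[str, List[Ace]], iface_addr: Dict[str, str],
                 nat_control: bool = True) -> None:
        self.nats, self.globals = nats, globals_
        self.access_groups, self.iface_addr = access_groups, iface_addr
        self.nat_control = nat_control

    def _global_for(self, egress: str, nat_id: int) -> Optional[Global]:
        return next((g for g in self.globals
                     if g.iface == egress and g.nat_id == nat_id), None)

    def lookup(self, ingress: str, egress: str, src: str, dst: str,
               dport: int) -> Tuple[Optional[str], str]:
        """Return (source as seen on egress, explanation); source is None if dropped."""
        s, d = IPv4Address(src), IPv4Address(dst)
        # 1. The inbound interface ACL is evaluated against the real (pre-NAT) source.
        if ingress in self.access_groups and not any(
                a.matches(s, d, dport) for a in self.access_groups[ingress]):
            return None, f"denied by inbound ACL on {ingress}: real source {s} matches no entry"
        to_higher = SECURITY[egress] > SECURITY[ingress]
        notes: List[str] = []
        # 2. Policy NAT (nat with access-list) is consulted before address/mask nat.
        ordered = ([n for n in self.nats if n.iface == ingress and n.acl is not None]
                   + [n for n in self.nats if n.iface == ingress and n.net is not None])
        for n in ordered:
            hit = n.acl.matches(s, d, dport) if n.acl is not None else s in n.net
            if not hit:
                continue
            if to_higher and not n.outside:
                notes.append(f"nat ({ingress}) {n.nat_id} matched but has no 'outside' keyword")
                continue
            g = self._global_for(egress, n.nat_id)
            if g is None:
                notes.append(f"nat ({ingress}) {n.nat_id} matched but no global ({egress}) {n.nat_id} exists")
                continue
            mapped = self.iface_addr.get(egress, f"<{egress} interface address>") \
                if g.addr == "interface" else g.addr
            return mapped, f"translated by nat ({ingress}) {n.nat_id} / global ({egress}) {n.nat_id}"
        # 3. No usable translation: nat-control decides whether that is fatal.
        outside_nat_on_ingress = any(n.outside and n.iface == ingress for n in self.nats)
        must_translate = self.nat_control and (not to_higher or outside_nat_on_ingress)
        why = "; ".join(notes) or "no nat rule matched"
        if must_translate:
            return None, "dropped: nat-control requires a translation; " + why
        return str(s), "passed untranslated; " + why


INTEGRITY = IPv4Network("10.6.6.15/32")
LAPTOPS = IPv4Network("192.168.32.96/27")
IFACES = {"DMZ": "192.168.32.1"}          # only the DMZ address is given in the thread


def first_attempt() -> Pix:
    """The 06-12 config: policy nat 2 on DMZ, but its global is also on DMZ,
    and the DMZ ACL permits only the mapped address 192.168.32.5 as source."""
    policy = Ace(LAPTOPS, INTEGRITY, 5054)
    return Pix(
        nats=[Nat("DMZ", 2, acl=policy), Nat("DMZ", 1, net=IPv4Network("0.0.0.0/0"))],
        globals_=[Global("outside", 1, "interface"), Global("DMZ", 1, "interface"),
                  Global("DMZ", 2, "192.168.32.5")],
        access_groups={"DMZ": [Ace(IPv4Network("192.168.32.5/32"), INTEGRITY, 5054)]},
        iface_addr=IFACES)


def ccsp_fix() -> Pix:
    """The 06-16 config: 'nat (DMZ) 1 ... outside' paired with 'global (inside) 1'."""
    return Pix(
        nats=[Nat("DMZ", 1, net=LAPTOPS, outside=True)],
        globals_=[Global("inside", 1, "10.4.0.50")],
        access_groups={"DMZ": [Ace(IPv4Network("0.0.0.0/0"), INTEGRITY, 5054)]},
        iface_addr=IFACES)


def final_working() -> Pix:
    """The 06-19 config: interface PAT everywhere, no outside NAT, ACL on real sources."""
    return Pix(
        nats=[Nat("inside", 1, net=IPv4Network("0.0.0.0/0")),
              Nat("DMZ", 1, net=IPv4Network("0.0.0.0/0"))],
        globals_=[Global("outside", 1, "interface"), Global("inside", 1, "interface"),
                  Global("DMZ", 1, "interface")],
        access_groups={"DMZ": [Ace(LAPTOPS, INTEGRITY, 5054)]},
        iface_addr=IFACES)


if __name__ == "__main__":
    for name, pix in (("first attempt", first_attempt()), ("CCSP fix", ccsp_fix()),
                      ("final", final_working())):
        print(name, pix.lookup("DMZ", "inside", "192.168.32.100", "10.6.6.15", 5054))
```

Under these assumptions the first attempt fails at the ACL before NAT is even consulted, because the DMZ inbound ACL is compared with the laptop's real address, not the 192.168.32.5 it was meant to become; the CCSP variant translates the laptop to 10.4.0.50 because the `nat` rule carries `outside` and its id has a `global` on the egress (inside) interface; and the final configuration passes the flow untranslated since nothing requires a translation in the DMZ-to-inside direction, which is the state the 06-19 post describes.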