01-16-2004 08:02 PM - edited 03-09-2019 06:09 AM
Is it possible to access a server in the DMZ with both its public IP (with DNAT by the alias command) and its private IP (with NAT 0 when going from inside to the DMZ with the real IP of the DMZ server)?
We have a requirement with the PIX: a few hosts in the inside network (from the same subnet) should access the DMZ server with its real IP (private), and a few others with the public IP address (statically translated from DMZ to outside).
Thanks for your time.
01-17-2004 03:25 PM
I don't think it is possible. Once the alias command is in place, it will always try to do its function. You can try to do static translation with an access-list along with DNAT (not alias).
01-17-2004 09:01 PM
I don't understand the difference between doing DNAT with the alias command and the static command; is there any difference?
Could you post the configuration that you are thinking of?
01-18-2004 07:23 PM
Hi,
Basically, functioning-wise, there is no difference. BUT
using DNAT, you have the luxury of defining access-lists in your static translation, which you can't do otherwise with alias.
Basically you need to combine policy NAT (as per this link http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1113601) with DNAT.
DNAT is nothing more than using a static translation like this:
static (high,low)
I am just giving you an idea; I need to work on the exact example though.
01-19-2004 11:39 PM
Hi Nadeem,
The below works on a PIX515E-UR with 6.3(3).
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
names
name 192.168.2.10 WWW-MAIL-DNS
name 192.168.1.100 pdm-inside
name 210.210.210.50 PUBLICMAILServer
access-list nonat permit ip host pdm-inside host WWW-MAIL-DNS
access-list nonat permit ip host pdm-inside host PUBLICMAILServer
ip address outside 210.210.210.1 255.255.255.0
ip address inside 192.168.1.250 255.255.255.0
ip address DMZ 192.168.2.250 255.255.255.0
global (outside) 1 201.201.201.100
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (DMZ,outside) PUBLICMAILServer WWW-MAIL-DNS netmask 255.255.255.255 0 0
alias (inside) 210.210.210.50 192.168.2.10
conduit permit icmp any any echo-reply
route outside 0.0.0.0 0.0.0.0 210.210.210.200 1
The above configuration uses "alias" for DNAT.
I also tried DNAT by the static command as below:
static (DMZ,inside) 210.210.210.50 192.168.2.10
In either case the result is the same. I can access the DMZ server with both the public (210.210.210.50) and private (192.168.2.10) address for most of the services running on TCP and UDP. Only PING fails with the real IP. Anyway, PING is not required by the customer.
If I am not mistaken, the syntax for DNAT with static is
static (low,high)
isn't it? Please update me if there is any problem with the above config.
Thanks for your time.
Subba
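As an added illustration (not code from the thread, from Subba, or from Cisco): a small Python model of how the configuration posted above handles a packet entering the inside interface, parsing the posted lines directly. The processing order it assumes (destination rewrite, then the nat 0 access-list, then nat 1 using a global on the egress interface) and the rule that a nat 1 host with no global on the egress interface gets no translation are modelling assumptions; the alias line is modelled as the thread reports it behaving (inside hosts reach the real DMZ address via the public one).

```python
import ipaddress
CONFIG = """
name 192.168.2.10 WWW-MAIL-DNS
name 192.168.1.100 pdm-inside
name 210.210.210.50 PUBLICMAILServer
access-list nonat permit ip host pdm-inside host WWW-MAIL-DNS
access-list nonat permit ip host pdm-inside host PUBLICMAILServer
ip address outside 210.210.210.1 255.255.255.0
ip address DMZ 192.168.2.250 255.255.255.0
global (outside) 1 201.201.201.100
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (DMZ,outside) PUBLICMAILServer WWW-MAIL-DNS netmask 255.255.255.255 0 0
alias (inside) 210.210.210.50 192.168.2.10
"""  # the lines from the posted config that decide how inside-sourced packets are handled

def parse(cfg):
    names, acls, ifaces, glob, dnat, nat0, nat1 = {}, {}, {}, {}, {}, [], []
    r = lambda x: names.get(x, x)  # resolve a 'name' label to its address
    for line in cfg.strip().splitlines():
        t = line.split()
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[0] == "access-list":  # only 'permit ip host A host B' lines occur here
            acls.setdefault(t[1], []).append((r(t[5]), r(t[7])))
        elif t[0] == "ip":
            ifaces[t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[0] == "global":
            glob[t[1].strip("()")] = t[3]
        elif t[0] == "nat" and t[2] == "0":
            nat0 = acls[t[4]]
        elif t[0] == "nat":
            nat1.append(ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False))
        elif t[0] == "static":  # static (real_if,mapped_if) mapped real: rewrite seen on mapped_if
            dnat.setdefault(t[1].strip("()").split(",")[1], {})[r(t[2])] = r(t[3])
        elif t[0] == "alias":  # modelled as reported in the thread: public dst -> real dst on inside
            dnat.setdefault(t[1].strip("()"), {})[t[2]] = t[3]
    return ifaces, glob, nat0, nat1, dnat

def translate_from_inside(cfg, src, dst):
    """One packet entering 'inside': (src, dst, egress) after translation, or None if untranslatable."""
    ifaces, glob, nat0, nat1, dnat = parse(cfg)
    real_dst = dnat.get("inside", {}).get(dst, dst)  # destination NAT first (model assumption)
    egress = next((i for i, n in ifaces.items()
                   if i != "inside" and ipaddress.ip_address(real_dst) in n), "outside")
    if (src, dst) in nat0 or (src, real_dst) in nat0:  # nat 0 match: source left untouched
        return src, real_dst, egress
    if any(ipaddress.ip_address(src) in n for n in nat1) and egress in glob:
        return glob[egress], real_dst, egress  # nat 1: source becomes the egress global
    return None  # nat 1 host but no global on this egress (the DMZ here): assumed to get no translation
```

Under these assumptions the model shows only the host in the nonat list reaching the DMZ server (by either address); other inside hosts have no global on the DMZ interface to translate to.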