We have a PIX 515E with 3 interfaces. The inside & dmz interfaces use "private" IP addresses, the outside interface uses a "public" ip address.
We have a web server on the DMZ that needs access to the internet through the "outside" interface of the firewall. We currently have "static (dmz, outside)" port translations, plus appropriate inbound access list (on the "outside" interface) which NAT's from "public" to the "private" IP of the web server, and allows access according to the inbound access-list.
Do I use "nat (dmz)" and "global (outside)" commands to enable the web server to access the internet? How does this NAT translation affect the current "static (dmz,outside)" commands and inbound access-list? Does the inbound access-list need to allow return traffic to the external (NAT'd) address of the web server?
Any help or explanation would be much appreciated.
Will allow all DMZ boxen to initiate connections to the outside world.
global (dmz) 1 192.168.0.1-192.168.0.254 netmask 255.255.255.0
Will allow the inside interface and machines on it to access on the DMZ interface all machines with IPs from 192.168.0.1 thru ....254
So, you most likely need both. This nat translation won't affect your static and inbound ACL - those commands are to allow communication from the outside in, and these two are necessary for DMZ-out and inside-DMZ respectively.
No, your inbound ACL on the outside int merely needs to allow for inbound http traffic to the statically mapped IP address. The PIX is stateful, and everything will be taken care of. The only way you could get in trouble is by creating an access list that is bound inbound on the dmz interface, which could limit traffic leaving the web server and going into the pix on the DMZ int.
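As an added example (not part of the original question or answer, and not the asker's actual configuration), here is a complete PIX 6.x fragment that puts the pieces discussed above side by side: the inbound static and ACL for the web server, the nat/global pair for DMZ-to-outside, the nat/global pair for inside-to-DMZ, and an optional egress ACL on the dmz interface. Every address, interface name, access-list name and the DNS server address is assumed for illustration; comment lines start with a colon as in PIX configuration output.

```text
: Assumed addressing: outside 203.0.113.0/24, dmz 192.168.0.0/24, inside 10.0.0.0/24
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

: Outside -> DMZ: public address for the web server (assumed 192.168.0.10)
: and the inbound ACL that permits only HTTP to the mapped address.
static (dmz,outside) 203.0.113.10 192.168.0.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

: DMZ -> outside: dynamic PAT of every DMZ host behind the outside interface address.
: The static above takes precedence for 192.168.0.10, so the web server's own
: outbound connections leave as 203.0.113.10; the other DMZ hosts use the PAT.
nat (dmz) 1 192.168.0.0 255.255.255.0
global (outside) 1 interface

: Inside -> DMZ: inside hosts appear in the DMZ as addresses from this pool.
: Inside -> outside reuses global (outside) 1 because the nat ID matches.
nat (inside) 1 10.0.0.0 255.255.255.0
global (dmz) 1 192.168.0.100-192.168.0.200 netmask 255.255.255.0

: Optional egress control on the dmz interface. Once an ACL is bound here the
: implicit deny applies, so every outbound service the web server needs must be
: listed; the deny to the inside network keeps the DMZ from reaching inside.
access-list dmz_in deny ip any 10.0.0.0 255.255.255.0
access-list dmz_in permit tcp host 192.168.0.10 any eq www
access-list dmz_in permit udp host 192.168.0.10 host 203.0.113.53 eq domain
access-group dmz_in in interface dmz

: After changing static/nat/global, clear existing translations so the new rules apply.
clear xlate
```

Two things worth checking against a config like this. First, the inbound ACL on outside only has to permit the new connections (here TCP/80 to 203.0.113.10); packets returning to connections the DMZ initiated are matched against the connection table, not the ACL, so nothing extra is needed for the web server's outbound traffic. Second, the precedence note only holds for a full static: if the existing mapping is a port static (static (dmz,outside) tcp 203.0.113.10 www 192.168.0.10 www ...), only that port is translated by it, and the server's other outbound connections fall through to nat (dmz) 1 / global (outside) 1 and leave as the interface address.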