
New Member

Bypass NAT from DMZ to inside but not to outside

I have a PIX 515E with 3 interfaces. I've setup 2 interface pixes before but am finding the dmz more difficult so would really appreciate some advice!

inside=LANA + PRIVATE NETWORKS

dmz=LANB

outside=internet

LANA = 212.167.25.0/24 (example public address) and has links to many other private networks which are using various 10.0.0.0 private subnets

LANB is a private 10.2.2.0/24 network

Now I wish to set up the firewall in such a way that all traffic from inside to dmz and vice versa is NOT NATed. However, to the internet I wish to PAT everything from dmz and inside networks except the LANA(Public range).

Could someone help me out with the correct global translations to achieve this please?

I was thinking perhaps:

global (outside) 10 interface

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

nat (inside) 0 212.167.25.0 255.255.255.0 0

nat (dmz) 10 0.0.0.0 0.0.0.0 0 0

Now this will do interface PAT to the internet from everything except 212.167.25.0/24 am I correct? However, how do I setup the dmz interface to not NAT to inside, but to use the global to the internet?

Many thanks for any help you can give!

4 REPLIES
Purple

Re: Bypass NAT from DMZ to inside but not to outside

Hi,

Your config will work exactly as you intended. You do not have to worry about traffic from your DMZ to the inside zone getting NAT'ed. By default, NAT/PAT applies only to traffic from more secure interfaces to less secure interfaces. In this case, traffic would go from a less secure interface (DMZ) to a more secure interface (inside) so NAT'ing will not happen. If you did want that to happen, you would have to configure outside NAT.

Hope that helps - pls rate posts that help.

Regards,

Paresh

New Member

Re: Bypass NAT from DMZ to inside but not to outside

OK, that's great, thanks for your help!

What about if I wanted to connect to hosts in the DMZ range though from the inside? As this is more secure to less secure won't this get NATed? If it is would I still have to setup a static translation for everything to itself even when using NAT 0 or is this unnecessary?

As I want all traffic from dmz to inside and inside to dmz to be allowed and not to NAT to each other could I set the dmz interface to security level 100 so that it's equal to the inside and bypass NAT that way or is this not possible?

Many thanks again

Re: Bypass NAT from DMZ to inside but not to outside

Unfortunately the pix does not allow you to set two interfaces to the same security level and let traffic pass between them.

Patrick

Cisco Employee

Re: Bypass NAT from DMZ to inside but not to outside

Hi,

Your config is fine; however, the behaviour of NAT with ID 0 is somewhat different. It's called Identity NAT, which means that unless the connection is initiated from the higher security zone for which we have identity NAT configured, no one will be able to access it from the lower security zone, and as you have mentioned that you will also need to access the inside zone from the DMZ, it may not work properly.

Do you have to access the LAN A + private network from DMZ ?

If yes then

remove

nat (inside) 0 212.167.25.0 255.255.255.0 0

and config this.

static (inside,outside) 212.167.25.0 212.167.25.0 netmask 255.255.255.0 0

static (inside,dmz) 212.167.25.0 212.167.25.0 netmask 255.255.255.0 0

static (inside,dmz) private_network private_network netmask x.x.x.x

Also make sure to configure the access list on DMZ to allow what all connection/hosts/port you want to allow from DMZ to Inside.

Hope this helps.

Regards,

Tanveer
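To make the difference between the two configurations concrete, here is a small Python model of the PIX translation lookup as the replies above describe it (NAT applied only from a higher- to a lower-security interface; `nat 0` identity NAT keeping the address but not letting the lower-security side initiate; an identity `static` publishing the inside networks to the DMZ). This is an added example, not Cisco code and not from anyone in the thread; it assumes security levels of inside=100, dmz=50, outside=0, uses 10.1.0.0/16 as a stand-in for Tanveer's unspecified `private_network`, and uses constructed sample hosts (198.51.100.7 is a documentation address standing in for an internet host).

```python
"""Toy model of the PIX 6.x translation lookup for the inside/dmz/outside design.

Constructed example, not Cisco's implementation. It encodes only the rules
stated in the thread. Security levels are assumed (dmz=50 is illustrative).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

SECURITY = {"inside": 100, "dmz": 50, "outside": 0}  # assumed levels


@dataclass(frozen=True)
class Nat:      # nat (iface) id net mask
    iface: str
    nat_id: int
    net: IPv4Network


@dataclass(frozen=True)
class Global:   # global (iface) id interface   (interface PAT)
    iface: str
    nat_id: int


@dataclass(frozen=True)
class Static:   # static (real_iface,mapped_iface) mapped real netmask mask
    real_iface: str
    mapped_iface: str
    mapped: IPv4Network
    real: IPv4Network


@dataclass(frozen=True)
class Verdict:
    allowed: bool   # does some translation let this connection exist?
    action: str     # what the model says the PIX would do


Config = Tuple[List[Nat], List[Global], List[Static]]


def _find_static(statics: List[Static], real_iface: str, mapped_iface: str,
                 real_ip: Optional[IPv4Address] = None,
                 mapped_ip: Optional[IPv4Address] = None) -> Optional[Static]:
    for s in statics:
        if (s.real_iface, s.mapped_iface) != (real_iface, mapped_iface):
            continue
        if real_ip is not None and real_ip in s.real:
            return s
        if mapped_ip is not None and mapped_ip in s.mapped:
            return s
    return None


def lookup(cfg: Config, src_iface: str, dst_iface: str, src: str, dst: str) -> Verdict:
    nats, globals_, statics = cfg
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    if SECURITY[src_iface] > SECURITY[dst_iface]:
        # Outbound: a static for the source wins, else the most specific nat entry.
        s = _find_static(statics, src_iface, dst_iface, real_ip=src_ip)
        if s is not None:
            kind = "identity static" if s.mapped == s.real else "static"
            return Verdict(True, f"{kind} ({src_iface},{dst_iface}): {src_ip} kept")
        cands = [n for n in nats if n.iface == src_iface and src_ip in n.net]
        if not cands:
            return Verdict(False, "no nat entry for source: dropped")
        n = max(cands, key=lambda x: x.net.prefixlen)   # longest match wins
        if n.nat_id == 0:
            return Verdict(True, f"nat 0 identity: {src_ip} kept, no translation")
        if any(g.iface == dst_iface and g.nat_id == n.nat_id for g in globals_):
            return Verdict(True, f"PAT to {dst_iface} interface address (id {n.nat_id})")
        return Verdict(False, f"nat id {n.nat_id} has no global on {dst_iface}: dropped")
    # Inbound (lower -> higher): the destination must be published by a static on
    # the higher-security interface; nat 0 alone is not enough (Tanveer's point).
    s = _find_static(statics, dst_iface, src_iface, mapped_ip=dst_ip)
    if s is not None:
        offset = int(dst_ip) - int(s.mapped.network_address)
        real = IPv4Address(int(s.real.network_address) + offset)
        return Verdict(True, f"static: {dst_ip} -> {real}, subject to ACL on {src_iface}")
    if any(n.iface == dst_iface and n.nat_id == 0 and dst_ip in n.net for n in nats):
        return Verdict(False, f"nat 0 identity on {dst_iface} only: not reachable from {src_iface}")
    return Verdict(False, "no static for destination: dropped")


def original_config() -> Config:
    """The original poster's candidate config, as written in the thread."""
    nats = [Nat("inside", 10, ip_network("0.0.0.0/0")),
            Nat("inside", 0, ip_network("212.167.25.0/24")),
            Nat("dmz", 10, ip_network("0.0.0.0/0"))]
    return nats, [Global("outside", 10)], []


def revised_config() -> Config:
    """Tanveer's revision: nat 0 replaced by identity statics (10.1.0.0/16 is an
    assumed placeholder for the thread's unspecified private_network)."""
    nats, globals_, _ = original_config()
    nats = [n for n in nats if n.nat_id != 0]
    lan_a, priv = ip_network("212.167.25.0/24"), ip_network("10.1.0.0/16")
    statics = [Static("inside", "outside", lan_a, lan_a),
               Static("inside", "dmz", lan_a, lan_a),
               Static("inside", "dmz", priv, priv)]
    return nats, globals_, statics


FLOWS = [  # (src_iface, dst_iface, src, dst): constructed sample hosts
    ("inside", "outside", "212.167.25.10", "198.51.100.7"),
    ("inside", "outside", "10.1.5.5", "198.51.100.7"),
    ("dmz", "outside", "10.2.2.5", "198.51.100.7"),
    ("inside", "dmz", "212.167.25.10", "10.2.2.5"),
    ("inside", "dmz", "10.1.5.5", "10.2.2.5"),
    ("dmz", "inside", "10.2.2.5", "212.167.25.10"),
    ("dmz", "inside", "10.2.2.5", "10.1.5.5"),
]

if __name__ == "__main__":
    for name, cfg in (("original", original_config()), ("revised", revised_config())):
        print(f"== {name} ==")
        for f in FLOWS:
            v = lookup(cfg, *f)
            print(f"{f[0]:>7} {f[2]:>15} -> {f[1]:<7} {f[3]:<15} "
                  f"{'OK' if v.allowed else 'NO'}  {v.action}")
```

Running it side by side shows why the revision matters: with the original config, LAN A hosts reach the DMZ through `nat 0`, but the 10.x inside hosts have no global on the dmz interface and are dropped, and nothing in the DMZ can initiate towards inside at all; with the identity statics, both inside ranges are published to the DMZ untranslated in both directions (still gated by the DMZ access list), while LAN A stays untranslated to the internet and everything else is PATed to the outside interface address.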
