569 Views | 0 Helpful | 4 Replies

Conditional Outbound NAT for DMZ Client

rcheesemaniii
Level 1

Looking for an example of conditionally NAT-ing a DMZ host's outbound communications to the Internet. See below.

PIX Firewall 520 Ver. 5.3(2)

Outside Subnet - Public Internet Addressing

DMZ Subnet - Private Addressing 10.175.254.0/24

Client in DMZ Segment - 10.175.254.12

Normally for all outbound communications, DMZ clients are NAT-ed to the external Public Addressing via a global pool. For Inbound communications, they are Statically NAT-ed from the public subnet to the DMZ subnet.

Goal:

To conditionally NAT this DMZ client's outbound communications to a 10.254.44.12/24 address when he communicates to a specific host on the Internet. He still needs the ability to utilize the global public address space for all other outbound communications.

4 Replies

rrbleeker
Level 1

Robert,

I cannot see that as a possible setting on the PIX. You can determine which host can set up outbound connections, but it is not possible to use different IP addresses for different traffic.

jflakker
Level 1

As far as I know the PIX is not capable of such a configuration. Besides, most internet providers will not route packets destined for addresses defined by RFC1918 (internal addresses).

ross.filipek
Level 1

This can actually be done in your perimeter router if it's a Cisco. You'd want to NAT 0 the DMZ client, but then set up a conditional static using a route-map in your perimeter router. It's a relatively new feature (introduced in 12.2(4)T). Check out http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t4/ftnatrt.htm for the details.

Policy based routing will work fine. However, there is still the issue of the source address being un-routable (it is in the 10.0.0.0 network).
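The approach ross.filipek describes, written out as an added example (this is not configuration from the thread or from Cisco's documentation). It assumes the DMZ client has been exempted from translation on the PIX with `nat (dmz) 0 10.175.254.12 255.255.255.255`, that the perimeter router runs IOS 12.2(4)T or later, and that the interface names, the PIX outside address 192.0.2.1, the router addresses 192.0.2.2 and 198.51.100.2, and the specific Internet host 203.0.113.10 are placeholders chosen for illustration. The route-map restricts the static translation to 10.254.44.12 to traffic from the client toward that one host; a separate dynamic rule handles the client's remaining outbound traffic so it still leaves with a public address.

```cisco
! Hypothetical perimeter router configuration (added example, addresses are placeholders)
interface FastEthernet0/0
 description Link to the PIX outside interface
 ip address 192.0.2.2 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description Link to the ISP
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
! Return traffic for the un-translated DMZ client must be sent back to the PIX
ip route 10.175.254.12 255.255.255.255 192.0.2.1
!
! Match only this client talking to the one specific Internet host (placeholder 203.0.113.10)
ip access-list extended DMZ-CLIENT-TO-PARTNER
 permit ip host 10.175.254.12 host 203.0.113.10
!
route-map PARTNER-NAT permit 10
 match ip address DMZ-CLIENT-TO-PARTNER
!
! Conditional static: the 10.254.44.12 translation is applied only when the route-map matches
ip nat inside source static 10.175.254.12 10.254.44.12 route-map PARTNER-NAT
!
! Everything else from the client is translated to the router's public outside address
ip access-list extended DMZ-CLIENT-OTHER
 deny   ip host 10.175.254.12 host 203.0.113.10
 permit ip host 10.175.254.12 any
!
ip nat inside source list DMZ-CLIENT-OTHER interface Serial0/0 overload
```

Two points to check before deploying something like this. First, as the other replies note, 10.254.44.12 is an RFC1918 address, so the conditional static only makes sense if the specific host is reached over a path on which that address is actually routable (a private link or tunnel), not the open Internet. Second, once the client is exempted from NAT on the PIX, `show ip nat translations` on the router should show the 10.254.44.12 entry only for sessions to the matched host; if it appears for other destinations, the route-map match is too broad.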
