12-17-2001 06:30 AM - edited 03-08-2019 09:25 PM
Looking for an example of conditionally NAT-ing a DMZ host's outbound communications to the Internet. See below.
PIX Firewall 520 Ver. 5.3(2)
Outside Subnet - Public Internet Addressing
DMZ Subnet - Private Addressing 10.175.254.0/24
Client in DMZ Segment - 10.175.254.12
Normally for all outbound communications, DMZ clients are NAT-ed to the external Public Addressing via a global pool. For Inbound communications, they are Statically NAT-ed from the public subnet to the DMZ subnet.
Goal:
To conditionally NAT this DMZ client's outbound communications to a 10.254.44.12/24 address when he communicates to a specific host on the Internet. He still needs the ability to utilize the global public address space for all other outbound communications.
12-17-2001 04:33 PM
Robert,
I cannot see that as a possible setting on the PIX. You can determine which host can set up outbound connections, but it is not possible to use different IP addresses for different traffic.
12-19-2001 10:52 PM
As far as I know the PIX is not capable of such a configuration. Besides, most internet providers will not route packets destined for addresses defined by RFC1918 (internal addresses).
12-20-2001 06:17 AM
This can actually be done in your perimeter router if it's a Cisco. You'd want to NAT 0 the DMZ client, but then setup a conditional static using a route-map in your perimeter router. It's a relatively new feature (introduced in 12.2(4)T). Check out http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t4/ftnatrt.htm for the details.
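Putting the two halves of that suggestion into config form, as an added example that is not from the thread or from Cisco's documentation: the PIX exempts only the flows from 10.175.254.12 to the one Internet host from translation (nat 0 with an access-list), so they leave the PIX still sourced from the private address, and the perimeter router then applies a route-map-conditioned static translation to 10.254.44.12 for exactly those flows. Everything else from the DMZ keeps using the global pool. The interface names, the public pool and addresses in 203.0.113.0/24 (PIX outside 203.0.113.2, router 203.0.113.1), the Internet host 192.0.2.10, and the ACL and route-map names are all assumed placeholders; substitute your own.

```cisco
! ===== PIX 520, 5.3(2) =====
! Normal outbound path: DMZ clients translate to the public pool (pool assumed).
global (outside) 1 203.0.113.10-203.0.113.20 netmask 255.255.255.0
nat (dmz) 1 10.175.254.0 255.255.255.0 0 0
! Existing inbound static for the client (public address assumed).
static (dmz,outside) 203.0.113.12 10.175.254.12 netmask 255.255.255.255 0 0
!
! Exemption: only traffic from the client to the one Internet host (192.0.2.10
! is a placeholder) is passed untranslated. nat 0 with an access-list takes
! precedence over the static and the nat/global pair, so all other outbound
! traffic from 10.175.254.12 is unaffected. Confirm your 5.3(2) image accepts
! the access-list form of nat 0 before relying on it.
access-list NONAT permit ip host 10.175.254.12 host 192.0.2.10
nat (dmz) 0 access-list NONAT

! ===== Perimeter router, IOS 12.2(4)T or later =====
interface FastEthernet0/0
 description toward PIX outside (interface and address assumed)
 ip address 203.0.113.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description toward ISP (interface assumed)
 ip nat outside
!
! Return traffic for the exempted flow arrives untranslated for 10.175.254.12,
! so the router needs a route for that host back to the PIX outside interface.
ip route 10.175.254.12 255.255.255.255 203.0.113.2
!
! Match only the client-to-special-host flow (names assumed).
ip access-list extended TO-SPECIAL-HOST
 permit ip host 10.175.254.12 host 192.0.2.10
!
route-map COND-NAT permit 10
 match ip address TO-SPECIAL-HOST
!
! Conditional static: 10.175.254.12 becomes 10.254.44.12 only when the
! route-map matches; this is the 12.2(4)T "route maps with static
! translations" feature referenced above.
ip nat inside source static 10.175.254.12 10.254.44.12 route-map COND-NAT
```

To check it, generate traffic from 10.175.254.12 to the special host and to an ordinary host: `show xlate` on the PIX should show no translation for the first flow and a pool address for the second, and `show ip nat translations` on the router should list 10.175.254.12 to 10.254.44.12 only for the first. The caveat raised elsewhere in this thread still applies: 10.254.44.12 is an RFC 1918 address, so the ISP will not carry it, and this only makes sense where the path to that one host (a private link or tunnel, for instance) accepts such a source.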
12-21-2001 07:48 AM
Policy based routing will work fine. However, there is still the issue of the source address being unroutable (it is in the 10.0.0.0 network).