Currently we have a PIX 515 6.2(2) that has the three interfaces, inside, outside, dmz1. Private addresses are used on both the inside and dmz1 networks while the outside has public addresses. Static NAT is used to make our servers on the inside/dmz1 visible on the outside.
global (outside) 1 1xx.x.x.69-1xx.x.x.71
global (outside) 1 1xx.x.x.72
nat (inside) 0 access-list vpntunnel_nonat
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (dmz) 0 access-list dmz1_nonat
nat (dmz) 1 172.23.67.0 255.255.255.0 0 0
We have recently purchased a PIX 515E 6.2(2) that has 6 interfaces, though we're only using four; we needed a second dmz. The new dmz runs at a higher security level. The dmz has a block of public addresses; what method would you use to make them accessible from the outside? Presumably you'd disable NAT. We've got the one global pool that is used to access the outside from the inside network; is it possible to use them when accessing dmz2 from the inside? And for accessing dmz1 from dmz2, is it simply a case of adding more static NATs?
One last question, what is the preferred method for accessing the dmz1 from the inside when www.mycompany.com resolves to a public IP address?
This will take every private address and map it to an equivalent public address. (ex. 192.168.1.1 -> 2xx.x.x.1, 192.168.1.52 -> 2xx.x.x.52) Just be sure the masks match.
Then you would just make the appropriate ACLs or conduit's to permit access from the outside to the new DMZ and if necessary from old DMZ to the new one.
You don't need to NAT to public addresses when accessing any of your dmz if you don't want to. In my case, internal hosts access the dmz via their private IP because if they were to be NATed to go to the DMZ, they grab another address from our NAT pool, so you have 1 host using 1 IP for the Internet and a different one for the DMZ. I try to keep 1-to-1 NAT but then I do have a PAT address at the end for when all NAT addresses are exhausted. Plus we use VLANs internally and it makes it easier for reading logs because we know what VLAN's traffic came from. That's done simply by a:
To get from dmz1 to dmz2 (since dmz2 has higher security, you need a static nat and conduit/acl)
For your last question, I don't have something like that set up, but since you're NATing to your public pool to get to your dmz1 anyway, then the fact that it's a public IP shouldn't matter. You should go out as one of your publics to your statically mapped dmz1 addresses and it should work fine. I think.... :)
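A worked PIX 6.x configuration for the layout discussed above, added here as an illustration rather than either poster's config. The interface names dmz1/dmz2, the 203.0.113.0/26 block standing in for the real public dmz2 range, and the web host 203.0.113.10 are assumed placeholders; the 10.0.0.0/8 and 172.23.67.0/24 ranges come from the question.

```cisco
! Added example, not from the original thread. 203.0.113.0/26 and
! 203.0.113.10 are placeholders for the real public dmz2 addresses.

! 1. dmz2 already carries public addresses, so identity-map the block:
!    the PIX still needs a translation slot, but the address is unchanged.
static (dmz2,outside) 203.0.113.0 203.0.113.0 netmask 255.255.255.192 0 0

! 2. Lower-to-higher security (outside -> dmz2) is denied by default;
!    open only the services the outside must reach.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-group outside_in in interface outside

! 3. dmz1 -> dmz2 is also lower-to-higher: same pattern, a static plus an
!    ACL applied inbound on dmz1.
static (dmz2,dmz1) 203.0.113.0 203.0.113.0 netmask 255.255.255.192 0 0

! 4. inside -> dmz1 / dmz2 with the private source address preserved
!    (the approach the answer describes). A static takes precedence over
!    "nat (inside) 1", so these flows no longer consume global pool addresses
!    and logs show the real 10.x host.
static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (inside,dmz2) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

! Caveat: the identity statics above are bidirectional, so once an ACL is
! bound to dmz1 it must explicitly deny dmz1 -> inside and anything in dmz2
! beyond what is wanted, and must still permit dmz1 -> outside, because
! binding the ACL replaces the interface's implicit outbound permit.
access-list dmz1_in permit tcp 172.23.67.0 255.255.255.0 host 203.0.113.10 eq www
access-list dmz1_in deny ip 172.23.67.0 255.255.255.0 203.0.113.0 255.255.255.192
access-list dmz1_in deny ip 172.23.67.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list dmz1_in permit ip 172.23.67.0 255.255.255.0 any
access-group dmz1_in in interface dmz1
```

After applying, `show xlate` should list 10.x addresses translated to themselves for inside-to-dmz flows rather than addresses from the outside global pool.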