DMZ to DMZ traffic with NAT exemption

cristip
Level 1

Hi all

I have the following configuration: PIX firewall 7.0 with 4 interfaces (Inside, Outside, DMZ1, DMZ2)

Inside private addresses 10.0.0.0/24 (security 100)

Outside public addresses 101.1.1.0/24 (security 0)

Remote branch 10.10.10.0/24

DMZ1 private addresses 10.1.0.0/24 (security 50)

DMZ2 private addresses 10.2.0.0/24 (security 90)

What I need is this:

inside to outside PAT on the external IP

DMZ1 to outside PAT and some statics (I need to publish, let's say, SVR1 and SVR2 to the outside world)

DMZ1 to DMZ2 no NAT at all, bidirectional traffic

DMZ1 and DMZ2 to the remote LAN (branch) encrypted.

Here is what I implemented:

nat-control

global (outside) 1 interface

! access to the Internet

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz1) 1 0.0.0.0 0.0.0.0

nat (dmz2) 1 0.0.0.0 0.0.0.0

! nonat for VPN

nat (inside) 0 access-list nonat

! nonat for DMZ1 to DMZ2 and VPN (DMZ1 to Remote LAN)

nat (dmz1) 0 access-list nonat

! nonat for VPN (DMZ2 to Remote LAN)

nat (dmz2) 0 access-list nonat

! servers published on the OUTSIDE interface - corresponding access list not included

static (dmz1,outside) PublicIP1 SVR1 netmask 255.255.255.255

static (dmz1,outside) PublicIP2 SVR2 netmask 255.255.255.255

access-list nonat remark =====Encrypts traffic L2L VPN to an external branch=====

access-list nonat permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list nonat remark =====Encrypts traffic DMZ(1) to RemoteLAN VPN to an external branch=====

access-list nonat permit ip 10.1.0.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list nonat remark =====Encrypts traffic DMZ(2) to RemoteLAN VPN to an external branch=====

access-list nonat permit ip 10.2.0.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list nonat remark =====NAT Exemption DMZ1 to DMZ2 =====

access-list nonat permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0

My problem is that the configuration is not working when it comes to DMZ1 to DMZ2 access.

Everything else is working.

When I try to ping something in DMZ1 from DMZ2, I get a connection denied.

What am I doing wrong?

Thank you

Cristian

1 Reply

victorrodrigues
Level 1

Hi Cristian,

I think you need to focus on these lines:

nat (dmz1) 0 access-list nonat

access-list no-nat

From where and to where are you trying to ping? Your no-nat access-list will define what kind of traffic will be allowed to traverse dmz1-dmz2 without NAT.

Also, the traffic across the DMZs is on different subnets, right? So I hope you have some routing enabled, since they are now not being NATed.

With that in mind, the hosts on either side of the DMZs should have their respective gateways set to the PIX interfaces.

That being said, the best ways to troubleshoot are traceroute and watching the logs when you ping. Post the output of the log if you wish, and the traceroute info.

Vic
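Added example, not part of either post above: the NAT-exemption rules from the original post rewritten so that each `nat (interface) 0 access-list` is fed an ACL whose source addresses are the ones actually behind that interface. The single shared ACL in the original only carries the DMZ1-to-DMZ2 ACE in the 10.1.0.0 -> 10.2.0.0 direction, so a packet sourced from 10.2.0.0/24 on dmz2 matches no exemption and, under `nat-control`, falls through to `nat (dmz2) 1`, which has no matching `global` on dmz1. Interface names, networks and the security levels are taken from the thread; the split ACL names, the `dmz1_in` ACE and the `inspect icmp` lines are assumptions added here.

```cisco
! Added example: one exemption ACL per interface, written from that
! interface's point of view (source = the network behind the interface).

access-list nonat-inside remark ===== L2L VPN: inside to branch =====
access-list nonat-inside permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list nonat-dmz1 remark ===== L2L VPN: DMZ1 to branch =====
access-list nonat-dmz1 permit ip 10.1.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat-dmz1 remark ===== NAT exemption: DMZ1 to DMZ2 =====
access-list nonat-dmz1 permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0

access-list nonat-dmz2 remark ===== L2L VPN: DMZ2 to branch =====
access-list nonat-dmz2 permit ip 10.2.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat-dmz2 remark ===== NAT exemption: DMZ2 to DMZ1 (the direction the original ACL lacks) =====
access-list nonat-dmz2 permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0

! Exemption is evaluated before the id-1 PAT rules, so these must exist
! alongside the existing "nat (interface) 1 0.0.0.0 0.0.0.0" lines.
nat (inside) 0 access-list nonat-inside
nat (dmz1) 0 access-list nonat-dmz1
nat (dmz2) 0 access-list nonat-dmz2

! DMZ1 (security 50) can only initiate towards DMZ2 (security 90) if an
! inbound ACL on dmz1 permits it. Assumed ACE; add it to whatever ACL is
! already bound to dmz1 with "access-group ... in interface dmz1" rather
! than binding a new one-line ACL, which would drop all other DMZ1 traffic.
access-list dmz1_in permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0

! If ping is the test: without ICMP inspection the echo-reply coming back
! from the lower-security interface is not matched to the outbound echo.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Two checks tell the two failure modes apart when the ping from DMZ2 still fails: `show nat` and `show xlate` confirm which rule the dmz2 -> dmz1 flow hits, and a syslog `%PIX-3-305005: No translation group found` for that flow means the exemption is still not matching, whereas a `%PIX-4-106023: Deny ... by access-group` points at an interface ACL rather than NAT.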
