Help with understanding config

dan_track
Level 1

Hi

I've inherited a firewall and I can see the following inside it. What I don't understand is why there are static maps in the config if the DMZ is not using NAT. Could someone please explain this to me? The config is listed below.

global (outside) 1 xxx.xxx.17.3
global (dmz) 1 xxx.xxx.17.19
nat (inside) 0 access-list 124
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 xxx.xxx.17.16 255.255.255.240 0 0
static (dmz,outside) tcp xxx.xxx.17.20 www xxx.xxx.17.20 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.17.21 www xxx.xxx.17.21 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.17.22 www xxx.xxx.17.22 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.17.23 www xxx.xxx.17.23 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.17.24 www xxx.xxx.17.24 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.17.23 https xxx.xxx.17.23 https netmask 255.255.255.255 0 0
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (dmz,outside) xxx.xxx.17.25 xxx.xxx.17.25 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.17.26 xxx.xxx.17.26 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.17.28 xxx.xxx.17.28 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.17.30 xxx.xxx.17.30 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.17.27 xxx.xxx.17.27 netmask 255.255.255.255 0 0

Thanks in advance

Dan

5 Replies

aashish.c
Level 4

hi dan,

As per the config, only "xxx.xxx.17.16" is not getting NATed, as it is NAT 0. It doesn't mean that the whole DMZ is not getting NATed.

But the other DMZ hosts are statically mapped to outside IP addresses to go out of the PIX.

hope this explains.

regards

aashish C

Hi

Thanks for the reply.

Just to elaborate on my question: what advantage is there to statically mapping the IP addresses to the same IP address? What would happen if I removed those mappings?

Thanks again

Dan

In fact the instruction below:

nat (dmz) 0 xxx.xxx.17.16 255.255.255.240 0 0

which covers any host xxx.xxx.17.17 - .30, already covers all the instructions below, and they can be removed:

static (dmz,outside) tcp xxx.xxx.17.20 www xxx.xxx.17.20 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.17.21 www xxx.xxx.17.21 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.17.22 www xxx.xxx.17.22 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.17.23 www xxx.xxx.17.23 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.17.24 www xxx.xxx.17.24 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.17.23 https xxx.xxx.17.23 https netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.17.25 xxx.xxx.17.25 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.17.26 xxx.xxx.17.26 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.17.28 xxx.xxx.17.28 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.17.30 xxx.xxx.17.30 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.17.27 xxx.xxx.17.27 netmask 255.255.255.255 0 0

In regards to your question: I have seen this way to configure "nat", which tries to make a host located on a higher security zone (dmz) reachable to a host on a lower security zone (outside). The best way to do it is using nat 0 in combination with an access-list, i.e.

nat (lower security zone) 0 access-list outbound-no-nat

access-list outbound-no-nat permit ip any

Please rate it if you find it helps

I missed something in my previous post.

In regards to your question: I have seen this way to configure "nat", which tries to make a host located on a higher security zone (dmz) reachable to a host on a lower security zone (outside) USING ITS REAL IP ADDRESS. The best way to do it is using nat 0 in combination with an access-list, i.e.

Well, as per my understanding, this is the communication pattern between the DMZ (higher security level) and outside (lowest security level). First of all, let me tell you that the PIX needs a NAT rule for an Xlate to get created; if you do not want to NAT an IP address, you use a trick to NAT the IP to itself, as is happening in the "static" command.

Secondly, if you use nat (DMZ to outside), you can only initiate a session from the DMZ, not from outside.

Here the STATIC command comes with the facility to make a permanent Xlate, like here from (DMZ to outside), that could be accessed from outside (if a permit ACL is available on the outside interface).

I think this can help you understand:

* why translate to the same IP

* why use multiple STATIC statements instead of a single NAT statement
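To make the difference between the identity "nat 0", an identity "static" and "nat 0 access-list" concrete, here is a small Python model of the PIX 6.x translation decision, written for this thread (it is not Cisco code and nothing from the original posts). It assumes: statics are matched before nat/global rules, identity nat 0 and dynamic nat build an xlate only for sessions started on the higher-security side, a static's xlate is permanent so the lower-security side may start sessions (subject to the interface ACL), and the access-list behind a "nat 0 access-list" is assumed to permit everything. The sample lines are three of the DMZ rules above with the documentation range 203.0.113.x standing in for xxx.xxx.17.x.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    kind: str                        # static | identity_nat0 | exempt_nat0 | dynamic_nat
    real_net: ipaddress.IPv4Network  # real (untranslated) addresses the rule covers
    real_ifc: str                    # higher-security interface holding the real addresses
    mapped_ifc: str                  # lower-security interface ("*" for nat rules: any global)
    port: str = ""                   # port-restricted static, "" when any port

def parse(line):
    """Parse one PIX 6.x 'static' or 'nat' line into a Rule (None for other lines)."""
    t = line.split()
    if t[0] == "static":  # static (real,mapped) [proto] mapped [port] real [port] netmask M
        real_ifc, mapped_ifc = t[1].strip("()").split(",")
        real, port, mask = (t[5], t[6], t[8]) if t[2] in ("tcp", "udp") else (t[3], "", t[5])
        return Rule("static", ipaddress.ip_network(f"{real}/{mask}"), real_ifc, mapped_ifc, port)
    if t[0] == "nat":     # nat (ifc) id real mask  |  nat (ifc) 0 access-list NAME
        ifc = t[1].strip("()")
        if t[2] == "0" and t[3] == "access-list":  # exemption; ACL body assumed to permit all
            return Rule("exempt_nat0", ipaddress.ip_network("0.0.0.0/0"), ifc, "*")
        kind = "identity_nat0" if t[2] == "0" else "dynamic_nat"
        return Rule(kind, ipaddress.ip_network(f"{t[3]}/{t[4]}"), ifc, "*")
    return None

def lookup(rules, real_ip, real_ifc, mapped_ifc, from_mapped, port=""):
    """Return (xlate_ok, reason) for real_ip talking between real_ifc and mapped_ifc."""
    ip = ipaddress.ip_address(real_ip)
    for r in rules:   # statics win over nat/global rules
        if r.kind == "static" and (r.real_ifc, r.mapped_ifc) == (real_ifc, mapped_ifc) \
                and ip in r.real_net and r.port in ("", port):
            return True, "static: permanent xlate; outside can initiate if the interface ACL permits"
    for r in rules:
        if r.kind == "static" or r.real_ifc != real_ifc or ip not in r.real_net:
            continue
        if r.kind == "exempt_nat0":
            return True, "nat 0 access-list: exempt from NAT in both directions"
        if from_mapped:   # identity nat 0 and dynamic nat build xlates only for outbound sessions
            return False, f"{r.kind}: no xlate for a session started from {mapped_ifc}"
        return True, f"{r.kind}: xlate built when the {real_ifc} host starts the session"
    return False, "no translation rule for this host; the PIX drops the flow"

# Constructed sample: three of the thread's DMZ lines, 203.0.113.x standing in for xxx.xxx.17.x
DMZ_CONFIG = [
    "nat (dmz) 0 203.0.113.16 255.255.255.240 0 0",
    "static (dmz,outside) tcp 203.0.113.20 www 203.0.113.20 www netmask 255.255.255.255 0 0",
    "static (dmz,outside) 203.0.113.25 203.0.113.25 netmask 255.255.255.255 0 0",
]
DMZ_RULES = [r for r in map(parse, DMZ_CONFIG) if r]
```

Running `lookup(DMZ_RULES, "203.0.113.29", "dmz", "outside", True)` shows why removing the statics matters: .29 is covered by the identity nat 0 but has no static, so an outside-started session gets no xlate, while the same host starting the session from the DMZ does.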