I have 3 interfaces in a PIX 515: outside, inside and a DMZ. I want to disable NAT in the DMZ so that I can set up a DNS server in the DMZ and users on the outside and inside can "see" this server with its original IP address. On my outside interface I have a subnetted network (x.x.x.0/26) and on my DMZ interface I have a subnetted network (x.x.x.128/28).
I want NAT on my inside and no NAT on my DMZ. How can I do this?
Build a static to itself for the whole subnet.
i.e. if the inside is 10.1.1.0 255.255.255.0, then build the following:
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
Assume your DNS IP is 188.8.131.52 255.255.255.240
nat (dmz) 0 184.108.40.206 255.255.255.255
The PIX will display a message:
nat 0 220.127.116.11 will be non-translated.
nat (dmz) 0 0 0 will NOT translate any address in the DMZ.
Tell me if I'm wrong, but I think you cannot NAT from a lower security level network to a higher security level network (DMZ to inside). But you can do the opposite (inside to DMZ), and it's exactly what you need to let inside users access the DNS directly.
access-list nonat permit ip 0.0.0.0 0.0.0.0 x.x.x.128 255.255.255.240
nat (inside) 0 access-list nonat
x.x.x.128 is the subnet address for your DMZ.
For outside users to access your DNS in the DMZ with a public IP address, you should use this public IP address within the DMZ. This means x.x.x.128/28 is a public address subnet instead of a private one. But even if you use public IP addresses in the DMZ, you should implement a static and an access-list to let traffic pass from outside to the DMZ.
static (dmz,outside) x.x.x.129 x.x.x.129 netmask 255.255.255.255
access-list outsideinterface permit udp any host x.x.x.129 eq domain
access-group outsideinterface in interface outside
Hope this helps you.
It is the exact answer I was looking for! Especially the part about the access from the inside to the DMZ interface.
The command nat (dmz) 0 x.x.x.128 255.255.255.240 will disable NAT on that interface. The inside users will have no problem hitting the DNS, but a conduit statement needs to be in place for outside since the security level will be from lower to higher.
You should be able to set a static on the outside interface for the DMZ address of the DNS Server.
e.g. static (dmz,outside) x.x.x.130 x.x.x.130 netmask 255.255.255.255 0 0
Set the conduits up as you would for any static. The PIX will route the x.x.x.128/28 traffic through to the DMZ. You'll need a global for the inside on the DMZ interface so inside users can talk to the DNS server. I've had to do this for other servers, including a SQL Server and an Oracle Enterprise Manager server that couldn't use NAT'ed IPs.
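Pulling the two answers above (identity NAT on the DMZ plus a static for the inside, and a static plus access-list for the outside) into one consolidated PIX 6.x configuration, as an added example that is not from any post in this thread. Assumed values: inside is 10.1.1.0/24, the DMZ is the public x.x.x.128/28, the DNS server is x.x.x.130 and x.x.x.2 is a spare outside address for PAT.

```cisco
! Added example, not taken from the thread. Assumed: inside 10.1.1.0/24,
! DMZ x.x.x.128/28 (public), DNS server x.x.x.130, PAT address x.x.x.2.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
!
! Inside users are still translated (PAT) when they go to the outside.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 x.x.x.2 netmask 255.255.255.192
!
! Identity NAT on the DMZ: DMZ hosts keep their own public addresses.
! The PIX will confirm with "nat 0 x.x.x.128 will be non-translated".
nat (dmz) 0 x.x.x.128 255.255.255.240
!
! Inside -> DMZ without translation, so the DNS server (and its logs)
! see the real 10.1.1.x client. Higher -> lower security needs no ACL.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
!
! Outside -> DMZ is lower -> higher security: a static AND an explicit
! permit are both required. Only DNS is opened; tcp/53 is for zone
! transfers and large replies, drop it if the server does not need it.
static (dmz,outside) x.x.x.130 x.x.x.130 netmask 255.255.255.255 0 0
access-list outside_in permit udp any host x.x.x.130 eq domain
access-list outside_in permit tcp any host x.x.x.130 eq domain
access-group outside_in in interface outside
!
! Verification after applying:
!   show nat / show static   - rules are present as typed above
!   show xlate               - DMZ entries show global == local (identity)
!   show access-list         - hit counts on outside_in rise when an
!                              outside resolver queries x.x.x.130
```

The static statements win over the nat/global pair, so inside-to-DMZ traffic is never PAT'ed even though nat (inside) 1 matches every inside host.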
I have the same case. I have problems with resolution. The DNS resolves packets to the outside but not to the inside. WHY? I hope the DNS sends inside users public IP resolutions (with ALIAS, no problem for that), but it is not working. I can find the DNS server. With an IP scanner (inside) I see all services (DNS, Names, WWW, FTP).
global (outside) 1 x.x.x.31-x.x.x.91 netmask 255.255.255.128
global (outside) 1 x.x.x.92 netmask 255.255.255.128
global (dmz) 1 192.168.1.31-192.168.1.91 netmask 255.255.255.0
global (dmz) 1 192.168.1.92 netmask 255.255.255.0
nat (inside) 1 0 0
Is it a DNS server software problem?