Cisco Support Community
New Member

How can I DISABLE NAT ONLY in a dmz interface??

I have 3 interfaces in a PIX 515: outside, inside and a dmz. I want to disable NAT in the dmz so that I can set up a DNS server in the dmz and users on the outside and inside can "see" this server with its original IP address. On my outside interface I have a subnetted network (x.x.x.0/26) and on my dmz interface I have a subnetted network (x.x.x.128/28).

I want NAT in my inside and no NAT in my dmz, how can I do this?

Thanks

9 REPLIES
New Member

Re: How can I DISABLE NAT ONLY in a dmz interface??

Build a static to itself for the whole subnet.

i.e. If the inside is 10.1.1.0 255.255.255.0, then build the following:

static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

New Member

Re: How can I DISABLE NAT ONLY in a dmz interface??

Hi,

Assume your DNS IP is 1.1.1.129 255.255.255.240

nat (dmz) 0 1.1.1.129 255.255.255.255

PIX will display a message:

nat 0 1.1.1.129 will be non-translated.

nat (dmz) 0 0 0 will NOT translate any address in the DMZ.

:-)

New Member

Re: How can I DISABLE NAT ONLY in a dmz interface??

Tell me if I'm wrong, but I think you cannot NAT from a lower security level network to a higher security level network (DMZ to Inside). But you can do the opposite (Inside to DMZ), and it's exactly what you need to let inside users access the DNS directly.

Configure:

access-list nonat permit ip any x.x.x.128 255.255.255.240

nat (inside) 0 access-list nonat

x.x.x.128 is the subnet address for your DMZ.

For outside users to access your DNS in the DMZ with a public IP address, you should use this public IP address within the DMZ. This means x.x.x.128/28 is a public address subnet instead of a private one. But even if you use a public IP address in the DMZ, you should implement a static & access-list to let traffic pass from outside to the DMZ.

For instance:

static (dmz,outside) x.x.x.129 x.x.x.129 netmask 255.255.255.255

access-list outsideinterface permit udp any host x.x.x.129 eq domain

access-group outsideinterface in interface outside

Hope this helps you.

Ben

New Member

Re: How can I DISABLE NAT ONLY in a dmz interface??

Thank You,

It is the exact answer I was looking for! Especially the part about the access from the inside to the DMZ interface.

bye

:)

swb
New Member

Re: How can I DISABLE NAT ONLY in a dmz interface??

Still, if you want to use the same address from inside and outside, you need the alias command.

New Member

Re: How can I DISABLE NAT ONLY in a dmz interface??

The command nat (dmz) 0 x.x.x.128 255.255.255.240 will disable NAT on that interface. The inside users will have no problem hitting the DNS, but a conduit statement needs to be in place for the outside, since the security level will be from lower to higher.

New Member

Re: How can I DISABLE NAT ONLY in a dmz interface??

You should be able to set a static on the outside interface for the DMZ address of the DNS Server.

e.g. static (dmz,outside) x.x.x.130 x.x.x.130 netmask 255.255.255.255 0 0

Set the conduits up as you would for any static. The PIX will route the x.x.x.128/28 traffic through to the DMZ. You'll need a global for the inside on the DMZ interface so inside users can talk to the DNS server. I've had to do this for other servers, including a SQL Server and an Oracle Enterprise Manager server that couldn't use NAT'ed IPs.
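As an added example, not taken from any poster in this thread, the pieces suggested in the replies above combined into one PIX 6.x-style configuration: the DMZ subnet x.x.x.128/28 and the DNS server x.x.x.129 come from the question; the outside global address x.x.x.62 and the use of interface PAT toward the DMZ are assumptions.

```cisco
! Added example, not from the thread. Interfaces are assumed to be named
! outside (security 0), dmz (security 50) and inside (security 100).

! DMZ hosts keep their real addresses on every interface (nat 0 = no translation).
nat (dmz) 0 x.x.x.128 255.255.255.240

! Inside hosts stay translated: toward the outside through a global pool ...
nat (inside) 1 0 0
global (outside) 1 x.x.x.62 netmask 255.255.255.192
! ... and toward the DMZ, where the PIX still needs some translation entry
! for an inside->dmz flow. PAT on the dmz interface address (assumed) covers it.
global (dmz) 1 interface

! Outside -> DMZ is lower-to-higher security, so it needs an identity static
! plus an access-list that permits only DNS to the server.
static (dmz,outside) x.x.x.129 x.x.x.129 netmask 255.255.255.255 0 0
access-list outside_in permit udp any host x.x.x.129 eq domain
access-list outside_in permit tcp any host x.x.x.129 eq domain
access-group outside_in in interface outside
```

With this in place the server answers from x.x.x.129 on all three interfaces, so its zone data can carry that address for both inside and outside clients without the alias command.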

New Member

Re: How can I DISABLE NAT ONLY in a dmz interface??

Thank you!

It was exactly the same case....

I solved the problem using the global command for the DMZ interface.

bye

New Member

Re: How can I DISABLE NAT ONLY in a dmz interface??

I have the same case. I have problems with resolutions. DNS resolves packets to the outside but not to the inside. WHY? I hope the DNS sends public IP resolutions to the inside users (with ALIAS, no problem for that), but it is not working. I can find the DNS Server. With an IP scanner (inside) I see all services (DNS, Names, WWW, FTP).

My config:

global (outside) 1 x.x.x.31-x.x.x.91 /25

global (outside) 1 x.x.x.92 /25

global (dmz) 1 192.168.1.31-192.168.1.91 /24

global (dmz) 1 192.168.1.92 /24

nat (inside) 1 0 0

Is it a DNS Server software problem?
