How can I DISABLE NAT ONLY in a dmz interface??

iscoro
Level 1

I have 3 interfaces in a PIX 515: outside, inside and a dmz. I want to disable NAT in the dmz so that I can set up a DNS server in the dmz and users in the outside and inside can "see" this server with its original IP address. In my outside interface I have a subnetted network (x.x.x.0/26) and in my dmz interface I have a subnetted network (x.x.x.128/28).

I want NAT in my inside and no NAT in my dmz, how can I do this?

Thanks

9 Replies

HEATH FREEL
Level 1

Build a static to itself for the whole subnet.

i.e. if the inside is 10.1.1.0 255.255.255.0, then build the following:

static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

cshanmugam
Level 1

Hi,

Assume your DNS IP is 1.1.1.129 255.255.255.240

nat (dmz) 0 1.1.1.129 255.255.255.255

PIX will display a message

nat 0 1.1.1.129 will be non-translated.

nat (dmz) 0 0 0 will NOT translate any address in the DMZ.

:-)

bdube
Level 2

Tell me if I'm wrong, but I think you cannot NAT from a lower security level network to a higher security level network (DMZ to Inside). But you can do the opposite (Inside to DMZ), and it's exactly what you need to let inside users access the DNS directly.

Configure:

access-list nonat permit ip any x.x.x.128 255.255.255.240

nat (inside) 0 access-list nonat

x.x.x.128 is the subnet address for your DMZ.

For outside users to access your DNS in the DMZ with a public IP address, you should use this public IP address within the DMZ. This means x.x.x.128/28 is a public address subnet instead of a private one. But even if you use public IP addresses in the DMZ, you should implement a static and an access-list to let traffic pass from outside to the DMZ.

For instance:

static (dmz,outside) x.x.x.129 x.x.x.129 netmask 255.255.255.255

access-list outsideinterface permit udp any host x.x.x.129 eq domain

access-group outsideinterface in interface outside

Hope this helps you.

Ben

Thank You,

It is the exact answer I was looking for! Especially the part about the access from the inside to the DMZ interface.

bye

:)

Still, if you like to use the same address from inside and outside, you need the alias command.

c.appe
Level 1

The command nat (dmz) 0 x.x.x.128 255.255.255.240 will disable NAT on that interface. The inside users will have no problem hitting the DNS, but a conduit statement needs to be in place for outside, since the traffic will be from a lower security level to a higher one.

jhllewellyn
Level 1

You should be able to set a static on the outside interface for the DMZ address of the DNS Server.

e.g. static (dmz,outside) x.x.x.130 x.x.x.130 netmask 255.255.255.255 0 0

Set the conduits up as you would for any static. The PIX will route the x.x.x.128/28 traffic through to the DMZ. You'll need a global for the inside on the DMZ interface so inside users can talk to the DNS server. I've had to do this for other servers, including a SQL Server and an Oracle Enterprise Manager server that couldn't use NATed IPs.
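As an added example (not posted by anyone in this thread), here is a PIX 6.x configuration that puts the pieces from the replies above together: the "static to itself" from HEATH FREEL's reply for inside-to-DMZ traffic, identity NAT (nat 0) on the DMZ as cshanmugam and c.appe describe, and the static plus access-list from bdube's reply in place of the conduits jhllewellyn mentions. Interface names, security levels and all addresses are constructed placeholders (RFC 5737 documentation space for the public ranges, 10.1.1.0/24 for the inside); substitute the real x.x.x.0/26 and x.x.x.128/28 blocks. Comment lines begin with ":" as in a saved PIX 6 configuration.

```cisco
: Added example, not from the thread. Addresses are constructed placeholders.
: outside = x.x.x.0/26 of the question, dmz = x.x.x.128/28, inside = 10.1.1.0/24
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.1 255.255.255.192
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 203.0.113.129 255.255.255.240

: Inside hosts are PAT'ed only when they leave towards the outside
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 203.0.113.10 netmask 255.255.255.192

: ... but keep their real addresses towards the DMZ ("static to itself")
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

: DMZ subnet is never translated on any interface (identity NAT)
nat (dmz) 0 203.0.113.128 255.255.255.240

: DNS server (203.0.113.130) keeps its own address towards the outside
static (dmz,outside) 203.0.113.130 203.0.113.130 netmask 255.255.255.255 0 0

: Lower-to-higher traffic (outside -> dmz) needs an explicit permit;
: allow only DNS over UDP and TCP 53, then bind the list to the outside interface
access-list outside_in permit udp any host 203.0.113.130 eq domain
access-list outside_in permit tcp any host 203.0.113.130 eq domain
access-group outside_in in interface outside
```

With this in place, inside users reach the server at its real DMZ address (no alias needed, because the name resolves to the same address on both sides), outside users reach the same address through the static, and nothing but port 53 is exposed from the outside. The "global (dmz)" approach from jhllewellyn's reply works equally well for the inside-to-DMZ leg; it just makes inside clients appear to the DNS server with pool addresses instead of their own.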

Thank you!

It was exactly the same case....

I solved the problem using the global command for the DMZ interface.

bye

I have the same case. I have problems with resolution. DNS resolves packets to the outside but not to the inside. WHY? I hoped the DNS would send public IP resolutions to the inside users (with ALIAS, no problem for that), but it is not working. I can find the DNS server. With an IP scanner (inside) I see all services (DNS, Names, WWW, FTP).

My config:

global (outside) 1 x.x.x.31-x.x.x.91 /25

global (outside) 1 x.x.x.92 /25

global (dmz) 1 192.168.1.31-192.168.1.91 /24

global (dmz) 1 192.168.1.92 /24

nat (inside) 1 0 0

Is it a DNS server software problem?
