484 Views, 4 Helpful, 10 Replies

nat issue

cfajardo1_2
Level 1

I have a firewall with 2 DMZs, making 4 interfaces in total. The requirement is that NAT 0 must be implemented from any higher security level to lower security level interfaces, except the OUTSIDE interface, where it should be NATed.

INSIDE TO DMZ1----NAT 0

INSIDE TO DMZ2----NAT 0

DMZ1 TO DMZ2 -----NAT 0

INSIDE/DMZ1/DMZ2 TO OUTSIDE----NAT 1

Note that I need to do access-lists in all directions.

How could I achieve this?

Thanks a lot.

10 Replies

nkhawaja
Cisco Employee

You have to do NAT 0 with an ACL. A simple NAT 0 will result in NAT 0 being implemented in all directions.

You can have NAT 0 along with NAT/Global or Static statements from inside/outside; since NAT/Global and Static are preferred over NAT 0, it can work out, but it is better to use NAT 0 with an ACL.

In the ACL you have to define your source and destination IP addresses.

e.g. the source IP is inside and the destination IP is DMZ1 or DMZ2.

Thanks

Nadeem

I've done something like this:

access-list xxx permit ip IP_inside IP_dmz1

access-list xxx permit ip IP_inside IP_dmz2

access-list xxx permit ip IP_dmz1 IP_dmz2

access-group in interface inside

nat (inside) 0 access-list xxx

My problem now is how to add another access-list, say from inside to outside (which is the internet), which has to have an address translation (not a NAT 0).

First, I hope you are not using the same access-list xxx in this statement:

access-group in interface inside, right?

Second: you don't need to specify another access-list for inside to outside; all you need is to define your static translation or nat/global.

e.g.

static (inside,outside) publicIP privateIP

or

nat (inside) 1 0 0

global (outside) 1 publicIP or global (outside) 1 interface

Thanks

Nadeem

I've already done your suggestion below:

nat (inside) 1 0 0

global (outside) 1 publicIP or global (outside) 1 interface

but still no communication to public. Isn't it that I need to have an access-list on the inside allowing the inside network to go public, since there is already an existing access-list permitting them to go only to the DMZ?

I guess the issue could be resolved in a much more efficient way if you post the entire config with the public IP masked.

Please see attached...

Just take out this command:

access-group inside2dmzuser2dmzexch in interface inside

It should be fine.

Thanks

You mean it's not necessary to have an access-group for an access-list, and to use it with the nat command only?

I'll try that.

No, it is not necessary for the inside interface.

So the reason you have to have NAT 0 with an ACL is that you want to do NAT 0 from inside/dmz1 and inside/dmz2, but not from inside/outside.

ACLs are primarily used for restricting traffic. E.g. for dmz1 to inside communication you have to have an ACL (this ACL is to be different from the ACL you are using in NAT 0).

You can also use static (inside,dmz1) and static (inside,dmz2); that will serve the same purpose as NAT 0 with an ACL.

ACLs are needed to allow traffic from a lower security level to a higher security level.

e.g. from outside to inside,

or from dmz1 to inside.

But from dmz1 to outside no ACL is needed;

same for inside to dmz2 or inside to dmz1.

Thanks

Thanks a lot for that. My internet is now working after I removed the access-group bound to my inside interface.

But now, how can I restrict traffic bound for the internet? I simply want something like: if the traffic is HTTP or POP3 and the destination does not belong to any of the PIX subnets, then take me out to the outside.
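A worked configuration, added here as an example and not taken from the thread or the attached config, that puts the pieces of this discussion together in PIX 6.x / pre-8.3 ASA syntax: NAT 0 with an ACL between the internal interfaces, nat/global towards the outside, and a separate outbound ACL on inside that lets only HTTP and POP3 reach non-local destinations. The interface names, ACL names and subnets are constructed placeholders; the "!" lines are comments for the reader.

```cisco
! Constructed example addressing (not from the thread):
!   inside 10.1.0.0/16, dmz1 10.2.0.0/16, dmz2 10.3.0.0/16

! 1. Identity NAT only for traffic between the internal segments.
!    "nat 0 access-list" is evaluated before nat/global, so these
!    flows stay untranslated even though nat 1 below would match them.
access-list NONAT_INSIDE permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list NONAT_INSIDE permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
nat (inside) 0 access-list NONAT_INSIDE

! dmz1 to dmz2 is exempted on the dmz1 interface, not on inside.
access-list NONAT_DMZ1 permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0
nat (dmz1) 0 access-list NONAT_DMZ1

! 2. Everything else leaving the three internal interfaces towards
!    the outside is PATed to the outside interface address.
nat (inside) 1 0 0
nat (dmz1) 1 0 0
nat (dmz2) 1 0 0
global (outside) 1 interface

! 3. Outbound filter on inside, kept separate from the NAT 0 ACL.
!    First-match order: internal destinations are permitted in full,
!    any other destination only for HTTP and POP3, and the final
!    deny drops every other internet-bound flow.
access-list INSIDE_OUT permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list INSIDE_OUT permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list INSIDE_OUT permit tcp 10.1.0.0 255.255.0.0 any eq www
access-list INSIDE_OUT permit tcp 10.1.0.0 255.255.0.0 any eq pop3
access-list INSIDE_OUT deny ip any any
access-group INSIDE_OUT in interface inside
```

Applying an access-group to inside reintroduces an implicit deny for that interface, which is why the earlier ACL that only permitted the DMZ destinations broke internet access; the explicit permits above are what keep both paths open.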
