Cisco Support Community
PIX and nat rules

Gents,

I have a PIX 515E, 7.0(5), with 3 interfaces: inside, outside, dmz.

We have a small public IP block, zzz.

Please see the attachment for my config.

I can't connect to zzz.zzz.zzz.72 from inside. From outside everything is OK. Why, where is the issue?

In which order are the NAT rules applied?

Does it depend on the nat_id number?

If I swap the NAT rules with nat_id 2 and 3, I can't ping 10.30.4.111 from inside.

Thanks.


Re: PIX and nat rules

The reason why you can't access zzz.zzz.zzz.72 was the address mapping "static (dmz,inside) xxxx....". The DMZ-to-outside mapping is OK.

You can't access the DMZ server from inside using that zzz.zzz.zzz.72 address, as that address is meant for external/Internet users accessing your internal/DMZ server.

On the firewall, any internal server that needs to be accessed by external users needs to be mapped to a public IP. To access servers in the DMZ, you need to map the inside subnet to the DMZ.

In your case, what you need is to reconfigure the PIX to allow inside hosts to access the DMZ server, using either:

a. Option 1

global (dmz) 1 10.30.4.98-10.30.4.100 ---> dynamic range, or
global (dmz) 1 10.30.4.9x ---> single IP @ PAT
nat (inside) 1 10.30.4.80 255.255.255.240
access-list inside permit tcp any any eq xxx ---> you can also use 'ip' in place of tcp or udp
access-list inside permit udp any any eq yyy
access-list inside deny ip any any
access-group inside in interface inside

b. Option 2

static (inside,dmz) 10.30.4.80 10.30.4.80 netmask 255.255.255.240
access-list inside permit tcp any any eq xxx ---> you can also use 'ip' in place of tcp or udp
access-list inside permit udp any any eq yyy
access-list inside deny ip any any
access-group inside in interface inside

The advantage of Option 2 is that it allows your internal/inside hosts to access the DMZ server using the DMZ server's original/physical IP. The same goes for DMZ hosts when they need to access inside hosts.

On the DMZ, you can apply an ACL allowing incoming/outgoing traffic as well.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1112434

Hope this helps.

Rgds,

AK
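The original post asks in which order the PIX applies its NAT rules and whether the nat_id number matters; the reply does not address that part. The toy model below is an added example, not Cisco code and not the poster's configuration (the attached config is not on the page). It encodes the documented PIX/ASA 7.x NAT order of operations (NAT exemption, then static, then policy dynamic NAT, then regular dynamic NAT by best match) for the source-address lookup only. The rule set in demo() is constructed: 10.30.4.0/24 is the DMZ range from the thread, 198.51.100.0/24 stands in for the anonymised public block "zzz", and the pools, overlapping nat statements and swap_ids flag are assumptions made to show that the nat_id only binds a nat statement to a global pool and is not a priority.

```python
"""Toy model of the PIX/ASA 7.x NAT order of operations (added example, not Cisco code).

Documented lookup order for a flow's real source address:
  1. NAT exemption       nat (if) 0 access-list ...      first match
  2. Static NAT/PAT      static (real_if,mapped_if) ...  first match in config order
  3. Policy dynamic NAT  nat (if) <id> ... access-list   first match
  4. Regular dynamic NAT nat (if) <id> <net> <mask>      BEST (longest-mask) match
The nat_id ties a nat statement to the global pool with the same id on the
egress interface; it is not a priority between nat statements.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Nat:
    """nat (src_iface) nat_id real_net mask [access-list whose destination is acl_dst]."""
    src_iface: str
    nat_id: int
    real: IPv4Network
    acl_dst: Optional[IPv4Network] = None   # set => policy NAT, or exemption when nat_id == 0


@dataclass(frozen=True)
class Static:
    """static (real_iface,mapped_iface) mapped real netmask mask."""
    real_iface: str
    mapped_iface: str
    mapped: IPv4Network
    real: IPv4Network


@dataclass(frozen=True)
class Global:
    """global (iface) nat_id pool."""
    iface: str
    nat_id: int
    pool: str


def _pool(cfg, iface, nat_id):
    """Pool bound to nat_id on the egress interface, or None when no global exists
    there (then the PIX has nothing to translate the flow to on that interface)."""
    for r in cfg:
        if isinstance(r, Global) and r.iface == iface and r.nat_id == nat_id:
            return r.pool
    return None


def translate(cfg, src_iface, dst_iface, src_ip, dst_ip):
    """Return (category, matched rule, mapped source address or pool) for one flow."""
    s, d = IPv4Address(src_ip), IPv4Address(dst_ip)
    nats = [r for r in cfg if isinstance(r, Nat) and r.src_iface == src_iface and s in r.real]
    # 1. NAT exemption: nat 0 access-list, first match
    for r in nats:
        if r.nat_id == 0 and r.acl_dst is not None and d in r.acl_dst:
            return "exempt", r, str(s)
    # 2. static: first match in configuration order, regardless of any nat statement
    for r in cfg:
        if (isinstance(r, Static) and r.real_iface == src_iface
                and r.mapped_iface == dst_iface and s in r.real):
            offset = int(s) - int(r.real.network_address)       # net-to-net static
            return "static", r, str(IPv4Address(int(r.mapped.network_address) + offset))
    # 3. policy dynamic NAT: nat <id> access-list, first match
    for r in nats:
        if r.nat_id != 0 and r.acl_dst is not None and d in r.acl_dst:
            return "policy", r, _pool(cfg, dst_iface, r.nat_id)
    # 4. regular dynamic NAT: best (longest-mask) match; nat_id is NOT a priority
    regular = [r for r in nats if r.acl_dst is None]
    if regular:
        best = max(regular, key=lambda r: r.real.prefixlen)
        if best.nat_id == 0:                       # nat 0 without an ACL: identity NAT
            return "identity", best, str(s)
        return "dynamic", best, _pool(cfg, dst_iface, best.nat_id)
    # nothing matched: with nat-control disabled (the 7.0 default) the flow passes untranslated
    return "none", None, str(s)


def demo(swap_ids=False, identity_static=False):
    """Constructed rule set (assumption, not the poster's config)."""
    id_28, id_27 = (2, 1) if swap_ids else (1, 2)   # swap_ids exchanges the two nat_ids
    cfg = [
        Global("outside", 1, "198.51.100.70 (PAT)"),    # stand-in for the "zzz" block
        Global("dmz", 1, "10.30.4.98-10.30.4.100"),     # the reply's option 1 range
        Global("dmz", 2, "10.30.4.101 (PAT)"),
        Nat("inside", id_28, IPv4Network("10.30.4.80/28")),   # specific statement
        Nat("inside", id_27, IPv4Network("10.30.4.64/27")),   # broader, overlaps the /28
        # DMZ server published to the Internet only (no static toward inside):
        Static("dmz", "outside", IPv4Network("198.51.100.72/32"), IPv4Network("10.30.4.111/32")),
    ]
    if identity_static:   # the reply's option 2
        cfg.append(Static("inside", "dmz", IPv4Network("10.30.4.80/28"), IPv4Network("10.30.4.80/28")))
    return cfg


def which(cfg, src_iface, dst_iface, src_ip, dst_ip):
    """Compact view: (category, nat_id of the winning statement or None, mapped/pool)."""
    cat, rule, mapped = translate(cfg, src_iface, dst_iface, src_ip, dst_ip)
    return cat, getattr(rule, "nat_id", None), mapped


if __name__ == "__main__":
    for swap in (False, True):
        print("swap_ids =", swap, which(demo(swap), "inside", "dmz", "10.30.4.85", "10.30.4.111"))
    print("identity static:", which(demo(identity_static=True), "inside", "dmz", "10.30.4.85", "10.30.4.111"))
    print("dmz -> outside:", which(demo(), "dmz", "outside", "10.30.4.111", "203.0.113.9"))
    print("no global on egress:", which(demo(), "inside", "outside", "10.30.4.70", "203.0.113.9"))
```

Running it shows that 10.30.4.85 always hits the /28 statement because it is the most specific match; swapping the nat_ids only changes which global pool on the DMZ the flow is sent to, which is why renumbering nat statements can silently move traffic onto a different pool or onto an interface with no matching global at all. The identity static from option 2 wins before any nat statement is consulted, so the inside host reaches the DMZ server untranslated.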
