PIX and nat rules

mskaelita
Level 1

Gents,

I have a PIX 515E, 7.0(5), with 3 interfaces: inside, outside, dmz.

We have a small public IP block, zzz.

Please see the attachments for my config.

I can't connect to zzz.zzz.zzz.72 from inside. From outside all is OK. Why, where is the issue?

In which order are the NAT rules applied?

Does it depend on the nat_id number?

If I swap the NAT rules with nat_id 2 and 3 with each other, I can't ping 10.30.4.111 from inside.

Thanks.

1 Reply

a.kiprawih
Level 7

The reason you can't access zz.zz.zz.72 is the address mapping "static (dmz,inside) xxxx....". The DMZ to outside mapping is OK.

You can't access the DMZ server from inside using that zz.zz.zz.72 address, as that address is meant for external/Internet users accessing your internal/DMZ server.

In a firewall, any internal server that needs to be accessed by external users needs to be mapped to a public IP. To access servers in the DMZ, you need to map the inside subnet to the DMZ.

In your case, you need to re-configure the PIX to allow inside hosts to access the DMZ server, using either:

a. Option 1

global (dmz) 1 10.30.4.98-10.30.4.100 ---> dynamic range, or

global (dmz) 1 10.30.4.9x ---> single IP @ PAT

nat (inside) 1 10.30.4.80 255.255.255.240

access-list inside permit tcp any any eq xxx -> you can also use 'ip' in place of tcp or udp

access-list inside permit udp any any eq yyy

access-list inside deny ip any any

access-group inside in interface inside

b. Option 2

static (inside,dmz) 10.30.4.80 10.30.4.80 netmask 255.255.255.240

access-list inside permit tcp any any eq xxx -> you can also use 'ip' in place of tcp or udp

access-list inside permit udp any any eq yyy

access-list inside deny ip any any

access-group inside in interface inside

The advantage of Option 2 is that it allows your internal/inside hosts to access the DMZ server using the DMZ server's original/physical IP. The same goes for DMZ hosts when they need to access inside hosts.

On the DMZ, you can apply an ACL allowing incoming/outgoing traffic as well.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1112434

Hope this helps.

Rgds,

AK
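As an added illustration of the two questions in the post (in which order the NAT rules apply, and whether the nat_id matters) and of the reply's Option 2, here is a small Python model of the PIX 7.x NAT order of operation. It is written for this page; it is not PIX software or Cisco tooling. The sample config is constructed from the addresses mentioned in the thread, since the attachment is not on the page: inside 10.30.4.80/28, DMZ server 10.30.4.111, and the documentation range 203.0.113.64/28 standing in for the public block "zzz". The order it encodes (NAT exemption, then static NAT, then policy dynamic NAT, then regular dynamic NAT chosen by best match rather than line order) is the documented PIX/ASA 7.x order; the nat_id only selects which global pool a nat statement uses on the egress interface, so swapping two nat_ids changes which pool a host is translated to, not the lookup order.

```python
"""Toy model of the PIX 7.x NAT order of operation (added example, not PIX code).
Lookup order for a packet's real source address: 1. NAT exemption, 2. static NAT,
3. policy dynamic NAT, 4. regular dynamic NAT (best match). The nat_id only pairs
a nat line with the global line on the egress interface. Simplifications: an
access-list is modelled as a destination network, every nat_id 0 line counts as
exemption, and PAT port allocation is ignored.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Static:  # static (real_iface,mapped_iface) mapped real netmask mask
    real_iface: str
    mapped_iface: str
    mapped: IPv4Network
    real: IPv4Network


@dataclass(frozen=True)
class Nat:  # nat (iface) nat_id real mask   (dst stands in for an access-list)
    iface: str
    nat_id: int
    real: IPv4Network
    dst: Optional[IPv4Network] = None


@dataclass(frozen=True)
class Global:  # global (iface) nat_id pool
    iface: str
    nat_id: int
    pool: str


@dataclass
class PixNat:
    statics: list
    nats: list
    globals_: list

    def translate(self, ingress, egress, src, dst):
        """Return (kind, mapped address or pool[, nat_id]) for src going ingress->egress."""
        src, dst = IPv4Address(src), IPv4Address(dst)
        mine = [n for n in self.nats if n.iface == ingress and src in n.real]
        # 1. NAT exemption: first match, address left unchanged
        for n in mine:
            if n.nat_id == 0 and (n.dst is None or dst in n.dst):
                return ("exempt", str(src))
        # 2. Static NAT on this (real, mapped) interface pair: first match
        for s in self.statics:
            if s.real_iface == ingress and s.mapped_iface == egress and src in s.real:
                offset = int(src) - int(s.real.network_address)
                return ("static", str(s.mapped.network_address + offset))
        # 3. Policy dynamic NAT: first match on source and destination
        for n in mine:
            if n.nat_id != 0 and n.dst is not None and dst in n.dst:
                return self._pair_with_global(n, egress)
        # 4. Regular dynamic NAT: most specific real network wins; line order is irrelevant
        regular = [n for n in mine if n.nat_id != 0 and n.dst is None]
        if regular:
            return self._pair_with_global(max(regular, key=lambda n: n.real.prefixlen), egress)
        return ("none", str(src))

    def _pair_with_global(self, nat, egress):
        # The nat_id selects the global pool on the egress interface, nothing more
        for g in self.globals_:
            if g.iface == egress and g.nat_id == nat.nat_id:
                return ("dynamic", g.pool, nat.nat_id)
        return ("no-global", str(nat.real), nat.nat_id)


def swap_nat_ids(pix, a, b):
    """The experiment from the question: exchange nat_id a and b on the nat lines only."""
    remap = {a: b, b: a}
    nats = [Nat(n.iface, remap.get(n.nat_id, n.nat_id), n.real, n.dst) for n in pix.nats]
    return PixNat(pix.statics, nats, pix.globals_)


# Constructed sample config modelled on the thread (the real attachment is not on the
# page): inside 10.30.4.80/28, DMZ server 10.30.4.111, 203.0.113.64/28 stands in for "zzz".
cfg = PixNat(
    statics=[
        Static("dmz", "outside", IPv4Network("203.0.113.72/32"), IPv4Network("10.30.4.111/32")),
        # Option 2 from the reply: identity static so inside reaches the DMZ by its real IP
        Static("inside", "dmz", IPv4Network("10.30.4.80/28"), IPv4Network("10.30.4.80/28")),
    ],
    nats=[Nat("inside", 1, IPv4Network("0.0.0.0/0")),       # catch-all, nat_id 1
          Nat("inside", 2, IPv4Network("10.30.4.80/28"))],  # the /28 only, nat_id 2
    globals_=[Global("outside", 1, "203.0.113.73"), Global("outside", 2, "203.0.113.74")],
)


def demo():
    """Resolve a few flows against the sample config."""
    return {
        "inside->dmz": cfg.translate("inside", "dmz", "10.30.4.81", "10.30.4.111"),
        "inside(/28)->outside": cfg.translate("inside", "outside", "10.30.4.81", "198.51.100.5"),
        "inside(other)->outside": cfg.translate("inside", "outside", "10.30.5.7", "198.51.100.5"),
        "dmz server->outside": cfg.translate("dmz", "outside", "10.30.4.111", "198.51.100.5"),
        "ids 1<->2 swapped": swap_nat_ids(cfg, 1, 2).translate(
            "inside", "outside", "10.30.4.81", "198.51.100.5"),
    }
```

Calling demo() shows the inside-to-DMZ flow hitting the Option 2 identity static before any nat/global pair is consulted, the /28 host going out through the nat_id 2 pool because the /28 is the more specific regular NAT line (regardless of which nat line is listed first), and the same host moving to the other pool once the ids on the nat lines are swapped while the global lines stay put, which is the effect of the experiment described in the question.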
