PIX / DMZ / NAT only outside

Robert_Berger
Level 1

Hello,

I have a customer with following conditions:

Internet..

DMZ with 172.18.x.x

LAN with 10.x.x.x

There is a proxy in the DMZ, 172.x.x.x. The proxy sees all clients with the DMZ interface address. The guys who configure the PIX say it comes from NAT and they cannot handle this.

So my question: can they use a kind of "NAT outside" instead of "NAT inside"?

So that the networks 10.x and 172.x are not NATed, but everything by outside...

Thanks Robert

3 Replies

chrclark
Level 1

You can use a static command to create a 1:1 static address mapping with the inside address the same as the address on the DMZ. You are probably using a global command and a nat statement. You can use the static command and map 10.xx.xx.xx to 10.xx.xx.xx from inside to dmz instead.

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

You will need to remove or change the nat statement.

Here are the docs on the static statement.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/commands.htm#xtocid76

tvanginneken
Level 4

What you can do is disable the NAT translation from the inside to the DMZ. Then the proxy server will see the real addresses of the inside clients.

access-list no_nat permit ip 10.x.x.x 255.0.0.0 172.18.x.x 255.255.0.0

nat (inside) 0 access-list no_nat

Kind Regards,

Tom

tvanginneken
Level 4

This Cisco document describes how to disable NATing between two networks using an access-list that specifies the traffic that should not be NATed:

http://www.cisco.com/warp/public/110/19.html#fourth

Kind Regards,

Tom
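The two fixes from the replies above side by side with the "before" state, as an added PIX 6.x configuration fragment that is not from any poster on this thread; the interface names, the 10.0.0.0/8 and 172.18.0.0/16 ranges, the proxy address 172.18.0.10 and the ACL names are assumptions.

```cisco
: Constructed PIX 6.x fragment. Interface names, addresses and ACL names are assumed.
: --- Before: inside hosts are dynamically translated onto the DMZ interface ---
: Every 10.x client reaches the proxy as the PIX's own DMZ address (172.18.0.1),
: so the proxy's logs and any per-client rules cannot tell clients apart.
nameif ethernet1 dmz security50
ip address dmz 172.18.0.1 255.255.0.0
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 interface
global (dmz) 1 interface

: --- After, option A (Tom's reply): exempt inside -> DMZ from NAT ---
: Only traffic matching the ACL keeps its real source address; inside -> outside
: is still translated by nat/global id 1, so Internet-bound traffic is unchanged.
access-list no_nat permit ip 10.0.0.0 255.0.0.0 172.18.0.0 255.255.0.0
nat (inside) 0 access-list no_nat

: --- After, option B (chrclark's reply): identity static, same visible result ---
: Use A or B, not both; a static covering the same addresses overlaps the exemption.
: static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

: Both forms create a bidirectional translation, so the DMZ interface ACL is
: what keeps DMZ hosts from initiating toward 10.0.0.0/8. Clients connect to the
: proxy, not the other way round, so deny DMZ -> inside and let only the proxy out.
access-list dmz_in deny ip any 10.0.0.0 255.0.0.0
access-list dmz_in permit ip host 172.18.0.10 any
access-group dmz_in in interface dmz
```

After the change, verify with show xlate that no translations are built for 10.x sources talking to 172.18.x destinations, and check the proxy's access log shows 10.x client addresses.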
