PIX NAT and Static Question

jeff
Level 1

We have a PIX 515e that we are going to install soon. The unit has 6 interfaces and 4 of them will be used. The FOS version is 6.3. NAT will be disabled on all interfaces. We will have the outside (security level 0), inside (level 100), DMZ (level 50) and DMZ2 (level 80). Each interface will have its own subnet with public addresses. I know how to turn NAT off on each interface, but I'm confused with regard to the situation we have.

aaa.bbb.59.0 255.255.255.248 network for outside

aaa.bbb.59.2 outside IP address

aaa.bbb.59.64 255.255.255.224 network for inside

aaa.bbb.59.65 inside IP Address

aaa.bbb.59.32 255.255.255.224 network for DMZ

aaa.bbb.59.33 DMZ IP address

aaa.bbb.59.96 255.255.255.224 network for DMZ2

aaa.bbb.59.97 DMZ2 IP address

The DMZ will have, for now, one publicly accessible server. The one server, having IP address aaa.bbb.59.35, will need ports 53, 80 and 25 open inbound from the outside. The real problem I have is that DMZ2 will have, for now, another firewall on it that will do the NATing for the network behind it and has static translations on it for the public addresses to private hosts. For example, if an outside host needs to PCAnywhere to his workstation, he will PCAnywhere to aaa.bbb.59.107 and this firewall (a Unix server which is doing the translation) will translate that public IP to the inside private address. This server will be on the DMZ2 network with the IP address of aaa.bbb.59.99.

Also, the server in the DMZ with public address aaa.bbb.59.35 will need to forward port 25 to public address aaa.bbb.59.100, which is in the DMZ2 range but behind the Unix firewall and translated at the Unix firewall.

My question is, how do I set up the static and/or access-list to have those public addresses forwarded to the Unix firewall, whether it be from the outside (such as the PCAnywhere example) or from the DMZ, such as the public server forwarding port 25 packets to the public IP of a server behind the Unix firewall on DMZ2?

Thanks for any help.

Jeff

2 Replies

jsivulka
Level 5

The document 'Configuring NAT' explains NAT on the PIX with 2, 3 and 4 interfaces and has a number of examples covering the same. Best of luck.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/config/examples.htm

jackko
Level 7

Change DMZ2 from security level 80 to 20 (command: nameif).

With the level change, the issue regarding the DMZ server to DMZ2 server on port 25 will be solved without using any access-list.
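The following is an added PIX OS 6.3 configuration fragment, not posted by Jeff, jsivulka or jackko, that puts the two answers together for the addresses in Jeff's post: identity NAT (nat 0) on every non-outside interface, DMZ2 lowered to security level 20 so the DMZ-to-DMZ2 port 25 flow is a high-to-low flow needing no access-list, identity statics for the public addresses that must be reachable from a lower-security interface, and one inbound access-list on the outside. Interface names (ethernet0-3) and the PCAnywhere ports (TCP 5631, UDP 5632) are assumptions; the thread does not name them. Port 53 is permitted for both UDP and TCP, since DNS uses both.

```text
! Added example for PIX 515E running PIX OS 6.3; addresses are from Jeff's post,
! interface numbering is an assumption.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
! dmz2 at 20 (jackko's suggestion): dmz (50) -> dmz2 (20) is now high-to-low,
! so the DMZ server can reach aaa.bbb.59.100:25 with no static and no access-list.
nameif ethernet3 dmz2 security20

ip address outside aaa.bbb.59.2 255.255.255.248
ip address inside aaa.bbb.59.65 255.255.255.224
ip address dmz aaa.bbb.59.33 255.255.255.224
ip address dmz2 aaa.bbb.59.97 255.255.255.224

! No translation anywhere: identity NAT for each public subnet.
nat (inside) 0 aaa.bbb.59.64 255.255.255.224
nat (dmz) 0 aaa.bbb.59.32 255.255.255.224
nat (dmz2) 0 aaa.bbb.59.96 255.255.255.224

! Low-to-high flows (outside -> dmz, outside -> dmz2) still need a static so the
! PIX will build a translation slot; these are identity statics (same address both sides).
static (dmz,outside) aaa.bbb.59.35 aaa.bbb.59.35 netmask 255.255.255.255
! Public addresses the Unix firewall (aaa.bbb.59.99) answers for on dmz2.
static (dmz2,outside) aaa.bbb.59.100 aaa.bbb.59.100 netmask 255.255.255.255
static (dmz2,outside) aaa.bbb.59.107 aaa.bbb.59.107 netmask 255.255.255.255

! Inbound from the Internet: only the listed services. Everything else is dropped
! by the implicit deny at the end of the list.
access-list outside_in permit udp any host aaa.bbb.59.35 eq domain
access-list outside_in permit tcp any host aaa.bbb.59.35 eq domain
access-list outside_in permit tcp any host aaa.bbb.59.35 eq www
access-list outside_in permit tcp any host aaa.bbb.59.35 eq smtp
! Mail for the host behind the Unix firewall, delivered to its public address.
access-list outside_in permit tcp any host aaa.bbb.59.100 eq smtp
! PCAnywhere to the workstation behind the Unix firewall; ports are an assumption.
access-list outside_in permit tcp any host aaa.bbb.59.107 eq 5631
access-list outside_in permit udp any host aaa.bbb.59.107 eq 5632
access-group outside_in in interface outside
```

Two things to check before relying on this. First, aaa.bbb.59.100 and aaa.bbb.59.107 sit inside the directly connected dmz2 subnet, so the PIX will ARP for them on that interface; the Unix firewall must answer those ARP requests (hold the addresses as aliases on its dmz2-facing interface or proxy-ARP for them), otherwise the PIX has nowhere to deliver the packet even though the static and access-list permit it. Second, lowering dmz2 to 20 means any new connection from the Unix firewall's side into the DMZ (for example the private network behind it resolving names on the DMZ DNS server) is now a low-to-high flow and needs its own static (dmz,dmz2) and an access-list applied to the dmz2 interface; if dmz2 were left at 80 instead, the port 25 flow from the DMZ server would need a static (dmz2,dmz) for aaa.bbb.59.100 plus an access-list on dmz, which is exactly what jackko's level change avoids.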
