06-29-2006 02:27 AM - edited 02-21-2020 01:00 AM
hello!
Server A (ip=10.0.0.1) located at 'dmz1' and server B (ip=192.168.0.1) located at 'dmz2' should communicate with each other.
Which of the following commands completes the task?
1. static (dmz1,dmz2) 10.0.0.1 10.0.0.1 netmask 255.255.255.255
2. static (dmz2,dmz1) 192.168.0.1 192.168.0.1 netmask 255.255.255.255
Thank you!
06-29-2006 04:49 AM
Can't tell - what are the security levels?
Remember the basic PIX rules:
low security -> higher = static NAT (and ACL).
high -> low = "nat" & "global".
To avoid NATing, static NAT goes:
static (high,low) real_IP real_IP .....
It's a bit different if they are the same security level.
06-29-2006 07:17 PM
Hello Grant!
Thanks for your reply!
Security levels:
dmz1 = 10
dmz2 = 20
I've checked out the following.
1. When I type:
static (dmz2,dmz1) 192.168.0.1 192.168.0.1 netmask 255.255.255.255
B is able to establish connection to A
2. When I type
static (dmz1,dmz2) 10.0.0.1 10.0.0.1 netmask 255.255.255.255
B is not able to establish connection to A. Why?
06-29-2006 09:32 PM
You stated you have
Server A (ip=10.0.0.1) located at 'dmz1' LOWER SECURITY
and
Server B (ip=192.168.0.1) located at 'dmz2' HIGHER SECURITY
static (dmz2,dmz1) 192.168.0.1 192.168.0.1 netmask 255.255.255.255
will allow B to access A (you are NATting dmz2 source 192.168.0.1 to source 192.168.0.1 when it exits the dmz1 interface).
If you also want to allow A to access B (that is, A originates traffic),
you'll need to also include an ACL entry and apply it to the dmz1 interface.
static (dmz1,dmz2) 10.0.0.1 10.0.0.1 netmask 255.255.255.255
This is destination NAT, which translates packets destined to 10.0.0.1 on dmz2 to 10.0.0.1 on dmz1.
These two statements are very different.
HTH
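A simplified model of the two rules described in this thread, added here as an example and not part of any post: it parses a small constructed config and reports which side may open a connection. The ACL name `A_TO_B`, its permit line and the function names are assumptions; `nat`/`global`, same-security-level interfaces and ACLs on the higher interface are not modeled.

```python
import re

# Security levels as given in the thread.
LEVELS = {"dmz1": 10, "dmz2": 20}

# Constructed config. The static is command 2 from the thread; the ACL name
# A_TO_B and its permit line are assumptions added for this example.
CONFIG = """\
static (dmz2,dmz1) 192.168.0.1 192.168.0.1 netmask 255.255.255.255
access-list A_TO_B permit ip host 10.0.0.1 host 192.168.0.1
access-group A_TO_B in interface dmz1
"""

STATIC = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+)")
ACE = re.compile(r"access-list (\S+) permit ip host (\S+) host (\S+)")
GROUP = re.compile(r"access-group (\S+) in interface (\w+)")

def parse(config):
    """Return (statics, ACL entries, interface -> ACL name) from config text."""
    statics, aces, groups = [], [], {}
    for line in config.splitlines():
        if m := STATIC.match(line):
            # PIX syntax: static (real_if,mapped_if) mapped_ip real_ip
            real_if, mapped_if, mapped_ip, real_ip = m.groups()
            statics.append((real_if, mapped_if, mapped_ip, real_ip))
        elif m := ACE.match(line):
            aces.append(m.groups())          # (name, src_ip, dst_ip)
        elif m := GROUP.match(line):
            groups[m.group(2)] = m.group(1)  # interface -> ACL name
    return statics, aces, groups

def can_initiate(config, src_if, src_ip, dst_if, dst_ip):
    """Apply the thread's two rules to a new connection src -> dst."""
    if LEVELS[src_if] == LEVELS[dst_if]:
        raise ValueError("same security level is not modeled")
    statics, aces, groups = parse(config)
    if LEVELS[src_if] > LEVELS[dst_if]:
        # high -> low: the source host needs a translation toward dst_if
        return any(s[0] == src_if and s[1] == dst_if and s[3] == src_ip
                   for s in statics)
    # low -> high: a static must expose the destination on src_if, and an
    # ACL applied inbound on src_if must permit the flow
    exposed = any(s[0] == dst_if and s[1] == src_if and s[2] == dst_ip
                  for s in statics)
    permitted = (groups.get(src_if), src_ip, dst_ip) in aces
    return exposed and permitted
```
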