static NAT of a dmz interface

zlabovic
Level 1

Hello,

Is it possible to translate ip address of a dmz interface on PIX 6.3.5?

I have put the static configuration in place and added an ACL to permit icmp any any, but the host on the outside cannot ping the NATed DMZ interface address.

7 Replies

mgaysek
Level 1

I do not think it is possible to ping the DMZ interface from a source that exists behind any other interface. You might be able to get around this by using the management command and setting the management interface to the DMZ.

See below for usage.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ab.html#wp1137951

abdel_n
Level 1

Hi,

By default the PIX doesn't allow pinging its interfaces; to allow that, try the icmp command, which configures access rules for ICMP traffic that terminates at an interface.

[no] icmp {permit | deny} ip_address net_mask [icmp_type] if_name

I hope this will help!

Hi,

I found that command and applied it, but no luck. I also tried with the conduit command, but same result.

Hi,

Well, it should work. I guess something is wrong with the static command or the access list.

Here is an example of a very simple config I've just tried:

R2 ---- (fw) ---- R3

inside              outside

10.10.10.1          192.168.10.103

inside local of R2 = 10.10.10.1

inside global of R2 = 192.168.10.1

ip address outside 192.168.10.2 255.255.255.0

ip address inside 10.10.10.2 255.255.255.0

static (inside,outside) 192.168.10.1 10.10.10.1 netmask 255.255.255.255 0 0

access-group tointernal in interface outside

And it works even without the icmp command!

Here is the output of a telnet connection attempt from outside to inside:

========== from R3

R3#telnet 192.168.10.1

Trying 192.168.10.1 ... Open

User Access Verification

Password:

R2>en

Password:

R2#

pix(config)# exit

======= from the pix

pix# sh conn

1 in use, 1 most used

TCP out 192.168.10.103:11001 in 10.10.10.1:23 idle 0:00:13 Bytes 145 flags UIOB

pix# sh xlate

1 in use, 1 most used

Global 192.168.10.1 Local 10.10.10.1

pix# sh static

static (inside,outside) 192.168.10.1 10.10.10.1 netmask 255.255.255.255 0 0

pix# sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)

alert-interval 300

access-list tointernal; 1 elements

access-list tointernal line 1 permit ip any any (hitcnt=6)

Thanks, but what you have done is not quite what I was asking. If I use your configuration as an example, I was trying to ping 10.10.10.2 from R3 and that did not work. I was also wondering whether it is possible to do a static translation of 10.10.10.2 (the address of the PIX inside interface) to, say, 192.168.10.102 and then to ping it from router R3?

Got it, so as mentioned by "mgaysek" it's not possible to ping one PIX interface from a segment on another interface; you can ping only the closest PIX interface. The only exception is using management access, and through an IPSec tunnel only.

anand1871
Level 1

You can ping an interface of the PIX only from addresses local to that interface.

So you can ping your DMZ interface only from machines/networks connected to the DMZ of your PIX.

You won't be able to ping it from other interfaces like inside or outside.
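As an added example (not posted by anyone in this thread), here is the configuration pattern the replies converge on: use static to translate a host behind the DMZ rather than the DMZ interface address, and use the icmp command only to control pings that terminate on an interface from its own segment. The interface names, addresses and ACL name are assumed.

```cisco
! Constructed PIX 6.3 layout (assumed, not from the thread):
!   outside 192.168.10.2/24, dmz 172.16.1.1/24, DMZ host 172.16.1.10
nameif ethernet2 dmz security50
ip address outside 192.168.10.2 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0

! Static NAT for a host behind the DMZ: this is the case static is meant for.
static (dmz,outside) 192.168.10.102 172.16.1.10 netmask 255.255.255.255 0 0

! Permit only echo requests toward the translated host; the echo replies
! return through the connection state, so no inbound echo-reply rule is needed.
access-list outside_in permit icmp any host 192.168.10.102 echo
access-group outside_in in interface outside

! The icmp command governs ICMP that terminates on a PIX interface. It only
! affects traffic arriving on that interface from its own segment, so this
! lets DMZ hosts ping 172.16.1.1 but does nothing for hosts on the outside.
icmp permit 172.16.1.0 255.255.255.0 echo dmz
icmp deny any dmz

! Not supported, per the thread: a static whose local address is the
! interface itself, e.g.
!   static (dmz,outside) 192.168.10.102 172.16.1.1 netmask 255.255.255.255 0 0
! An interface is reachable only from its own segment, or across an IPsec
! tunnel with the management-access command.
```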