Disable IP address translation between the DMZ and Inside network?

otnj2ee
Level 1

Assume a network topology is like this:

A PIX with 3 interfaces:

inside interface (private static IP of 10.10.10.1)

outside interface (public static IP of 69.110.38.35)

DMZ interface (private static IP of 30.30.30.1)

The internal clients (private static IPs 10.10.10.3 - 10.10.10.30) are located in the internal LAN.

It is said: "Usually you disable Network address translation between the DMZ and Inside network".

1) Why do I need to disable the IP address translation between the DMZ and Inside network?

2) What is the CLI statement to achieve this (example)?

Thanks for the help.

Scott

1 Reply

wyatts
Level 1

1. You only normally need to NAT if you have overlapping IPs, or PAT if you want to conserve public IPs.

2.

! Exemption ACLs: inside->DMZ and DMZ->inside flows that must keep their real addresses
access-list no_nat_2_dmz permit ip 10.10.10.0 255.255.255.224 30.30.30.0 255.255.255.0
access-list no_nat_2_Inside permit ip 30.30.30.0 255.255.255.0 10.10.10.0 255.255.255.224
! Identity static: the inside /27 is presented to the DMZ under its own addresses
static (Inside,DMZ) 10.10.10.0 10.10.10.0 netmask 255.255.255.224
! nat 0 with an access-list: flows matching the ACL are not translated
nat (Inside) 0 access-list no_nat_2_dmz
nat (DMZ) 0 access-list no_nat_2_Inside

or something to that effect. nat with a number of 0 does not NAT the IPs stated in the access-list that you specify.

The static command allows your DMZ to access your Inside network. You probably want to specify certain IPs and services in static commands instead of just globbing everything together and allowing it. This command works, but kinda defeats one of the purposes of a DMZ.

Note that the nat commands aren't even needed if you don't have:

global (Inside)

global (DMZ)

as the global commands are needed to NAT.
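As an added illustration of how the exemption and identity-static lines in the reply above interact (this is not part of the thread and not Cisco code), the following Python script parses those exact lines and reports, for a given interface pair and address pair, what the PIX would do to the source address. It models only the subset of PIX 6.x syntax shown in the reply, assumes the PIX 6.x order of nat 0 exemption first, then static, then regular nat/global, and uses constructed addresses (10.10.10.40, 8.8.8.8, 30.30.30.128) to show where the posted /27 exemption stops applying.

```python
"""
Toy evaluator for PIX-style NAT exemption (nat 0 access-list) and static rules.
Added example, not Cisco code: models only the syntax used in the reply above.
"""
import ipaddress
import re

# Constructed sample config: the configuration lines from the reply, verbatim.
SAMPLE_CONFIG = """
access-list no_nat_2_dmz permit ip 10.10.10.0 255.255.255.224 30.30.30.0 255.255.255.0
access-list no_nat_2_Inside permit ip 30.30.30.0 255.255.255.0 10.10.10.0 255.255.255.224
static (Inside,DMZ) 10.10.10.0 10.10.10.0 netmask 255.255.255.224
nat (Inside) 0 access-list no_nat_2_dmz
nat (DMZ) 0 access-list no_nat_2_Inside
"""


def _net(addr, mask):
    # PIX access-lists use dotted subnet masks (not wildcard masks).
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Return (acls, statics, nat0) parsed from PIX-style configuration lines."""
    acls = {}      # acl name -> list of (src_net, dst_net)
    statics = []   # (real_if, mapped_if, mapped_net, real_net)
    nat0 = {}      # interface -> acl name used for nat 0 exemption
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            acls.setdefault(tok[1], []).append((_net(tok[4], tok[5]), _net(tok[6], tok[7])))
        elif tok[0] == "static":
            # static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
            m = re.match(r"\((\w+),(\w+)\)", tok[1])
            mask = tok[tok.index("netmask") + 1] if "netmask" in tok else "255.255.255.255"
            statics.append((m.group(1), m.group(2), _net(tok[2], mask), _net(tok[3], mask)))
        elif tok[0] == "nat" and tok[2] == "0" and tok[3] == "access-list":
            nat0[tok[1].strip("()")] = tok[4]
    return acls, statics, nat0


def translation(acls, statics, nat0, in_if, out_if, src, dst):
    """
    Decide what happens to the source address of a packet entering on in_if
    and leaving on out_if.  Modelled order (PIX 6.x): nat 0 access-list
    exemption, then static, otherwise the flow would need a global on out_if.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl = nat0.get(in_if)
    if acl:
        for s_net, d_net in acls.get(acl, []):
            if src in s_net and dst in d_net:
                return "exempt (nat 0)"
    for real_if, mapped_if, mapped_net, real_net in statics:
        if real_if == in_if and mapped_if == out_if and src in real_net:
            offset = int(src) - int(real_net.network_address)
            mapped = mapped_net.network_address + offset
            return "identity static" if mapped == src else f"static -> {mapped}"
    return "needs global"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    # Constructed test flows: inside host in and outside the posted /27, DMZ -> inside,
    # and inside -> Internet, which the exemption ACL does not cover.
    for flow in [("Inside", "DMZ", "10.10.10.5", "30.30.30.10"),
                 ("Inside", "DMZ", "10.10.10.40", "30.30.30.10"),
                 ("DMZ", "Inside", "30.30.30.10", "10.10.10.5"),
                 ("Inside", "outside", "10.10.10.5", "8.8.8.8")]:
        print(flow, "->", translation(*cfg, *flow))
```

Running it shows that 10.10.10.40 falls outside the 255.255.255.224 mask the reply uses, so it is neither exempted nor covered by the identity static, and that the exemption only applies when the destination is in 30.30.30.0/24; traffic toward the outside still depends on a nat/global pair.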
