topic Re: PIX 515e Static NAT/DMZ Issue in Network Security

PIX 515e Static NAT/DMZ Issue

pstebner1 — Mon, 11 Mar 2019 10:12:52 GMT

I have a 515e, 6.3(4) with an internal interface and a DMZ. The DMZ interface is 10.0.20.1 and the outside interface is 69.xxx.yyy.188/28

I have setup a web server which is currently the only device in the DMZ. I need to make a static mapping to this box but for some reason I just can't get it to work. The web server's local address is 10.0.20.100 and the public address that I need to statically map it to is 69.xxx.yyy.187/28

Here's my config so far:

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

ip address outside 69.xxx.yyy.188 255.255.255.240

ip address inside 192.168.20.1 255.255.255.0

ip address dmz 10.0.20.1 255.255.255.0

access-list dmz_in permit ip any any

access-list outside_in permit ip host 69.xxx.yyy.187 any

global (outside) 1 interface

global (dmz) 1 10.0.20.110-10.0.20.120

nat (inside) 1 Inside_LAN 255.255.255.0 0 0

nat (dmz) 1 dmz 255.255.255.0 0 0

static (outside,dmz) 10.0.20.100 69.xxx.yyy.187 netmask 255.255.255.255 0 0

access-group outside_in in interface outside

access-group dmz_in in interface dmz

I have the access-lists open for troubleshooting purposes... The global (dmz) statement is temporary so that I can access the DMZ from my inside network.

Any help would be greatly appreciated.

Thanks,

Paul

Re: PIX 515e Static NAT/DMZ Issue

PDEdwards — Fri, 11 May 2007 14:07:15 GMT

Paul

You need to make the static mapping from the high security to low security interface:

i.e

static (dmz,outside) 69.xx.yy.187 10.0.20.100 netmask 255.255.255.255

As you are allowing access from a low to high security interface you need an acl which should go as follows:

access-list outside_in permit ip any host 69.xx.yy/187

Above allows access from any ip to your web server.

Regds

Re: PIX 515e Static NAT/DMZ Issue

pstebner1 — Fri, 11 May 2007 14:20:02 GMT

Thanks for the reply-

I actually got that line wrong in my posting. I do have static (dmz,outside) and not the other way around.

I did change my access list, as you were correct with that, but it still does not work. The access-list doesn't show any hits, either.

Any other suggestions?

Thanks,

Paul

Re: PIX 515e Static NAT/DMZ Issue

acomiskey — Fri, 11 May 2007 14:29:40 GMT

Post you new config.

Re: PIX 515e Static NAT/DMZ Issue

pstebner1 — Fri, 11 May 2007 14:37:00 GMT

Here is the newer config:

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

ip address outside 69.xxx.yyy.188 255.255.255.240

ip address inside 192.168.20.1 255.255.255.0

ip address dmz 10.0.20.1 255.255.255.0

access-list dmz_in permit ip any any

access-list outside_in permit ip any host 69.xxx.yyy.187

global (outside) 1 interface

global (dmz) 1 10.0.20.110-10.0.20.120

nat (inside) 1 Inside_LAN 255.255.255.0 0 0

nat (dmz) 1 dmz 255.255.255.0 0 0

static (dmz,outside) 69.xxx.yyy.187 10.0.20.100 netmask 255.255.255.255 0 0

access-group outside_in in interface outside

access-group dmz_in in interface dmz

Re: PIX 515e Static NAT/DMZ Issue

acomiskey — Fri, 11 May 2007 14:51:06 GMT

Nothing wrong there, clear xlate?

Re: PIX 515e Static NAT/DMZ Issue

pstebner1 — Fri, 11 May 2007 14:55:07 GMT

Did it. Still no dice. That's why I'm so confused!

Re: PIX 515e Static NAT/DMZ Issue

acomiskey — Fri, 11 May 2007 15:26:00 GMT

Have you tried using the interface ip instead just to see if that works.

access-list outside_in permit ip any interface outside

static (dmz,outside) interface 10.0.20.100 netmask 255.255.255.255 0 0

Re: PIX 515e Static NAT/DMZ Issue

pstebner1 — Fri, 11 May 2007 15:33:36 GMT

This PIX is actually in production right now, and there's no chance that I can do that, at least during business hours...

Re: PIX 515e Static NAT/DMZ Issue

acomiskey — Fri, 11 May 2007 15:51:41 GMT

You are trying to hit 69.xxx.yyy.187 from outside the firewall right?

Re: PIX 515e Static NAT/DMZ Issue

pstebner1 — Fri, 11 May 2007 16:22:18 GMT

Yes. I'm not THAT much of a newbie!

When inside of the network, however, I notice that as soon as I put in the static command the server loses internet access. It works fine with PAT, but of course then it isn't accessible from the outside.

Re: PIX 515e Static NAT/DMZ Issue

acomiskey — Fri, 11 May 2007 16:26:19 GMT

Haha, no offense you never know who you're dealing with. There was a similar post here within the last few days. I believe it was an arp issue on the isp router. Something to consider.

Re: PIX 515e Static NAT/DMZ Issue

Jon Marshall — Fri, 11 May 2007 16:40:44 GMT

It shouldn't make a difference but you do have overlapping NAT statements ie

global (outside) 1 interface

nat (dmz) 1 dmz 255.255.255.0 0 0

static (dmz,outside) 69.xxx.yyy.187 10.0.20.100 netmask 255.255.255.255 0 0

If the web server is the only device in the DMZ could you not just remove your

nat(dmz) 1 dmz 255.255.255.0 0 0 statement.

Jon

Re: PIX 515e Static NAT/DMZ Issue

pstebner1 — Fri, 11 May 2007 16:59:09 GMT

Yeah, I know. I had that there because if I remove the static statement then I can get internet access on the box.

One thing that I just noticed - not sure if it makes a difference - on my internet router if I do a sh ip arp I see the arp from .187 as being incomplete.

Any thoughts?

Re: PIX 515e Static NAT/DMZ Issue

pstebner1 — Fri, 11 May 2007 19:19:34 GMT

Mr. Comiskey-

Thanks for all of your help. You actually pointed me in the right direction to find the answer: The other guy that had this issue fixed it by turning on proxyarp. Worked for me too.

no sysopt noproxyarp outside

There it was, all along.

Thanks, guys

Paul