topic Re: Route without NAT between DMZs on PIX in Network Security

Route without NAT between DMZs on PIX

mreed — Mon, 11 Mar 2019 11:27:40 GMT

I have 4 active interfaces on my PIX 520, Outside, Inside, DMZ1BU, and DMZ2BU. Inside, DMZ1BU and DMZ2BU can nat to outside just fine, everything on the DMZ has a static mapping to and Outside IP Address. I'm trying to route between the two DMZs and just can't get it to work. Here is the cut of the relevant part of the config.

interface ethernet0 100full

interface ethernet1 100full

interface ethernet4 auto

interface ethernet5 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet4 DMZ2BU security50

nameif ethernet5 DMZ1BU security40

...

access-list nonat_dmz1 permit ip host 10.10.15.151 host 10.10.12.145

access-list nonat_dmz2 permit ip host 10.10.12.145 host 10.10.15.151

...

ip address outside x.y.z.3 255.255.255.0

ip address inside 192.168.254.1 255.255.255.0

ip address DMZ2BU 10.10.12.1 255.255.255.0

ip address DMZ1BU 10.10.15.1 255.255.255.0

ip verify reverse-path interface outside

...

global (outside) 1 x.y.z.5

nat (outside) 0 access-list outside_nat0_inbound outside

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (itf3) 1 0.0.0.0 0.0.0.0 0 0

nat (DMZ2BU) 0 access-list nonat_dmz2

nat (DMZ2BU) 1 0.0.0.0 0.0.0.0 0 0

nat (DMZ1BU) 0 access-list nonat_dmz1

nat (DMZ1BU) 1 0.0.0.0 0.0.0.0 0 0

static (DMZ1BU,outside) x.y.z.151 10.10.15.151 netmask 255.255.255.255 0 0

static (DMZ2BU,outside) x.y.z.170 10.10.12.145 netmask 255.255.255.255 0 0

access-group acl_outside in interface outside

access-group acl_dmz2 in interface DMZ2BU

access-group acl_dmz1 in interface DMZ1BU

route outside 0.0.0.0 0.0.0.0 x.y.z.1 1

I really think systems on DMZ1 and DMZ2 should be able to ping each other without NATing with this config, but it doesn't work. Am I missing something really obvious? I'm attaching the full config in case there in information not here that is needed.

Thank you for your assistance. I've been searching online and everything I've found leads me to beleive my config is correct.

Re: Route without NAT between DMZs on PIX

acomiskey — Fri, 19 Oct 2007 18:16:53 GMT

Try this instead of the nat 0 commands...

no nat (DMZ1BU) 0 access-list nonat_dmz1

no nat (DMZ2BU) 0 access-list nonat_dmz2

static (DMZ2BU,DMZ1BU) 10.10.15.0 10.10.15.0 netmask 255.255.255.0

Re: Route without NAT between DMZs on PIX

mreed — Fri, 19 Oct 2007 18:23:56 GMT

I had tried that also, although I did do it the other way around with static (DMZ1BU,DMZ2BU) 10.10.12.0 10.10.12.0 netmask 255.255.255.0, and it did not work either. I just tried it with your exacty commands and 10.10.12.145 could still not ping 10.10.15.151.

Do I need to clear xlate after making this change? I've looked at the xlate table and don't see any entries for this. I hate doing a full xlate table clear during the day.

Re: Route without NAT between DMZs on PIX

mreed — Fri, 19 Oct 2007 18:25:08 GMT

One more thing in case it matters to someone I am using PIX version 6.3(5) and this is a PIX 520.

Re: Route without NAT between DMZs on PIX

acomiskey — Fri, 19 Oct 2007 18:27:50 GMT

You have not allowed icmp replies back into the DMZ1 interface....

access-list acl_dmz1 permit icmp any any echo-reply

access-list acl_dmz1 permit icmp any any

Re: Route without NAT between DMZs on PIX

mreed — Fri, 19 Oct 2007 18:36:44 GMT

Duh, I just had the IP any any and totally forgot about ICMP. Unfortunatly that still hasn't resolved the issue. After adding this to the access-list I tried it both with the nat 0 option and your static mapping and it still doesn't work either way.

Thank you for your assistance so far by the way.

Re: Route without NAT between DMZs on PIX

acomiskey — Fri, 19 Oct 2007 18:40:03 GMT

No problem, did you also add...?

access-list acl_dmz2 permit icmp any any

Re: Route without NAT between DMZs on PIX

mreed — Fri, 19 Oct 2007 18:46:27 GMT

I did add it to both. Interestingly the hitcount is not going up on them when performing a ping.

Re: Route without NAT between DMZs on PIX

acomiskey — Fri, 19 Oct 2007 18:54:29 GMT

Weird, this shouln't be this hard. Want to post the new updated config?

Re: Route without NAT between DMZs on PIX

mreed — Fri, 19 Oct 2007 19:10:21 GMT

Yay, its not just me. I've done this before and just couldn't figure out what I'm missing this time.

Re: Route without NAT between DMZs on PIX

acomiskey — Fri, 19 Oct 2007 19:19:23 GMT

Sorry, that's my bad, I was reading too fast...

no static (DMZ2BU,DMZ1BU) 10.10.15.0 10.10.15.0 netmask 255.255.255.0 0 0

static (DMZ2BU,DMZ1BU) 10.10.12.0 10.10.12.0 netmask 255.255.255.0 0 0

clear xlate

Re: Route without NAT between DMZs on PIX

mreed — Fri, 19 Oct 2007 19:37:33 GMT

Done, unfortunatly still no dice.

Re: Route without NAT between DMZs on PIX

acomiskey — Fri, 19 Oct 2007 19:40:43 GMT

That's crazy. Time to start logging on the pix when you try to ping. You are trying to ping from 10.10.12.x to 10.10.15.x right. Try to get some logging going to see what the pix is saying as you ping.

Re: Route without NAT between DMZs on PIX

mreed — Fri, 19 Oct 2007 20:06:09 GMT

Hmm, ok, doing a debug icmp trace if I ping from 10.10.12.145 to 198.6.1.4 on the outside I see all the records and it looks fine, which is good because that works. But if from 10.10.12.145 I ping 10.10.15.151, there is no record in the debug, none at all.

The only thing that I can think of is that all of these servers have static mapping to outside. Does that superseed the static (dmz1bu,dmz2bu) ... and the nat 0 lines because it comes first?

Re: Route without NAT between DMZs on PIX

slayerhawk — Wed, 14 May 2008 17:18:36 GMT

Did you ever figure this out? I have a similar issue and am confused.