Configuring PIX DMZ

alitster
Level 1

Hi,

Currently we have a PIX 515 6.2(2) that has three interfaces: inside, outside, dmz1. Private addresses are used on both the inside and dmz1 networks while the outside has public addresses. Static NAT is used to make our servers on the inside/dmz1 visible on the outside.

global (outside) 1 1xx.x.x.69-1xx.x.x.71

global (outside) 1 1xx.x.x.72

nat (inside) 0 access-list vpntunnel_nonat

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

nat (dmz) 0 access-list dmz1_nonat

nat (dmz) 1 172.23.67.0 255.255.255.0 0 0

We have recently purchased a PIX 515E 6.2(2) that has 6 interfaces, though we're only using four; we needed a second dmz. The new dmz runs at a higher security level. The dmz has a block of public addresses; what method would you use to make them accessible from the outside? Presumably you'd disable NAT. We've got the one global pool that is used to access the outside from the inside network; is it possible to use them when accessing dmz2 from the inside? And for accessing dmz1 from dmz2, is it simply a case of adding more static NATs?

One last question: what is the preferred method for accessing dmz1 from the inside when www.mycompany.com resolves to a public IP address?

Any advice much appreciated.

Regards,

Alan

1 Reply

wagrjohn
Level 1

You would just do a NAT static for your new dmz like so:

static (dmz2,outside) Public-Block-Here.0 Public-Block-Here.0 netmask 255.255.255.0 0 0 (put the appropriate mask of course for your block)

and you can put those public IPs right on your servers

or...

If you still want to use privates on the new dmz servers (I see no real security advantage to doing this; if someone does, please tell me) you can do like so:

static (dmz2,outside) Public-Block-Here.0 Private-Block-Here.0 netmask 255.255.255.0 0 0

This will take every private address and map it to the equivalent public address (ex. 192.168.1.1 -> 2xx.x.x.1, 192.168.1.52 -> 2xx.x.x.52). Just be sure the masks match.

Then you would just make the appropriate ACLs or conduits to permit access from the outside to the new DMZ and, if necessary, from the old DMZ to the new one.

You don't need to NAT to public addresses when accessing any of your dmzs if you don't want to. In my case, internal hosts access the dmz via their private IP, because if they were NATed to go to the DMZ they would grab another address from our NAT pool, so you would have 1 host using 1 IP for the Internet and a different one for the DMZ. I try to keep 1-to-1 NAT, but then I do have a PAT address at the end for when all NAT addresses are exhausted. Plus we use VLANs internally and it makes it easier for reading logs, because we know which VLAN traffic came from. That's done simply by a:

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

To get from dmz1 to dmz2 (since dmz2 has higher security), you need a static NAT and a conduit/ACL.

For your last question, I don't have something like that set up, but since you're NATing to your public pool to get to your dmz1 anyway, the fact that it's a public IP shouldn't matter. You should go out as one of your publics to your statically mapped dmz1 addresses and it should work fine. I think.... :)

- John
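The two static forms in the reply (a 1-to-1 block mapping for dmz2 and an identity static for inside-to-dmz), worked through as an added example that is not part of the thread. It parses PIX-style static lines, rejects a block that does not line up with its netmask, and applies the security-level rule that lower-to-higher traffic needs a static plus an ACL/conduit; the security levels and the 203.0.113.0/24 block are assumptions for illustration.

```python
import ipaddress

# Assumed security levels for this illustration (PIX convention: outside=0, inside=100).
SECURITY_LEVELS = {"outside": 0, "dmz1": 50, "dmz2": 70, "inside": 100}

def parse_static(line):
    """Parse 'static (high_if,low_if) GLOBAL LOCAL netmask MASK 0 0'.
    strict=True makes ipaddress reject a block with host bits set, i.e. a block
    that does not line up with the netmask ("be sure the masks match")."""
    parts = line.split()
    if parts[0] != "static" or parts[4] != "netmask":
        raise ValueError(f"not a static command: {line}")
    high_if, low_if = parts[1].strip("()").split(",")
    mask = parts[5]
    return {
        "high": high_if,
        "low": low_if,
        "global": ipaddress.ip_network(f"{parts[2]}/{mask}", strict=True),
        "local": ipaddress.ip_network(f"{parts[3]}/{mask}", strict=True),
    }

def needs_static(src_if, dst_if):
    """Traffic from a lower to a higher security interface needs a static plus an ACL/conduit."""
    return SECURITY_LEVELS[src_if] < SECURITY_LEVELS[dst_if]

def translate(statics, src_if, dst_if, ip):
    """Return the address as seen on dst_if, or None if no static covers it.
    Outbound (high->low): local -> global. Inbound (low->high): global -> local.
    An identity static (global == local) leaves the address unchanged."""
    addr = ipaddress.ip_address(ip)
    for s in statics:
        if (s["high"], s["low"]) == (src_if, dst_if) and addr in s["local"]:
            offset = int(addr) - int(s["local"].network_address)
            return str(s["global"][offset])
        if (s["high"], s["low"]) == (dst_if, src_if) and addr in s["global"]:
            offset = int(addr) - int(s["global"].network_address)
            return str(s["local"][offset])
    return None

# Constructed statics modelled on the reply (203.0.113.0/24 is a documentation prefix).
STATICS = [parse_static(line) for line in [
    "static (dmz2,outside) 203.0.113.0 192.168.1.0 netmask 255.255.255.0 0 0",
    "static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0",
]]

if __name__ == "__main__":
    print(translate(STATICS, "dmz2", "outside", "192.168.1.52"))  # 203.0.113.52
    print(translate(STATICS, "outside", "dmz2", "203.0.113.1"))   # 192.168.1.1
    print(translate(STATICS, "inside", "dmz1", "10.1.2.3"))       # 10.1.2.3
    print(needs_static("dmz1", "dmz2"))                           # True
```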
