Host on DMZ with Public IP - Advice Please.

Purist1972 · ‎01-15-2007

I would be grateful if anyone can enlighten me with regards to placing a server with a public IP within a DMZ on a PIX.

I am relatively familar with static translations, those mapping public IPs to internal hosts but I have never had a host within a DMZ with a public IP.

I used the command;

static (dmz1,outside) 82.7.58.234 82.7.56.234 netmask 255.255.255.255

combined with an ACL on the outside interface to allow connections in.

However after doing this the server does not seem reachable. The DMZ interface IP is 172.25.1.1 and I am scratching my head as to whether it is routing.

I was expecting the PIX to have the intelligence to know that the server was on the DMZ due to the static statement and just map straight to it - maybe I am wrong??

Is there anything else I need to add ? Do I need to 'nat (dmz1) 0 82.7.58.234' ?

Collin Clark · ‎01-15-2007

With the static you have in place, your routing the IP, not translating it. Since the server has an IP of 172.25.1.1, you'll need a different translation.

static (dmz1,outside) 82.7.58.234 172.25.1.1 netmask 255.255.255.255

HTH and please rate.

gecko2207 · ‎01-15-2007

So I am unclear here. Are you trying to static a public address to another public address?

In my experience, I would put the host on the DMZ network (say 172.25.1.100) and then static to that (ie. static (dmz1,outside) 82.7.58.234 172.25.1.100 netmask 255.255.255.255 ) then you could do nat (dmz1) 1 0.0.0.0 0.0.0.0

Hope this helps,

Brandon

sundar.palaniappan · ‎01-15-2007

Donald,

You need to do something like Brandon suggested above. Firewall aside, you can't have a device on a subnet that's different from the gateway's (fw) subnet as they can't talk to each other. Hence, your server can't be on a public NET while the DMZ subnet, the server physically resides on, is on a private NET as it would break IP communication between the firewall and the server.

HTH

Sundar