10-30-2006 01:42 AM - edited 02-21-2020 01:16 AM
Hi Everyone,
I currently have a PIX separating the DMZ, Inside and Outside networks. I have a solution to implement where 2 servers are to be connected to the DMZ and 1 server connected to the internal LAN. Once connected, these servers cannot talk to each other. I have noticed in the old config that there are no NAT statements for DMZ machines talking to the inside network. There is a global NAT pool allowing up to 10 translations between internal and DMZ addresses, so this will take care of the traffic one way, but obviously not the other.
This is the proposal for my NAT configuration:
Global (outside) 1 1.1.1.10-1.1.1.20 netmask 255.255.255.192
Global (outside) 1.1.1.21 netmask 255.255.255.192
Static (dmz,inside) 10.0.0.52 10.1.0.52 netmask 255.255.255.0
Static (inside,dmz) 10.1.0.27 10.0.0.27 netmask 255.255.255.0
Static (inside,dmz) 10.1.0.31 10.0.0.31 netmask 255.255.255.0
Now as long as the traffic is permitted within the corresponding ACLs on the inside and DMZ interfaces, these servers should be able to communicate?
Could you please let me know if I am missing anything at all?
Many thanks,
Dan
10-30-2006 05:11 AM
I assumed the IP Addresses for your servers, instead of your network/subnet segment/ID:
DMZ Server: 10.0.0.52
Internal server#1: 10.1.0.27
Internal server#2: 10.1.0.31
What you need to do in order to specifically allow the DMZ server and 2 Internal servers to communicate is as follows:
Static (inside,dmz) 10.1.0.27 10.0.0.27 netmask 255.255.255.255
Static (inside,dmz) 10.1.0.31 10.0.0.31 netmask 255.255.255.255
This will be sufficient to allow Internal servers and DMZ server to talk to each other.
Remove the following line:
Static (dmz,inside) 10.0.0.52 10.1.0.52 netmask 255.255.255.0
If you have ACLs on both interfaces, make sure you allow the appropriate port(s) to pass through. Else, create a test ACL that permits everything first before narrowing it down to specific port(s).
BTW, both 'global' parameters are good to allow either DMZ or Internal hosts to go out to internet/external network. I assumed you have 'nat' statement associated with the Global statements.
HTH
AK
10-30-2006 06:02 AM
Hi AK, and thanks for your response.
I have the following NAT statements.
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
nat (dmz) 1 10.1.0.0 255.255.255.0 0 0
Currently my ACL's for inside and DMZ are permitting everything through, and these will be made more specific once I have identified what traffic is needed.
You said remove the following line:
Static (dmz,inside) 10.0.0.52 10.1.0.52 netmask 255.255.255.0
Is this not needed due to the security values on the interfaces?
Many thanks,
Dan
10-30-2006 07:02 AM
You can create a static that allows the DMZ network to communicate with the inside network without translation for the entire network, doing this:
pix(config)#static (inside,dmz) 1.1.1.0 1.1.1.0
Where 1.1.1.0 is the inside network.
It should work once the access-list allows it.
10-30-2006 07:44 AM
Daniel,
The nat/global pair looks ok.
Based on the nat statements, looks like your internal network is running on 10.0.0.0/24, while DMZ is 10.1.0.0/24. But based on your static commands, it was the other way round. What's your inside and DMZ interface IP Addresses?
Referring to your first post combined with the above, your nat/global/static config should be as follows:
Global (outside) 1 1.1.1.10-1.1.1.20 netmask 255.255.255.192
Global (outside) 1.1.1.21 netmask 255.255.255.192
nat (inside) 1 10.0.0.0 255.255.255.0 0 0 -------> inside segment - 10.0.0.0/24
nat (dmz) 1 10.1.0.0 255.255.255.0 0 0 ---------> DMZ - 10.1.0.0/24
I have just tested your config, and it should work as follows:
* ACL test for dmz-to-inside using telnet & ping
access-list inside1 permit icmp any any
access-list inside1 permit tcp host 10.0.0.52 host 10.1.0.27 eq telnet
access-list inside1 permit tcp host 10.0.0.52 host 10.1.0.31 eq telnet
access-list dmz1 permit icmp host 10.1.0.27 host 10.0.0.52
access-list dmz1 permit icmp host 10.1.0.31 host 10.0.0.52
access-list dmz1 permit tcp host 10.1.0.27 host 10.0.0.52 eq telnet
access-list dmz1 permit tcp host 10.1.0.31 host 10.0.0.52 eq telnet
global (outside) 1 1.1.1.10-1.1.1.20 netmask 255.255.255.192
global (outside) 1 1.1.1.21 netmask 255.255.255.192
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
nat (dmz) 1 10.1.0.0 255.255.255.0 0 0
static (inside,dmz) 10.0.0.52 10.0.0.52 netmask 255.255.255.255 0 0 *
access-group inside1 in interface inside
access-group dmz1 in interface dmz
* also works with "static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0" as the ACL will control the access.
HTH
AK
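As an added illustration (my own code, not from the thread or from Cisco), the following Python models the two conditions AK's tested config relies on: the ingress ACL must permit the flow, and a static on (inside,dmz) must cover the higher-security host before the DMZ side can initiate to it. The config text is copied from AK's test; the security levels (inside=100, dmz=50, outside=0) and the simplified forwarding logic are assumptions of the model.

```python
import ipaddress
# Security levels assumed for the model: inside=100 and outside=0 are PIX defaults, dmz=50 is an assumption.
SEC, PORTS = {"inside": 100, "dmz": 50, "outside": 0}, {"telnet": 23}
# Constructed sample: the config AK reports testing (inside host 10.0.0.52, DMZ hosts 10.1.0.27/.31).
CONFIG = """\
access-list inside1 permit icmp any any
access-list inside1 permit tcp host 10.0.0.52 host 10.1.0.27 eq telnet
access-list inside1 permit tcp host 10.0.0.52 host 10.1.0.31 eq telnet
access-list dmz1 permit icmp host 10.1.0.27 host 10.0.0.52
access-list dmz1 permit icmp host 10.1.0.31 host 10.0.0.52
access-list dmz1 permit tcp host 10.1.0.27 host 10.0.0.52 eq telnet
access-list dmz1 permit tcp host 10.1.0.31 host 10.0.0.52 eq telnet
static (inside,dmz) 10.0.0.52 10.0.0.52 netmask 255.255.255.255 0 0
access-group inside1 in interface inside
access-group dmz1 in interface dmz"""
# The same config minus the static: the ACL alone must not open dmz -> inside.
NO_STATIC = "\n".join(l for l in CONFIG.splitlines() if not l.startswith("static"))
def parse(text):
    """Return (acls by name, statics as (high_if, low_if, mapped_net), access-group by interface)."""
    acls, statics, groups = {}, [], {}
    for t in (line.split() for line in text.splitlines()):
        if t[0] == "access-list":
            acls.setdefault(t[1], []).append(t[2:])
        elif t[0] == "static":  # static (high,low) MAPPED REAL netmask MASK ...
            high, low = t[1].strip("()").split(",")
            statics.append((high, low, ipaddress.ip_network(f"{t[2]}/{t[5]}", strict=False)))
        elif t[0] == "access-group":  # access-group NAME in interface IFACE
            groups[t[4]] = t[1]
    return acls, statics, groups

def _addr(tok, ip):  # one ACL address field ('any' or 'host X') -> (matched, remaining tokens)
    return (True, tok[1:]) if tok[0] == "any" else (ip == tok[1], tok[2:])

def _acl_permits(entries, proto, src, dst, port):
    for e in entries:  # e = [permit|deny, proto, <src field>, <dst field>, [eq PORT]]
        ok_s, rest = _addr(e[2:], src)
        ok_d, rest = _addr(rest, dst)
        port_ok = not rest or (rest[0] == "eq" and int(PORTS.get(rest[1], rest[1])) == port)
        if e[0] == "permit" and e[1] == proto and ok_s and ok_d and port_ok:
            return True
    return False

def can_reach(cfg, src_if, src, dst_if, dst, proto, port=None):
    """Simplified PIX 6.x check: ingress ACL permits (no ACL: only high->low) AND a static covers the high host."""
    acls, statics, groups = cfg
    permitted = (_acl_permits(acls[groups[src_if]], proto, src, dst, port) if src_if in groups
                 else SEC[src_if] > SEC[dst_if])
    high_if, high_ip = (src_if, src) if SEC[src_if] > SEC[dst_if] else (dst_if, dst)
    low_if = dst_if if high_if == src_if else src_if
    return permitted and any(h == high_if and l == low_if and ipaddress.ip_address(high_ip) in net
                             for h, l, net in statics)
```

Running `can_reach(parse(NO_STATIC), "dmz", "10.1.0.27", "inside", "10.0.0.52", "tcp", 23)` returns False even though dmz1 permits the telnet flow, which is why the static is required; with the /24 identity static AK mentions, other inside hosts would also be covered.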