PIX 515E 6.3 NAT Question

paulstone80
Participant

Hi,

I'm having some issues trying to get connectivity from the inside to the DMZ on a PIX515 (6.3).

Here's the scenario (diagram attached).

Inside interface IP: 10.44.181.235/23

DMZ interface IP: 172.31.255.254/24

There is a server in the DMZ with an IP of 172.31.255.250.

The DMZ network routes are not to be published. To access the server, clients on the inside network must target an IP on the local subnet, which has been provided as 10.44.181.236, so a static NAT is required.

The internal networks must remain hidden from the server in the DMZ.

I think I'm approaching the NAT all wrong, but not sure what's the correct way to configure it.

Config below:

PIX Version 6.3(5)

interface ethernet0 auto shutdown

interface ethernet1 auto

interface ethernet2 auto

interface ethernet3 auto shutdown

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

nameif ethernet3 intf3 security6

nameif ethernet4 intf4 security8

nameif ethernet5 intf5 security10

hostname PIX01

names

access-list acl_dmz_in permit ip any any

access-list acl_dmz_in permit icmp any any

access-list acl_inside_in permit icmp any any

access-list acl_inside_in permit ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

no ip address outside

ip address inside 10.44.181.235 255.255.254.0

ip address dmz 172.31.255.254 255.255.255.0

no ip address intf3

no ip address intf4

no ip address intf5

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address dmz

no failover ip address intf3

no failover ip address intf4

no failover ip address intf5

pdm history enable

arp timeout 14400

static (dmz,inside) 10.44.181.236 172.31.255.250 netmask 255.255.255.255 0 0

access-group acl_inside_in in interface inside

access-group acl_dmz_in in interface dmz

route inside 0.0.0.0 0.0.0.0 10.44.180.250 1


Thanks,

Paul

HTH Paul ****Please rate useful posts****

Jouni Forss
Mentor

Hi,

The attachments aren't currently working on the forums for some reason. I wonder if you can just simply copy a screen capture of the picture and copy/paste it directly into the post/reply.

I guess if you are looking for an option to the above NAT you could consider Policy NAT

access-list DMZ-SERVER-POLICYNAT permit ip host 172.31.255.250 10.44.180.0 255.255.254.0

or

access-list DMZ-SERVER-POLICYNAT permit ip host 172.31.255.250 any

static (dmz,inside) 10.44.181.236 access-list DMZ-SERVER-POLICYNAT

I'm not 100% sure if it will work. Don't remember if the old software had its own limitations. Use them very rarely nowadays.

- Jouni

Hi Jouni,

Thanks for your feedback, the diagram was really just to illustrate what I wrote in the post.

I got the nat working from inside to dmz, by using:

global (dmz) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (dmz,inside) 10.44.181.236 172.31.255.250 netmask 255.255.255.255 0 0

I can ping 172.31.255.250 and it replies with 10.44.181.236, and I can also ping 10.44.181.236.

I haven't managed to get traffic that's initiated from the dmz to the inside to work yet.

Thanks,

Paul

HTH Paul ****Please rate useful posts****

Hi,

The configuration above that you bolded will only create a PAT translation for traffic entering from "inside" to "dmz". Traffic to the "dmz" server will be using the "dmz" interface IP address as the PAT address.

To my understanding the Policy NAT configuration I pasted above should work for both directions.

What it should do is:

  • When "dmz" host initiates connections to the network 10.44.180.0/23 it will translate to the specified IP address of 10.44.181.236
  • In the same way if a host on "inside" network 10.44.180.0/23 initiates connections towards the host address 10.44.181.236 it should forward the traffic to the "dmz" host.
  • So it should make it possible to initiate connections from either side. The ACL version (destination address/network(s) used) will specify for what traffic the Policy NAT applies.

At least that is how it should work to my understanding. If you happen to try the Policy NAT I would suggest removing the existing NAT.

If it doesn't work, possibly check "show xlate" to see if there is some old xlate still in use that needs to be cleared.

- Jouni
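As an added illustration, not from this thread or from Cisco, here is a constructed Python model of the PIX 6.3 translation lookup for the two configurations discussed above: Paul's plain static plus nat/global pair, and Jouni's policy static keyed on the DMZ-SERVER-POLICYNAT network. It assumes the interface ACLs pass everything (as the posted ones do), ignores ports and the xlate table, and shows why the inside-initiated ping works while a dmz-initiated connection to an inside host finds no translation to use, since the inside network is only PAT'd behind the dmz interface IP and deliberately has no static of its own on the dmz side.

```python
import ipaddress

# Constructed, simplified model of PIX 6.3 translation lookup for the thread's topology.
# Not PIX code: no ports, no xlate table, no ACL check (both ACLs in the thread permit ip any any).
SEC = {"inside": 100, "dmz": 50}

def make_rules(policy_net=None):
    """Translation table. policy_net (e.g. '10.44.180.0/23') models Jouni's
    'static (dmz,inside) 10.44.181.236 access-list DMZ-SERVER-POLICYNAT' instead of a plain static."""
    static = {"real_if": "dmz", "real": "172.31.255.250", "mapped_if": "inside",
              "mapped": "10.44.181.236",
              "policy": ipaddress.ip_network(policy_net) if policy_net else None}
    # nat (inside) 1 0.0.0.0 0.0.0.0 + global (dmz) 1 interface -> PAT behind the dmz interface IP
    dynamic = {("inside", "dmz"): "172.31.255.254"}
    return [static], dynamic

def translate(rules, in_if, out_if, src, dst):
    """Return (src', dst') as seen on out_if, or None when PIX 6.3 would drop the packet
    for lack of a translation ('no translation group found')."""
    statics, dynamic = rules
    def policy_ok(s, peer):  # a policy static applies only when the peer is in its ACL network
        return s["policy"] is None or ipaddress.ip_address(peer) in s["policy"]
    # Source side: does a static own this real address on the ingress interface?
    src_static = next((s for s in statics if s["real_if"] == in_if and s["mapped_if"] == out_if
                       and s["real"] == src and policy_ok(s, dst)), None)
    # Destination side: is dst the mapped address of a static whose real host sits on out_if?
    dst_static = next((s for s in statics if s["mapped_if"] == in_if and s["real_if"] == out_if
                       and s["mapped"] == dst and policy_ok(s, src)), None)
    if SEC[in_if] > SEC[out_if]:
        # Higher -> lower: source needs a static or a nat/global pair; dst is untranslated if static.
        if src_static:
            new_src = src_static["mapped"]
        elif (in_if, out_if) in dynamic:
            new_src = dynamic[(in_if, out_if)]
        else:
            return None
        return new_src, (dst_static["real"] if dst_static else dst)
    # Lower -> higher: the destination must be reachable through a static on the ingress side;
    # a dynamic PAT address (the dmz interface IP here) is never a valid inbound target.
    if dst_static is None:
        return None
    return (src_static["mapped"] if src_static else src), dst_static["real"]

if __name__ == "__main__":
    rules = make_rules()
    print(translate(rules, "inside", "dmz", "10.44.181.10", "10.44.181.236"))  # PAT + static, works
    print(translate(rules, "dmz", "inside", "172.31.255.250", "10.44.181.10"))  # None: inside host has no static on dmz
```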