05-11-2007 06:46 AM - edited 03-11-2019 03:12 AM
I have a 515e, 6.3(4) with an internal interface and a DMZ. The DMZ interface is 10.0.20.1 and the outside interface is 69.xxx.yyy.188/28
I have setup a web server which is currently the only device in the DMZ. I need to make a static mapping to this box but for some reason I just can't get it to work. The web server's local address is 10.0.20.100 and the public address that I need to statically map it to is 69.xxx.yyy.187/28
Here's my config so far:
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 69.xxx.yyy.188 255.255.255.240
ip address inside 192.168.20.1 255.255.255.0
ip address dmz 10.0.20.1 255.255.255.0
access-list dmz_in permit ip any any
access-list outside_in permit ip host 69.xxx.yyy.187 any
global (outside) 1 interface
global (dmz) 1 10.0.20.110-10.0.20.120
nat (inside) 1 Inside_LAN 255.255.255.0 0 0
nat (dmz) 1 dmz 255.255.255.0 0 0
static (outside,dmz) 10.0.20.100 69.xxx.yyy.187 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group dmz_in in interface dmz
I have the access-lists open for troubleshooting purposes... The global (dmz) statement is temporary so that I can access the DMZ from my inside network.
Any help would be greatly appreciated.
Thanks,
Paul
05-11-2007 07:07 AM
Paul
You need to make the static mapping from the high security to low security interface:
i.e.
static (dmz,outside) 69.xx.yy.187 10.0.20.100 netmask 255.255.255.255
As you are allowing access from a low to high security interface you need an acl which should go as follows:
access-list outside_in permit ip any host 69.xx.yy.187
Above allows access from any ip to your web server.
Regds
05-11-2007 07:20 AM
Thanks for the reply-
I actually got that line wrong in my posting. I do have static (dmz,outside) and not the other way around.
I did change my access list, as you were correct with that, but it still does not work. The access-list doesn't show any hits, either.
Any other suggestions?
Thanks,
Paul
05-11-2007 07:29 AM
Post your new config.
05-11-2007 07:37 AM
Here is the newer config:
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 69.xxx.yyy.188 255.255.255.240
ip address inside 192.168.20.1 255.255.255.0
ip address dmz 10.0.20.1 255.255.255.0
access-list dmz_in permit ip any any
access-list outside_in permit ip any host 69.xxx.yyy.187
global (outside) 1 interface
global (dmz) 1 10.0.20.110-10.0.20.120
nat (inside) 1 Inside_LAN 255.255.255.0 0 0
nat (dmz) 1 dmz 255.255.255.0 0 0
static (dmz,outside) 69.xxx.yyy.187 10.0.20.100 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group dmz_in in interface dmz
05-11-2007 07:51 AM
Nothing wrong there, clear xlate?
05-11-2007 07:55 AM
Did it. Still no dice. That's why I'm so confused!
05-11-2007 08:26 AM
Have you tried using the interface IP instead, just to see if that works?
access-list outside_in permit ip any interface outside
static (dmz,outside) interface 10.0.20.100 netmask 255.255.255.255 0 0
05-11-2007 08:33 AM
This PIX is actually in production right now, and there's no chance that I can do that, at least during business hours...
P
05-11-2007 08:51 AM
You are trying to hit 69.xxx.yyy.187 from outside the firewall right?
05-11-2007 09:22 AM
Yes. I'm not THAT much of a newbie!
When inside of the network, however, I notice that as soon as I put in the static command the server loses internet access. It works fine with PAT, but of course then it isn't accessible from the outside.
05-11-2007 09:26 AM
Haha, no offense, you never know who you're dealing with. There was a similar post here within the last few days. I believe it was an ARP issue on the ISP router. Something to consider.
05-11-2007 09:40 AM
Hi
It shouldn't make a difference, but you do have overlapping NAT statements, i.e.:
global (outside) 1 interface
nat (dmz) 1 dmz 255.255.255.0 0 0
static (dmz,outside) 69.xxx.yyy.187 10.0.20.100 netmask 255.255.255.255 0 0
If the web server is the only device in the DMZ, could you not just remove your
nat (dmz) 1 dmz 255.255.255.0 0 0 statement?
Jon
05-11-2007 09:59 AM
Yeah, I know. I had that there because if I remove the static statement then I can get internet access on the box.
One thing that I just noticed - not sure if it makes a difference - on my internet router, if I do a sh ip arp, I see the ARP entry for .187 as incomplete.
Any thoughts?
05-11-2007 12:19 PM
Mr. Comiskey-
Thanks for all of your help. You actually pointed me in the right direction to find the answer: The other guy that had this issue fixed it by turning on proxyarp. Worked for me too.
no sysopt noproxyarp outside
There it was, all along.
Thanks, guys
Paul
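As an added example (not from this thread or from Cisco): a small Python lint that parses the NAT-relevant lines of a PIX 6.x config and flags the three things raised above: a static whose interfaces are reversed, a static host that is also covered by a dynamic nat/global pair, and sysopt noproxyarp on the mapped interface. The sample config is constructed (203.0.113.0/24 stands in for the masked 69.xxx.yyy block) and the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the thread's final config (203.0.113.x replaces the masked
# public block) plus the sysopt line that the thread's fix removed.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
sysopt noproxyarp outside
access-list outside_in permit ip any host 203.0.113.187
global (outside) 1 interface
nat (dmz) 1 10.0.20.0 255.255.255.0 0 0
static (dmz,outside) 203.0.113.187 10.0.20.100 netmask 255.255.255.255 0 0
"""

def _net(addr, mask):
    """Parse 'addr mask' into a network; None when addr is an unresolved 'name' object."""
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:
        return None

def parse_config(text):
    """Collect the NAT-relevant statements of a PIX 6.x config into a dict."""
    cfg = {"security": {}, "nat": [], "global": [], "static": [], "noproxyarp": set()}
    for line in text.splitlines():
        if (m := re.match(r"nameif \S+ (\S+) security(\d+)", line)):
            cfg["security"][m[1]] = int(m[2])
        elif (m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line)):
            cfg["nat"].append((m[1], int(m[2]), _net(m[3], m[4])))
        elif (m := re.match(r"global \((\S+)\) (\d+)", line)):
            cfg["global"].append((m[1], int(m[2])))
        elif (m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", line)):
            cfg["static"].append(m.groups())  # (real_if, mapped_if, mapped_ip, real_ip)
        elif (m := re.match(r"sysopt noproxyarp (\S+)", line)):
            cfg["noproxyarp"].add(m[1])
    return cfg

def lint(cfg):
    """Flag the three problems discussed in the thread for each static translation."""
    findings, sec = [], cfg["security"]
    for real_if, mapped_if, mapped_ip, real_ip in cfg["static"]:
        if sec.get(real_if, 0) <= sec.get(mapped_if, 0):
            findings.append(f"static ({real_if},{mapped_if}): interfaces reversed, first must be the real (higher-security) side")
        host = _net(real_ip, "255.255.255.255")
        for nat_if, nat_id, net in cfg["nat"]:  # dynamic NAT on the same host with a global on the mapped side
            if nat_if == real_if and net and host and host.network_address in net and (mapped_if, nat_id) in cfg["global"]:
                findings.append(f"{real_ip}: covered by both static and nat ({nat_if}) {nat_id} / global ({mapped_if}) {nat_id}")
        if mapped_if in cfg["noproxyarp"]:
            findings.append(f"{mapped_ip}: proxy ARP off on {mapped_if}, upstream router will see ARP incomplete for it")
    return findings
```

Running lint(parse_config(SAMPLE_CONFIG)) reports the nat/global overlap and the disabled proxy ARP; removing the sysopt and nat (dmz) lines clears both.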