cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1241
Views
0
Helpful
14
Replies

PIX 515e Static NAT/DMZ Issue

pstebner1
Level 1
Level 1

I have a 515e, 6.3(4) with an internal interface and a DMZ. The DMZ interface is 10.0.20.1 and the outside interface is 69.xxx.yyy.188/28

I have setup a web server which is currently the only device in the DMZ. I need to make a static mapping to this box but for some reason I just can't get it to work. The web server's local address is 10.0.20.100 and the public address that I need to statically map it to is 69.xxx.yyy.187/28

Here's my config so far:

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

ip address outside 69.xxx.yyy.188 255.255.255.240

ip address inside 192.168.20.1 255.255.255.0

ip address dmz 10.0.20.1 255.255.255.0

access-list dmz_in permit ip any any

access-list outside_in permit ip host 69.xxx.yyy.187 any

global (outside) 1 interface

global (dmz) 1 10.0.20.110-10.0.20.120

nat (inside) 1 Inside_LAN 255.255.255.0 0 0

nat (dmz) 1 dmz 255.255.255.0 0 0

static (outside,dmz) 10.0.20.100 69.xxx.yyy.187 netmask 255.255.255.255 0 0

access-group outside_in in interface outside

access-group dmz_in in interface dmz

I have the access-lists open for troubleshooting purposes... The global (dmz) statement is temporary so that I can access the DMZ from my inside network.

Any help would be greatly appreciated.

Thanks,

Paul

1 Accepted Solution

Accepted Solutions

Haha, no offense you never know who you're dealing with. There was a similar post here within the last few days. I believe it was an arp issue on the isp router. Something to consider.

View solution in original post

14 Replies 14

PDEdwards
Level 1
Level 1

Paul

You need to make the static mapping from the high security to low security interface:

i.e

static (dmz,outside) 69.xx.yy.187 10.0.20.100 netmask 255.255.255.255

As you are allowing access from a low to high security interface you need an acl which should go as follows:

access-list outside_in permit ip any host 69.xx.yy/187

Above allows access from any ip to your web server.

Regds

Thanks for the reply-

I actually got that line wrong in my posting. I do have static (dmz,outside) and not the other way around.

I did change my access list, as you were correct with that, but it still does not work. The access-list doesn't show any hits, either.

Any other suggestions?

Thanks,

Paul

Post you new config.

Here is the newer config:

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

ip address outside 69.xxx.yyy.188 255.255.255.240

ip address inside 192.168.20.1 255.255.255.0

ip address dmz 10.0.20.1 255.255.255.0

access-list dmz_in permit ip any any

access-list outside_in permit ip any host 69.xxx.yyy.187

global (outside) 1 interface

global (dmz) 1 10.0.20.110-10.0.20.120

nat (inside) 1 Inside_LAN 255.255.255.0 0 0

nat (dmz) 1 dmz 255.255.255.0 0 0

static (dmz,outside) 69.xxx.yyy.187 10.0.20.100 netmask 255.255.255.255 0 0

access-group outside_in in interface outside

access-group dmz_in in interface dmz

Nothing wrong there, clear xlate?

Did it. Still no dice. That's why I'm so confused!

Have you tried using the interface ip instead just to see if that works.

access-list outside_in permit ip any interface outside

static (dmz,outside) interface 10.0.20.100 netmask 255.255.255.255 0 0

This PIX is actually in production right now, and there's no chance that I can do that, at least during business hours...

P

You are trying to hit 69.xxx.yyy.187 from outside the firewall right?

Yes. I'm not THAT much of a newbie!

When inside of the network, however, I notice that as soon as I put in the static command the server loses internet access. It works fine with PAT, but of course then it isn't accessible from the outside.

Haha, no offense you never know who you're dealing with. There was a similar post here within the last few days. I believe it was an arp issue on the isp router. Something to consider.

Hi

It shouldn't make a difference but you do have overlapping NAT statements ie

global (outside) 1 interface

nat (dmz) 1 dmz 255.255.255.0 0 0

static (dmz,outside) 69.xxx.yyy.187 10.0.20.100 netmask 255.255.255.255 0 0

If the web server is the only device in the DMZ could you not just remove your

nat(dmz) 1 dmz 255.255.255.0 0 0 statement.

Jon

Yeah, I know. I had that there because if I remove the static statement then I can get internet access on the box.

One thing that I just noticed - not sure if it makes a difference - on my internet router if I do a sh ip arp I see the arp from .187 as being incomplete.

Any thoughts?

Mr. Comiskey-

Thanks for all of your help. You actually pointed me in the right direction to find the answer: The other guy that had this issue fixed it by turning on proxyarp. Worked for me too.

no sysopt noproxyarp outside

There it was, all along.

Thanks, guys

Paul

Review Cisco Networking for a $25 gift card