08-12-2004 01:48 PM - edited 02-20-2020 11:34 PM
I'm grappling with the way Pix 6.3 handles NAT, since it doesn't accept Alias commands. Here's what I want to do. We have to roll out a bunch of firewalls with the same configuration, so we hope to use the same DMZ addresses on all of the firewalls, and just translate the hosts on those DMZs to unique Internal Addresses. i.e.
DMZ host = 192.168.133.3
Inside Net = 10.0.0.0
Pix Inside NIC = 10.201.24.210
I want to make an Alias/NAT for the DMZ host on the inside as 10.201.24.211 so that users on the inside will access the DMZ host by that NAT. How do I do this? Defining bi-directional NAT (if that's the proper usage) doesn't seem to work.
08-12-2004 05:12 PM
Can you be more specific as to what does not work? All you should need is a command like this:
static (dmz,inside) 10.201.24.211 192.168.133.3
This tells the PIX to take any packets received on his inside interface destined for 10.201.24.211 and put them on the dmz interface with the destination set to 192.168.133.3. Is this not what you are trying to do? I do believe you need at least 6.3 code for support of this feature.
Let me know.
Scott
08-12-2004 06:10 PM
I'm trying to get Terminal Services support set up such that administrators of the DMZ systems can make Windows Terminal Session connections to the DMZ servers. Since I'm using the same network addresses for multiple DMZs, I figured I could just mask those DMZs by using NAT of the DMZ address (192.168.133.3) to a specific address on the inside network (10.201.24.211). When I create the rule, I get a log entry that says "access denied, no XLATE for host 10.201.24.211."
08-24-2004 01:57 PM
Scott,
You just helped me on a very similar issue. :) Thanks.