Pix communicate DMZ to inside

akblackwel · ‎02-17-2012

I'm trying to communicate on port 53 (doman/DNS) from my DMZ to the inside interface. I's just not working. I've even been on the phone with cisco and he can't get it to work.

Right now I'm trying to verify two things.

1. When i do a packet trace, it stops on NAT

Type -

NAT

Subtype -

rpf-check

Action -

DROP

Show rule in NAT Rules table.

Config

nat (inside) 1 192.168.199.0 255.255.255.0
nat-control
match                  ip inside 192.168.199.0 255.255.255.0 DMZ any
dynamic                  translation to pool 1 (192.168.200.100 - 192.168.200.200)
translate_hits                  = 0, untranslate_hits = 0

Then I click on Show rule in NAT Rules table it goes to

Type Source (Translated) Interface Address

6 Dynamic 192.168.199.0/24 DMZ 192.168.200.100-192.168.200.200

Which leads me to problem #2

2. Cisco has documantation on their web site for configuring Inside/DMZ to Internet and it's isn't configured this way.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml

Theres a picture of the map and commands, but the way they implemet it is

ASA-AIP-CLI(config)# nat (inside) 1 172.20.1.0 255.255.255.0 (LAN)

ASA-AIP-CLI(config)# nat (inside) 1 192.168.1.0 255.255.255.0 (DMZ)

ASA-AIP-CLI(config)# global (Outside) 1 interface

I spoke with a cisco tech about the difference and he says the document is wrong and mapping the nat DMZ to the inside wont work.

Would cisco publish a document that is completely wrong? Is he right or is the document right?

Thanks

cadet alain · ‎02-17-2012

Hi,

so you have a DNS server in DMZ and you want to communicate from inside to this server ?

just simply do this:I suppose that dmz security level is lower than inside

nat(inside) 2 192.168.199.0 255.255.255.0

global(dmz) 2 interface

Regards.

Alain

Don't forget to rate helpful posts.