PIX configuration Inside-DMZ without NAT

ramiro
Level 1

Hi.

I have two PCs, one located in a DMZ and the other in the inside network. Both must communicate bidirectionally across specific ports, but I want to disable NAT between them since I am handling an administrative application and it does not work with NAT. The DMZ and the inside network have different IP addressing schemes.

Thanks in advance.

R.@.M.

5 Replies

tohuang
Level 1

Hi,

You probably want to try

static (inside,dmz) x.x.x.x x.x.x.x netmask 255.255.255.255

where x.x.x.x is ip address for pc on inside.

assume y.y.y.y is the ip for pc on dmz,

there is no problem for x.x.x.x to access y.y.y.y,

but you do need to add the permission for y.y.y.y to access x.x.x.x (access list or conduit).

I hope this will help.

Tony

Hi Tony. Thanks for your response.

Then I do not need to configure "nat (inside) 0"?

Thanks again.

R.@.M.

Hi,

nat (inside) 0 will only allow one-way communication, i.e. from inside -> DMZ.

With static (in,out) xxx xxx you can have bidirectional communication.

Regards,

Nadeem

OK, I understand. Then I might do this:

static (inside,dmz) 192.168.2.11 192.168.2.11 netmask 255.255.255.255

access-list dmz permit tcp host 172.31.4.20 host 192.168.2.11 eq

Is that right?

R.@.M.

Hi,

Yes, that is correct. However, you pretty much have to apply this list to the dmz interface. Remember that there is always "deny ip any any" at the end of every access list,

which will deny the traffic going from dmz to outside. You want to be careful about this.

If you are not using PDM, since this is a non-routable address, you can also use a conduit statement.

I hope this helps.

Thanks

Tony
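The pieces discussed in this thread assembled into one PIX 6.x configuration fragment. This is an added example, not configuration posted by anyone in the thread. It keeps the addresses used above (192.168.2.11 on inside, 172.31.4.20 on dmz) and assumes tcp/8443 as a placeholder application port, since the thread never names the port; the access-group line, the explicit deny, and the dmz-to-outside permits are assumptions about the rest of the firewall, added to show how to avoid the implicit "deny ip any any" problem Tony warns about.

```text
! Identity static: the inside host is presented to the dmz with its real
! address, so no translation takes place for inside<->dmz traffic to it.
static (inside,dmz) 192.168.2.11 192.168.2.11 netmask 255.255.255.255

! dmz -> inside: only the application port, only between the two hosts.
! tcp/8443 is a placeholder (assumption); substitute the real port(s).
access-list dmz permit tcp host 172.31.4.20 host 192.168.2.11 eq 8443

! Explicitly drop anything else from the dmz towards the inside network
! before the broader permits below, so the dmz cannot reach other inside hosts.
access-list dmz deny ip any 192.168.2.0 255.255.255.0

! Every PIX access list ends in an implicit "deny ip any any". Without
! entries like these, applying the list would also cut the dmz off from
! the outside. Which ports you permit here is site-specific (assumption).
access-list dmz permit tcp 172.31.4.0 255.255.255.0 any eq 80
access-list dmz permit tcp 172.31.4.0 255.255.255.0 any eq 443

! Bind the list to the dmz interface, inbound (traffic sourced on the dmz).
access-group dmz in interface dmz

! inside -> dmz needs no access-list entry: traffic from a higher to a
! lower security interface is permitted once a translation (here the
! identity static) exists, and return traffic rides the connection state.
```

After applying it, `show xlate` should list the identity entry for 192.168.2.11, and `show access-list dmz` shows per-line hit counts, which is the quickest way to confirm the application traffic is matching the intended permit rather than falling through to the implicit deny.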
