Re: PIX DMZ access to public translations?

jrahm · ‎03-13-2006

I'm trying to setup a DMZ host to have access to a public interface translation for a host in another DMZ. Is this possible on PIX? For example:

public IP for dmz_b host 192.168.1.5

dmz_a host 10.1.1.5

dmz_b host 10.1.2.5

I'd like to configre dmz_a host to access dmz_b host's public IP of 192.168.1.5.

THanks.

aashish.c · ‎03-13-2006

Hi

you need to use alias command to achieve this, the syntax would be :

alias(interface) dnat_ip actual_ip

eg. : alias(dmz_a) 192.168.1.5 10.1.1.5

"dmz_a" is the interface where requests are coming from source to access the destination host i.e. "b".

alias command would stop your PDM, incase you are using it.

regards

aashish C

johansens · ‎03-14-2006

Hi there,

There are several solutions to this problem depending on which version of PIX OS you are using and whether nat-control and/or same-security-traffic is used.. here are some possibilites:

Given that DMZ-A has a lower security level than DMZ-B:

static (DMZ-B,DMZ-A) 192.168.1.5 10.1.2.5 netmask 255.255.255.255

Or this one if DMZ-A is on a higher security level than DMZ-B:

alias (DMZ-A) 192.168.1.5 10.1.2.5 255.255.255.255

Also see these links:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

http://www.ciscotaccc.com/security/showcase?case=K81837729

Did it help? If so, please rate it.

jrahm · ‎03-14-2006

Thank you both for your responses, I'll get in the lab sometime today to test.