11-25-2002 03:00 AM - edited 02-20-2020 10:23 PM
Hello,
I have a customer with the following conditions:
Internet..
DMZ with 172.18.x.x
LAN with 10.x.x.x
There is a proxy in the DMZ 172.x.x.x. The proxy sees all clients with the DMZ interface address. The guys who configure the PIX say it comes from NAT and they cannot handle this.
So my question: can they use a kind of "NAT outside" instead of "NAT inside"?
So that networks 10.x and 172.x are not NATed, but everything by outside...
Thanks Robert
11-25-2002 06:46 AM
You can use a static command to create a 1-1 static address mapping with the inside address the same as the address on the DMZ. You are probably using a global command and a nat statement. You can use the static command and map 10.xx.xx.xx to 10.xx.xx.xx from inside to dmz instead.
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
You will need to remove or change the nat statement.
Here are the docs on the static statement.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/commands.htm#xtocid76
11-25-2002 06:54 AM
What you can do is disable the NAT translation from the inside to the DMZ. Then the proxy server will see the real addresses of the inside clients.
access-list no_nat permit ip 10.x.x.x 255.0.0.0 172.18.x.x 255.255.0.0
nat (inside) 0 access-list no_nat
Kind Regards,
Tom
11-25-2002 07:04 AM
This Cisco document describes how to disable NATing between two networks using an access-list that specifies the traffic that should not be NATed:
http://www.cisco.com/warp/public/110/19.html#fourth
Kind Regards,
Tom