PIX inside to DMZ access and NAT questions

wilson_1234_2
Level 3

I hope this is enough information to answer these questions:

Say I have a a mail server on the inside interface(10.1.10.1) and it is required to relay to a server on the DMZ interface (192.168.1.1).

With the below config parameters, is the following true:

1. The inside network is going to NAT anything from the inside network to the 192.168.1.254 address.

2. Everything inbound to the DMZ server from the Inside interface will look like it is coming from the 192.168.1.254 address.

3. All traffic originating from the DMZ server will send to the 192.168.1.254 address.

4. The access list DMZ is not needed in this case to allow traffic to host 10.1.10.1.

global (DMZ) 1 192.168.1.254

nat (inside) 0 access-list NO_NAT

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-list dmz permit tcp host 192.168.1.1 host 10.1.10.1

access-list dmz permit udp host 192.168.1.1 host 10.1.10.1

access-list NO_NAT permit ip host 10.1.10.1 host 192.168.1.1

access-list inside permit tcp host 10.1.10.1 host 192.168.1.1 eq smtp


I don't think in this whole thread you've really said what you want to accomplish when this is done.

I was just trying to understand what the different config lines are doing

I think the communication was working fine before which was:

Inside server 10.1.10.1 can access DMZ server 192.168.1.1.

And DMZ server can initiate communication to inside server.

It was working before the PIX guy put in the NAT exemption.

I was just trying to understand the logic of what each line is doing and why it was put there, that's all.

Ah ok, wasn't sure if it was working or not. You can remove the nat exemption as the static command is doing the same thing.

So, the NAT exemption is doing nothing because the static is taking precedence?

I appreciate the explanations

No, the static is doing nothing as the NAT exemption is #1 in priority. But if you removed the NAT exemption the static would take its place. Sorry for the confusion.

1. nat 0 access-list (NAT exemption)

2. static (static NAT)

3. static {tcp | udp} (static PAT)

4. nat nat_id access-list (policy NAT)

5. nat (regular NAT)

Thanks,
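To make the precedence list above concrete, here is a small added model (not Cisco's code, and not anything posted in this thread) that applies the five-level order to the thread's own rules and reports which rule wins for a given inside-to-DMZ flow and what source address the DMZ host sees. The static command was never shown in the thread, so it is assumed here to be an identity static for 10.1.10.1.

```python
from ipaddress import ip_address, ip_network

# Precedence exactly as listed above: the lower number wins when several rules match.
PRECEDENCE = {"nat0_acl": 1, "static": 2, "static_pat": 3, "policy_nat": 4, "nat": 5}

class NatRule:
    """One PIX translation rule: which real source/destination it covers and
    what the source becomes. translated=None means 'leave the address alone'."""
    def __init__(self, kind, src, dst="0.0.0.0/0", translated=None, label=""):
        self.kind = kind
        self.src = ip_network(src)
        self.dst = ip_network(dst)
        self.translated = translated
        self.label = label

    def matches(self, src_ip, dst_ip):
        return src_ip in self.src and dst_ip in self.dst

def winning_rule(rules, src_ip, dst_ip):
    """Return the highest-priority rule covering this inside->DMZ flow, or None."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    hits = [r for r in rules if r.matches(s, d)]
    return min(hits, key=lambda r: PRECEDENCE[r.kind]) if hits else None

def translate_source(rules, src_ip, dst_ip):
    """(rule label, source address the DMZ host will see), or (None, None)
    when no translation rule covers the flow at all."""
    rule = winning_rule(rules, src_ip, dst_ip)
    if rule is None:
        return None, None
    return rule.label, (rule.translated or src_ip)

# Rules taken from the thread's config. The 'static' is NOT shown in the thread;
# it is an assumption here (identity static for 10.1.10.1).
THREAD_RULES = [
    NatRule("nat0_acl", "10.1.10.1/32", "192.168.1.1/32",
            label="nat (inside) 0 access-list NO_NAT"),
    NatRule("static", "10.1.10.1/32", translated="10.1.10.1",
            label="static (assumed identity for 10.1.10.1)"),
    NatRule("nat", "0.0.0.0/0", translated="192.168.1.254",
            label="nat (inside) 1 0.0.0.0 0.0.0.0 -> global (DMZ) 1 192.168.1.254"),
]

if __name__ == "__main__":
    # Mail relay flow: the exemption wins, source stays 10.1.10.1.
    print(translate_source(THREAD_RULES, "10.1.10.1", "192.168.1.1"))
    # Same flow with the exemption removed: the static takes its place.
    without_nat0 = [r for r in THREAD_RULES if r.kind != "nat0_acl"]
    print(translate_source(without_nat0, "10.1.10.1", "192.168.1.1"))
    # Any other inside host: regular NAT, the DMZ server sees 192.168.1.254.
    print(translate_source(THREAD_RULES, "10.1.10.7", "192.168.1.1"))
```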

And they are accomplishing the same thing correct?

So actually adding the exemption has no effect

Hey acomiskey,

I could use your help with a CSS scenario

Maybe tomorrow, I've had enough for one day..haha.

I think we are both in the same boat on the CSS, I will be attempting to convert to Zone based dns soon, so we can probably help each other. Thanks for all the ratings by the way, it's good to see someone acknowledging when you're getting helped.

You are very welcome, you deserve it

you don't know how much I appreciate your help and this forum.

I agree tomorrow

Thanks duder

sudeeptham
Level 1

I found an interesting blog post referring to this issue. Please follow the link http://blog.athenasecurity.net/2010/09/20/nat-confusion-and-config-debugging/
