PIX Multiple interfaces - use of PAT to outside from DMZ

ccpagel
Level 1

We have a 515 with 1 outside, 1 inside and 3 DMZs. We want to allow some of the hosts on the DMZs access to the Internet using PAT to the outside interface address. However, I can't get this to work.

The DMZ interfaces have inbound ACLs defined to allow certain traffic to the inside interface and to each other. Inside and DMZ interfaces use NAT 0. The inside interface uses NAT 1 (PAT to the outside interface address), as do the DMZ interfaces. We also have static NAT to devices on the DMZs.

I've tried adding ACLs.

If I use the following ACL, it doesn't work:

access-list N4-HOSTING-VLAN_access_in permit ip N4-HOSTING-VOICE 255.255.255.0 interface outside

I thought this would work as there's a NAT statement PATing these to the PIX's outside IP address.

The following ACL does work, but it also allows the source address to reach any other interface on the PIX, not just the outside:

access-list N4-HOSTING-VLAN_access_in permit ip N4-HOSTING-VOICE 255.255.255.0 any

What I need to do is permit "outside any", but that's not an ACL configurable option.

Any ideas on how this can be done?

Do I need to define a separate NAT pool for the DMZ clients to PAT to, rather than use the same as the inside interface?

Any help would be appreciated.

Thanks,

Chris

1 Reply

sachinraja
Level 9

Hi Chris,

What you need to do on the DMZ is to deny unnecessary traffic and then permit the rest; this is the normal way of doing it. If your DMZ does not need access to inside and only needs access to the Internet, change your access-list on the DMZ to the following:

access-list N4-HOSTING-VLAN_access_in deny ip N4-HOSTING-VOICE 255.255.255.0 10.1.1.0 255.255.255.0 (inside LAN)

access-list N4-HOSTING-VLAN_access_in permit ip N4-HOSTING-VOICE 255.255.255.0 any

Do all the denies before permitting. This regulates the traffic flowing from your DMZ interface to inside/outside and the other interfaces.

It's always better to do a separate PAT for the DMZ users (if you have public IPs available). This will be useful when troubleshooting problems with respect to the DMZ.

Hope this helps. All the best. Rate replies if found useful.
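The deny-then-permit pattern from the reply, written out as a complete PIX configuration fragment. This is an added example, not configuration from either poster. It assumes the DMZ interface is named N4-HOSTING-VLAN (inferred from the ACL name, which follows the PDM "<interface>_access_in" convention), that N4-HOSTING-VOICE is the name of the DMZ subnet as on the page, that 10.1.1.0/24 is the inside LAN as in the reply, and uses placeholder subnets 172.16.20.0/24 and 172.16.30.0/24 for the other two DMZs, a placeholder inside DNS server 10.1.1.53 and a placeholder public address 203.0.113.5. It goes a little beyond the reply by showing a specific permit placed ahead of the broad deny, which is what first-match ordering allows when one DMZ host does need a single inside service, and by showing the separate PAT address the reply recommends.

```cisco
! Added example, not from the thread. Names and addresses are assumptions
! except N4-HOSTING-VOICE (page) and 10.1.1.0/24 (the reply's inside LAN).
!
! Identity NAT (nat 0) for DMZ-to-inside flows that must not be translated.
access-list DMZ-NONAT permit ip N4-HOSTING-VOICE 255.255.255.0 10.1.1.0 255.255.255.0
nat (N4-HOSTING-VLAN) 0 access-list DMZ-NONAT
!
! PAT everything else from the DMZ to the outside interface address.
! The nat id on the DMZ interface pairs with the global id on outside.
nat (N4-HOSTING-VLAN) 1 N4-HOSTING-VOICE 255.255.255.0
global (outside) 1 interface
!
! Alternative the reply recommends: a PAT address dedicated to the DMZ so its
! translations are easy to tell apart from inside traffic when troubleshooting.
! Use either nat id 1 (above) or nat id 2 (below) for the subnet, not both.
! nat (N4-HOSTING-VLAN) 2 N4-HOSTING-VOICE 255.255.255.0
! global (outside) 2 203.0.113.5
!
! Inbound ACL on the DMZ. Entries are evaluated top down and the first match
! wins, so the narrow permit and the denies must come before the broad permit.
! The ACL is matched on the real (untranslated) destination address: PAT only
! rewrites the source, so an Internet-bound packet is never addressed to the
! PIX's outside interface IP, and "interface outside" as a destination only
! matches traffic aimed at the PIX itself. That is why the original line failed.
access-list N4-HOSTING-VLAN_access_in permit udp N4-HOSTING-VOICE 255.255.255.0 host 10.1.1.53 eq domain
access-list N4-HOSTING-VLAN_access_in deny ip N4-HOSTING-VOICE 255.255.255.0 10.1.1.0 255.255.255.0
access-list N4-HOSTING-VLAN_access_in deny ip N4-HOSTING-VOICE 255.255.255.0 172.16.20.0 255.255.255.0
access-list N4-HOSTING-VLAN_access_in deny ip N4-HOSTING-VOICE 255.255.255.0 172.16.30.0 255.255.255.0
access-list N4-HOSTING-VLAN_access_in permit ip N4-HOSTING-VOICE 255.255.255.0 any
access-group N4-HOSTING-VLAN_access_in in interface N4-HOSTING-VLAN
```

To confirm the ordering behaves as intended, `show access-list N4-HOSTING-VLAN_access_in` displays a hit count per entry: hits on the deny lines while a DMZ host is trying to reach inside, and hits on the final permit while it browses the Internet, show that each flow is being matched by the line you expect. Every other DMZ interface needs the same treatment with its own subnet in the deny lines, since the "any" at the end of one DMZ's ACL covers the other DMZs as well as the Internet.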
