PIX Question regarding Private Addressing

jeff · ‎06-16-2004

We have a PIX 515e with six interfaces. One interface is the DMZ with public addressing. One of the other interfaces is the inside which is using private addressing. The command below disables translation for the DMZ network because all servers are publicly addressed:

static (DMZ,outside) pub.pub.59.32 pub.pub.59.32 netmask 255.255.255.224

Can the same be done for a private network, for example:

static (inside, DMZ) 10.2.0.0 10.2.0.0 netmask 255.255.0.0

This would be helpful if we have servers on the DMZ (only on the DMZ not from the outside) accessing servers on the inside interface. We would then use access lists to control what servers and services can go back and forth.

Thanks for any help.

Jeff

pcomeaux · ‎06-16-2004

Hey Jeff -

Yes, you are right on track with how you are using the statics and ACLs to control access.

You can always be more granular with your statics, but strict control with your ACLs and good change control will provide secure results.

Please let us know if you need help as you continue with your config.

thanks

peter

jeff · ‎06-16-2004

Thank you for the reply. So the static command as I suggested would work for a private network on the inside interface, and still allow a public addressed server on the DMZ to communicate with a private addressed server on the inside interface. This of course with the correct access lists.

Thanks again.

Jeff

pcomeaux · ‎06-16-2004

Hey Jeff -

Yes, assuming the internal servers default gateway and/or routing would eventually lead their traffic to this Pix.

As a side note, traffic from the inside destined to the outside interface (which you haven't mentoined) would require a seperate translation strategy.

thanks

peter

jeff · ‎06-17-2004

Thanks for the reply.

The default gateway for the servers on the DMZ and inside interface is this PIX. Servers destined for the outside from the inside have a static translation already set.

Thanks again.

Jeff