01-20-2005 12:49 PM - edited 02-20-2020 11:53 PM
Hi,
I am a newbie to PIX and I have two basic questions:
1. I want the PIX to route between the DMZ and inside networks. I do not want any NATing going on - I want the inside addresses to appear as such on the DMZ and vice versa - in other words, the PIX is a router on these interfaces. I get this going by doing a:
nat (inside) 0 x.x.x.x
nat (dmz) 0 x.x.x.x
This appears to work fine. However would it be better to use a nat on the inside and a global on the dmz (the global containing the whole scope of the network on the dmz?). What are the pros and cons here?
2. If I have a nat (inside) 0 0.0.0.0 0.0.0.0, will a more specific nat (inside) 1 x.x.x.x be chosen if it gets matched? In other words does it treat the nat (0) like a last resort and it will try the more specifics first?
Sorry for these basic questions - I am an R+S man getting my head round how these PIXes work!!!
Best regards, Steve
01-20-2005 07:41 PM
1. The first "nat 0" command will allow traffic to flow from inside to dmz (higher to lower) without being NAT'd. Actually it will allow traffic from inside to any other lower-security interface to flow. It will NOT, however, allow traffic to flow from dmz to inside (lower to higher); for that you need a static and an access-list. If you want no NATing between the two interfaces, AND want to allow traffic to be initiated from the dmz and go to the inside, then you need the following (assuming your inside network is a 10.1.1.0/24 subnet):
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
access-list dmz-in permit ip any 10.1.1.0 255.255.255.0
access-group dmz-in in interface dmz
Note also there's an implicit "deny everything else" on this ACL, so if you want traffic to flow from the dmz to other interfaces you'll need to explicitly allow that also.
2. Nat order of operations can be found here:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#wp1032129
Scroll down a few pages and you'll see it. Basically though, the most specific nat statement will take effect. "nat 0" is not treated as a last resort per se, but if you have "nat 0 0.0.0.0 0.0.0.0" then basically any other nat statement will be matched first simply because it'll be more specific.
01-21-2005 04:01 AM
Hi, many thanks for the reply. I came to a similar conclusion myself with the static command that you detail in your example. I absolutely understand why you need the access list to allow the dmz to talk to the inside. However, is my nat 0 solution on the dmz and inside interfaces still a valid option?
In your example, what if everything from the inside interface (which could have hundreds of subnets behind it) was to be allowed untranslated through to the dmz? Would a:
static (inside,dmz) 0.0.0.0 0.0.0.0
- be a valid statement? In other words, anything translates to itself?
Many thanks for taking the time!!!!
Regards, Steve
01-24-2005 02:13 AM
Hi Steve,
The statics will have values as pointed out by Glenn in his previous post. 0.0.0.0 on the static does not have any meaning. A static will see the inside subnet and convert it to a valid IP on the outside.
Anyway, we normally use a nat 0 for this purpose:
nat (inside) 0 access-list nonat
access-list nonat permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
(where 10.10.10.0/24 is the inside subnet and 20.20.20.0/24 is the DMZ)
Remember, as Glenn said, nat 0 will take precedence over other NATs, so make sure you give the right nonat access-list.
By doing this, you can see the servers on the DMZ with their private IPs from the inside.
hope this helps.. all the best..
Raj
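The two answers above each give one piece of the picture (Glenn's identity static plus DMZ access-list, and Raj's nat 0 exemption list). The following is an added, complete PIX 6.3-style configuration written for this page; it is not taken from either post. It assumes interface names and addresses that are not in the thread: inside 10.1.1.0/24 as in Glenn's example, a DMZ of 192.168.10.0/24 and an outside address on 203.0.113.0/24 (both constructed), and hypothetical DMZ hosts 192.168.10.20 and 192.168.10.0/24 reaching inside hosts 10.1.1.5 and 10.1.1.10. It also shows the order-of-operations point from question 2: the identity static wins over the catch-all "nat (inside) 1" for inside-to-DMZ traffic, so only traffic bound for the outside is translated. As a deliberate design choice, the dmz-in list permits specific services rather than "ip any", because "permit ip any 10.1.1.0 255.255.255.0" lets a compromised DMZ host reach every port on every inside host.

```text
! --- interfaces (assumed names and addresses, not from the thread) ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0

! --- inside <-> dmz: no translation, real addresses on both sides ---
! An identity static is bidirectional: inside hosts appear on the dmz with
! their real 10.1.1.x addresses, and dmz hosts can initiate to them once an
! access-list on the dmz interface permits it. Statics are evaluated before
! "nat (inside) 1" below, so inside->dmz traffic is never PAT'd.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! --- inside -> outside: everything not matched above is PAT'd to the
! outside interface address (nat id 1 pairs with global id 1) ---
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! --- dmz -> inside: allow only the flows that are needed ---
! Hypothetical: DMZ web server 192.168.10.20 to an inside database on 1433,
! and any DMZ host to an inside DNS server on UDP/53. Everything else from
! the dmz, including dmz -> inside on other ports, hits the implicit deny.
access-list dmz-in permit tcp host 192.168.10.20 host 10.1.1.5 eq 1433
access-list dmz-in permit udp 192.168.10.0 255.255.255.0 host 10.1.1.10 eq 53
access-group dmz-in in interface dmz
```

If the nat 0 access-list form from Raj's post is preferred instead of the static, the exemption list replaces the static line and the same dmz-in access-list still applies; either way, check the result with "show xlate" after generating inside-to-dmz traffic: with the configuration working correctly there should be no translation entries for 10.1.1.x hosts on the dmz interface, only PAT entries toward the outside interface address.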