09-12-2004 08:33 PM - edited 03-09-2019 08:46 AM
I have a DMZ interface with the following IP address:
172.19.72.1 255.255.255.0. Currently I am trying to allow all the IPs in this segment to access my inside segment. Should I use the destination static command, because I don't want the IP to be translated? Hope someone can help me on this.
regards
Alan
09-12-2004 11:14 PM
Configuration as below...
I'm trying to allow the sdo_temp segment to access the servers in my internal LAN without translation.
I already have a NAT for the inside to eglink interface, so... is there any way to configure it without affecting the eglink NAT?
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 sdo_temp security50
nameif ethernet4 temp security50
nameif ethernet5 eglink security50
hostname dc1pix
names
name 172.22.3.51 vbping
name 172.22.3.34 mrtg
name 172.22.3.23 proxy1
name 172.22.3.107 officescan1
name 172.22.3.18 smtp
name 172.22.3.44 smtp2
name 172.22.3.108 aaa
name 172.22.202.4 smtp3
access-list inbound permit icmp any host 2x.x.x.50
access-list inbound deny udp any host 2x.x.x.11 eq domain
access-list inbound permit udp any host 2x.x.x.11 log
access-list inbound permit icmp any host 2x.x.x.11
access-list inbound permit tcp any host 2x.x.x.52 eq 12345 log
access-list inbound permit tcp any host 2x.x.x.11 eq pop3
access-list inbound permit tcp any host 2x.x.x.11 eq imap4
access-list inbound permit tcp any host 2x.x.x.11 eq smtp
access-list inbound permit icmp any host 2x.x.x.53
access-list inbound permit udp any any log
access-list inbound permit icmp any any
access-list inbound permit tcp any host 2x.x.x.57 eq smtp
access-list inbound permit udp any host 2x.x.x.57
access-list inbound permit tcp any host 2x.x.x.56 eq smtp
access-list inbound permit tcp any host 2x.x.x.58 eq smtp
access-list inbound permit tcp any host 2x.x.x.59 eq smtp
access-list eglink permit ip any any
access-list inside_access_in deny tcp any any eq 135
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any eq domain
access-list inside_access_in permit udp any any eq snmp
access-list inside_access_in deny udp any any eq netbios-ns log
access-list inside_access_in permit udp any any
access-list inside_access_in permit icmp any any
access-list inside_outbound_nat0_acl permit ip any 172.19.1.108 255.255.255.252
access-list outside_cryptomap_dyn_40 permit ip any 172.19.1.108 255.255.255.252
access-list testing permit ip any 10.1.100.0 255.255.255.128
access-list sdo-temp permit ip any any
access-list no_nat permit ip any 10.1.100.0 255.255.255.128
ip address outside 2x.x.x.2 255.255.255.0
ip address inside 10.1.9.54 255.255.255.252
ip address dmz 172.19.200.1 255.255.255.0
ip address sdo_temp 172.19.72.1 255.255.255.0
ip address temp 10.188.20.1 255.255.255.0
ip address eglink 10.1.100.33 255.255.255.128
arp timeout 14400
global (eglink) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 2x.x.x.11 proxy1 netmask 255.255.255.255 0 0
static (inside,outside) 2x.x.x.50 vbping netmask 255.255.255.255 0 0
static (inside,outside) 2x.x.x.51 mrtg netmask 255.255.255.255 0 0
static (inside,outside) 2x.x.x.52 officescan1 netmask 255.255.255.255 0 0
static (inside,outside) 2x.x.x.53 172.22.254.254 netmask 255.255.255.255 0 0
static (inside,outside) 2x.x.x.16 172.22.3.22 netmask 255.255.255.255 0 0
static (inside,outside) 2x.x.x.56 smtp2 netmask 255.255.255.255 0 0
static (inside,outside) 2x.x.x.57 smtp3 netmask 255.255.255.255 0 0
static (inside,outside) 2x.x.x.58 smtp netmask 255.255.255.255 0 0
static (inside,outside) 2x.x.x.59 172.22.3.93 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group inside_access_in in interface inside
access-group sdo-temp in interface sdo_temp
access-group eglink in interface eglink
route outside 0.0.0.0 0.0.0.0 218.208.41.1 1
route inside 10.0.0.0 255.0.0.0 10.1.9.53 1
route inside 172.16.0.0 255.240.0.0 10.1.9.53 1
route inside 192.168.0.0 255.255.0.0 10.1.9.53 1
[OK]
09-13-2004 08:44 AM
I'm looking for the same thing, I need 1 DMZ device to access all Inside devices
Regards Tony
09-13-2004 01:18 PM
The best way to accomplish this goal is to translate your hosts from the higher security interface onto the lower security interface. For instance, let's say you had an outside, inside and dmz interface on a PIX. Security levels were set as outside - 0, inside - 100, and dmz - 50. You wanted to allow hosts access to the hosts on the inside segment from the hosts on the dmz segment. Assuming an address scheme of 10.1.1.0/24 for inside, 10.1.2.0/24 for the dmz, and 1.1.1.0/24 for the outside, you would want to add the following static to your PIX config:
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
This allows the hosts on the dmz to access the internal hosts via a non-NAT'ed address.
You would also need to create the appropriate access-lists on the dmz interface to allow the wanted traffic through as this is still communication from a lower to a higher security interface.
Does this make sense?
Scott
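Scott's identity static applied to Alan's posted config, as an added example that is not part of the thread. It assumes the sdo_temp hosts only need SMTP to the named inside host smtp and HTTP to proxy1; widen the rules to whatever the servers actually require.

```text
! Added example, not from the thread. Assumed: sdo_temp hosts need only
! SMTP to "smtp" and HTTP to "proxy1" (names from the posted config).
!
! 1. Identity static from inside (security100) to sdo_temp (security50).
!    Mapped and real address are the same, so inside hosts keep their real
!    172.22.x.x addresses as seen from sdo_temp. The existing
!    nat (inside) 1 / global (eglink) 1 pair is untouched: it applies to the
!    (inside,eglink) interface pair, this static to (inside,sdo_temp).
static (inside,sdo_temp) 172.22.0.0 172.22.0.0 netmask 255.255.0.0 0 0
!
! 2. Replace "access-list sdo-temp permit ip any any" with host/port rules.
!    Traffic still flows from a lower to a higher security interface, so the
!    static alone permits nothing; the ACL decides what gets through.
no access-list sdo-temp permit ip any any
access-list sdo-temp permit tcp 172.19.72.0 255.255.255.0 host smtp eq smtp
access-list sdo-temp permit tcp 172.19.72.0 255.255.255.0 host proxy1 eq www
access-list sdo-temp deny ip any any log
access-group sdo-temp in interface sdo_temp
!
! 3. Rebuild the translation table so the new static takes effect, then
!    confirm the static and the ACL hit counts.
clear xlate
show static
show xlate
show access-list sdo-temp
```

The `deny ip any any log` line is only there to make rejected sdo_temp traffic visible in syslog; the implicit deny would drop it silently.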
09-14-2004 02:15 AM
Scott,
Fantastic mate, tried it, worked first time!!
I've been trying NAT 0 ACLs
Cheers many thanks Tony
09-14-2004 12:15 PM
Scott,
Very interesting. Can you clarify this for me?
When a device from the inside tries to reach a host in the DMZ, will it get NAT'd if such a statement exists?
For example:
Inside: 192.168.1.0
Outside: 199.250.x.x NAT: 199.250.x.10
DMZ: 192.168.2.0 NAT: 192.168.2.10
Using the static (inside,dmz) 192.168.1.0 192.168.0 netmask 255.255.255.0 command.
Will the host in the DMZ see the source as 192.168.2.10 or a 192.168.1.x address?
Hope this makes sense.
We want to do something similar, but want NAT to be used outbound to the DMZ if possible.
09-14-2004 06:20 PM
The static statement you listed above was incomplete. I am going to make a few assumptions and try to answer your question but if I assume incorrectly, please let me know. If you meant to put:
static (inside,dmz) 192.168.1.0 192.168.2.0 netmask 255.255.255.0
This will translate 192.168.1.10 so that the source appears to be 192.168.2.10 to the hosts on the dmz interface. This works in a 1:1 format, meaning 192.168.1.11 will be 192.168.2.11, 192.168.1.12 will be 192.168.2.12, etc...
Does this help?
Scott
09-15-2004 11:43 AM
Scott...
My bad on the typo. Understand the 1 for 1 relationship, but in doing something similar to your original email, the static line was:
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
DMZ Host Address: 192.168.2.10
Inside Host Address: 192.168.1.34
I have two questions.
1) On the inside network, a packet coming from the DMZ to the inside host, will the source address be 192.168.2.10?
2) Can I NAT the DMZ interface? In other words, I want anything on the inside going to the DMZ to use an address on the DMZ such as 192.168.2.3.
09-14-2004 11:27 PM
Hi Scott,
What happens when the other interface represents a different subnet altogether?
Let's say the dmz is 10.1.1.0 255.255.255.0
and the inside is 172.16.25.0 255.255.255.0.
Just this?
static (inside,dmz) 172.16.25.0 172.16.25.0 netmask 255.255.255.0
09-15-2004 07:06 AM
You got it. All you are doing is translating the subnet (or host, or hosts) from the higher security interface to the lower security interface.
Scott