from dmz to inside

alanhong

I have a DMZ interface with the following IP address:

172.19.72.1 255.255.255.0. I am currently trying to allow all the IPs in this segment to access my inside segment. Should I use the destination static command, because I don't want the IPs to be translated? Hope someone can help me on this.

regards

Alan

alanhong

Configuration as below...

I'm trying to allow the sdo_temp to access the servers in my internal LAN without translation.

I already have a NAT for the inside to the eglink interface, so... is there any way to configure it without affecting the eglink NAT?

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 sdo_temp security50
nameif ethernet4 temp security50
nameif ethernet5 eglink security50
hostname dc1pix
names
name 172.22.3.51 vbping
name 172.22.3.34 mrtg
name 172.22.3.23 proxy1
name 172.22.3.107 officescan1
name 172.22.3.18 smtp
name 172.22.3.44 smtp2
name 172.22.3.108 aaa
name 172.22.202.4 smtp3
access-list inbound permit icmp any host 2x.x.x.50
access-list inbound deny udp any host 2x.x.x.11 eq domain
access-list inbound permit udp any host 2x.x.x.11 log
access-list inbound permit icmp any host 2x.x.x.11
access-list inbound permit tcp any host 2x.x.x.52 eq 12345 log
access-list inbound permit tcp any host 2x.x.x.11 eq pop3
access-list inbound permit tcp any host 2x.x.x.11 eq imap4
access-list inbound permit tcp any host 2x.x.x.11 eq smtp
access-list inbound permit icmp any host 2x.x.x.53
access-list inbound permit udp any any log
access-list inbound permit icmp any any
access-list inbound permit tcp any host 2x.x.x.57 eq smtp
access-list inbound permit udp any host 2x.x.x.57
access-list inbound permit tcp any host 2x.x.x.56 eq smtp
access-list inbound permit tcp any host 2x.x.x.58 eq smtp
access-list inbound permit tcp any host 2x.x.x.59 eq smtp
access-list eglink permit ip any any
access-list inside_access_in deny tcp any any eq 135
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any eq domain
access-list inside_access_in permit udp any any eq snmp
access-list inside_access_in deny udp any any eq netbios-ns log
access-list inside_access_in permit udp any any
access-list inside_access_in permit icmp any any
access-list inside_outbound_nat0_acl permit ip any 172.19.1.108 255.255.255.252
access-list outside_cryptomap_dyn_40 permit ip any 172.19.1.108 255.255.255.252
access-list testing permit ip any 10.1.100.0 255.255.255.128
access-list sdo-temp permit ip any any
access-list no_nat permit ip any 10.1.100.0 255.255.255.128
ip address outside 2x.x.x.2 255.255.255.0
ip address inside 10.1.9.54 255.255.255.252
ip address dmz 172.19.200.1 255.255.255.0
ip address sdo_temp 172.19.72.1 255.255.255.0
ip address temp 10.188.20.1 255.255.255.0
ip address eglink 10.1.100.33 255.255.255.128
arp timeout 14400
global (eglink) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 2x.x.x.11 proxy1 netmask 255.255.255.255 0 0
static (inside,outside) 2x.x.x.50 vbping netmask 255.255.255.255 0 0
static (inside,outside) 2x.x.x.51 mrtg netmask 255.255.255.255 0 0
static (inside,outside) 2x.x.x.52 officescan1 netmask 255.255.255.255 0 0
static (inside,outside) 2x.x.x.53 172.22.254.254 netmask 255.255.255.255 0 0
static (inside,outside) 2x.x.x.16 172.22.3.22 netmask 255.255.255.255 0 0
static (inside,outside) 2x.x.x.56 smtp2 netmask 255.255.255.255 0 0
static (inside,outside) 2x.x.x.57 smtp3 netmask 255.255.255.255 0 0
static (inside,outside) 2x.x.x.58 smtp netmask 255.255.255.255 0 0
static (inside,outside) 2x.x.x.59 172.22.3.93 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group inside_access_in in interface inside
access-group sdo-temp in interface sdo_temp
access-group eglink in interface eglink
route outside 0.0.0.0 0.0.0.0 218.208.41.1 1
route inside 10.0.0.0 255.0.0.0 10.1.9.53 1
route inside 172.16.0.0 255.240.0.0 10.1.9.53 1
route inside 192.168.0.0 255.255.0.0 10.1.9.53 1
[OK]

I'm looking for the same thing; I need one DMZ device to access all inside devices.

Regards, Tony

The best way to accomplish this goal is to translate your hosts from the higher security interface onto the lower security interface. For instance, let's say you had an outside, inside and dmz interface on a PIX. Security levels were set as outside - 0, inside - 100, and dmz - 50. You wanted to allow hosts access to the hosts on the inside segment from the hosts on the dmz segment. Assuming an address scheme of 10.1.1.0/24 for inside, 10.1.2.0/24 for the dmz, and 1.1.1.0/24 for the outside, you would want to add the following static to your PIX config:

static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

This allows the hosts on the dmz to access the internal hosts via a non-NAT'ed address.

You would also need to create the appropriate access-lists on the dmz interface to allow the wanted traffic through as this is still communication from a lower to a higher security interface.

Does this make sense?

Scott

Scott,

Fantastic mate, tried it, worked first time!!

I've been trying NAT 0 ACLs

Cheers, many thanks, Tony

Scott,

Very interesting. Can you clarify this for me?

When a device from the inside tries to reach a host in the DMZ, will it get NAT'd if such a statement exists?

For example:

Inside: 192.168.1.0

Outside: 199.250.x.x NAT: 199.250.x.10

DMZ: 192.168.2.0 NAT: 192.168.2.10

Using the static (inside,dmz) 192.168.1.0 192.168.0 netmask 255.255.255.0 command.

Will the host in the DMZ see the source as 192.168.2.10 or a 192.168.1.x address?

Hope this makes sense.

We want to do something similar, but want NAT to be used outbound to the DMZ if possible.

The static statement you listed above was incomplete. I am going to make a few assumptions and try to answer your question but if I assume incorrectly, please let me know. If you meant to put:

static (inside,dmz) 192.168.1.0 192.168.2.0 netmask 255.255.255.0

This will translate 192.168.1.10 so that the source appears to be 192.168.2.10 to the hosts on the dmz interface. This works in a 1:1 format, meaning 192.168.1.11 will be 192.168.2.11, 192.168.1.12 will be 192.168.2.112, etc...

Does this help?

Scott

Scott...

My bad on the typo. Understand the 1 for 1 relationship, but in doing something similar to your original email, the static line was:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

DMZ Host Address: 192.168.2.10

Inside Host Address: 192.168.1.34

I have two questions.

1) On the inside network, a packet coming from the DMZ to the inside host, will the source address be 192.168.2.10?

2) Can I NAT the DMZ interface? In other words, I want anything on the inside going to the DMZ to use an address on the DMZ such as 192.168.2.3?

Hi Scott,

What happens when the other interface represents a different subnet altogether?

Let's say the DMZ is 10.1.1.0 255.255.255.0

and the inside is 172.16.25.0 255.255.255.0.

Just this?

static (inside,dmz) 172.16.25.0 172.16.25.0 netmask 255.255.255.0

You got it. All you are doing is translating the subnet (or host, or hosts) from the higher security interface to the lower security interface.

Scott
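The behaviour Scott describes in his three replies (an identity static that exposes inside hosts untranslated, a network static that maps hosts 1:1, and the separate need for an access-list on the lower-security interface) as an added, constructed Python model. It is not PIX code or anything from the thread; it parses `static` lines in the argument order the original config dump uses (`static (inside,outside) 2x.x.x.11 proxy1 ...`, mapped address first, real address second) and assumes literal IP addresses rather than PIX `names`. The sample rules and ACL networks in the test are constructed.

```python
import ipaddress
import re

# Constructed model (not PIX code) of how a PIX 6.3 "static" line exposes
# higher-security hosts to a lower-security interface. Argument order follows
# the syntax visible in the thread's config dump, e.g.
# "static (inside,outside) 2x.x.x.11 proxy1 ...": the MAPPED address (what the
# lower-security side sees) comes first, the REAL address second.
STATIC_RE = re.compile(
    r"static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")


class StaticRule:
    """One static entry; addresses must be literal IPs, not PIX 'names'."""

    def __init__(self, line: str):
        m = STATIC_RE.match(line.strip())
        if not m:
            raise ValueError(f"not a static line: {line!r}")
        self.real_ifc, self.mapped_ifc, mapped, real, mask = m.groups()
        self.mapped = ipaddress.IPv4Network(f"{mapped}/{mask}", strict=False)
        self.real = ipaddress.IPv4Network(f"{real}/{mask}", strict=False)

    @property
    def identity(self) -> bool:
        """Identity static (mapped == real): hosts are reachable untranslated."""
        return self.mapped == self.real

    def seen_from_mapped_side(self, real_ip: str):
        """Address a host on `mapped_ifc` must use to reach `real_ip`, or None
        when this static does not cover it (PIX 6.3 drops a lower- to
        higher-security flow that has no translation to match)."""
        ip = ipaddress.IPv4Address(real_ip)
        if ip not in self.real:
            return None
        # 1:1 mapping keeps the host offset: .11 -> .11, .12 -> .12, ...
        offset = int(ip) - int(self.real.network_address)
        return str(self.mapped.network_address + offset)


def reachable_from_low_side(rule, acl_permits, real_ip):
    """Mapped address if the flow is both translatable and permitted by the
    ACL applied to the lower-security interface; the static alone never
    permits traffic. `acl_permits` lists destination networks in mapped
    terms, which is how PIX 6.3 access-lists are written."""
    mapped = rule.seen_from_mapped_side(real_ip)
    if mapped is None:
        return None
    dst = ipaddress.IPv4Address(mapped)
    return mapped if any(dst in ipaddress.IPv4Network(n) for n in acl_permits) else None
```

Tightening the interface ACL (the thread's `sdo-temp` list is `permit ip any any`) is what limits which inside hosts the DMZ can actually reach once the static exists.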
