Having a NAT issue from a lower interface to higher

joneschw1
Level 1

Hi all, I have a 515 with 4 interfaces that are relevant. Inside (100), DMZ (50), bCat (20), outside (0). The bCat interface is a totally separate company that is utilizing our firewall. The company on the bCat interface has their website hosted on the dmz interface. I cannot get web traffic to the DMZ interface from the bCat interface even though I have the conduit that allows http from any to the hosts in the DMZ. I think it is something to do with NATing, and it is probably simple, but I am stuck at this point. I want to enable traffic from the bCat interface (192.168.15.0/24) to the DMZ interface (214.45.93.0/24). I know that I am bypassing NAT from the internal to bCat b/c I can ping 192.168.15.0 from my internal. My relevant config is below. I also want to allow certain traffic from the bCat interface to my backup server on the internal interface. Your help is greatly appreciated, and my relevant config is below:

interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet4 100full
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
nameif ethernet4 bCat security20
fixup protocol dns maximum-length 2000
fixup protocol http 80
object-group network WWW-Servers
network-object host 214.45.101.16
ip address outside 214.45.100.3 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address DMZ 214.45.101.1 255.255.255.0
no ip address SQLDMZ
ip address bCat 192.168.15.254 255.255.255.0
global (outside) 1 214.45.100.129-214.45.100.189
global (outside) 1 214.45.100.190
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 0 214.45.101.0 255.255.255.0 0 0
nat (bCat) 1 0.0.0.0 0.0.0.0 0 0
static (inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
static (inside,bCat) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
static (DMZ,outside) 214.45.101.20 214.45.101.20 netmask 255.255.255.255 0 0
static (DMZ,outside) 214.45.101.16 214.45.101.16 netmask 255.255.255.255 0 0
netmask 255.255.255.255 0 0
static (DMZ,outside) 214.45.101.28 214.45.101.28 netmask 255.255.255.255 0 0
static (bCat,outside) 214.45.102.32 192.168.15.220 netmask 255.255.255.255 0 0
static (bCat,outside) 214.45.102.31 192.168.15.36 netmask 255.255.255.255 0 0
conduit permit tcp host 10.1.1.30 eq 10000 214.45.101.0 255.255.255.0
conduit permit udp host 214.45.101.22 eq snmp host 214.45.100.1
conduit permit udp host 214.45.101.22 eq snmptrap host 214.45.100.1
conduit permit udp host 214.45.101.22 eq syslog host 214.45.100.1
conduit permit udp host 214.45.101.22 eq syslog host 209.108.220.54
conduit permit tcp host 10.1.1.30 range 24001 24100 214.45.101.0 255.255.255.0
conduit permit udp host 10.1.1.30 range 24001 24100 214.45.101.0 255.255.255.0
conduit permit tcp host 214.45.101.8 eq www any
conduit permit tcp host 10.1.1.9 eq sqlnet host 214.45.101.30
conduit permit tcp host 214.45.101.31 eq pop3 any
conduit permit tcp host 214.45.101.31 eq www any
conduit permit tcp host 10.1.1.13 eq 1433 214.45.101.0 255.255.255.0
conduit permit tcp host 10.1.1.9 eq 1433 214.45.101.0 255.255.255.0
conduit permit tcp host 214.45.101.8 eq smtp object-group SMTP-to-Exchange-Server
conduit permit tcp object-group TS-Servers eq 3389 any
conduit permit tcp object-group TS-Servers eq www any
conduit permit tcp object-group WWW-Servers eq www any
conduit permit tcp object-group WWW-Servers eq https any
conduit permit tcp object-group FTP-Servers eq ftp any
conduit permit tcp host 214.45.102.31 eq smtp object-group SMTP-to-Exchange-Server
conduit permit tcp host 214.45.102.31 eq pop3 any
conduit permit tcp host 214.45.102.31 eq 3389 214.45.100.0 255.255.255.0
conduit permit tcp host 214.45.102.31 eq 3389 214.45.101.0 255.255.255.0
conduit permit tcp host 214.45.102.31 eq https any
conduit permit tcp host 214.45.102.31 eq www any
route outside 0.0.0.0 0.0.0.0 214.45.100.1 1

3 Replies

gfullage
Cisco Employee

Conduits and statics are needed for traffic from a lower-security interface to a higher. In your case you would need a static between the bcat and dmz interfaces. If you don't want to actually NAT any of the traffic, so the people on the bcat interface reference the actual web server's IP address rather than a NAT'd one, use the following command:

static (DMZ,bCat) 214.45.93.0 214.45.93.0 netmask 255.255.255.0

I'm a little confused though by your IP address. The DMZ interface has a 214.45.101.x IP address, yet you say the web server is on a 214.45.93.x address. If this is correct, then the static above is still OK, but you would need a route statement to the 93 subnet, something like:

route DMZ 214.45.93.0 255.255.255.0 214.45.101.x

where "x" is the next-hop address to the 93 subnet.

You then also need a conduit allowing traffic from the bCat to the DMZ addresses as normal.

Sorry about the typo. The DMZ is 214.45.101.0/24. As a result, I believe it would be:

static (DMZ,bCat) 214.45.101.0 214.45.101.0 netmask 255.255.255.0

I have another question though.

Would this cause problems with xlate since hosts in my dmz get IP addresses from the 214.45.101.0/24? I do not do a nat between a public and private range for the DMZ. I just have public ips natting to themselves. As a result, I already basically have the command:

static (DMZ,outside) 214.45.101.0 214.45.101.0 netmask 255.255.255.0

Would the 2 commands conflict with each other since I have static mappings of the same entire subnet on 2 different interfaces? Thanks for the help.

No this is OK because both of those commands tell the PIX that the 214.45.101.0 subnet resides on the DMZ interface. All they mean is that between the DMZ and the outside/bCat int's there'll be no NAT'ing going on.

What you can't have is something like this:

static (bCat,outside) 214.45.101.0 214.45.101.0 netmask 255.255.255.0

static (DMZ,outside) 214.45.101.0 214.45.101.0 netmask 255.255.255.0

because that tells the PIX that the 214.45.101.0 subnet resides on the bCat AND the DMZ interfaces, and if a packet destined for those addresses comes in from the outside, the PIX won't know which interface to send it onto.
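The two rules gfullage states, as a small checker added here for illustration (not code from the thread or from Cisco): a lower- to higher-security path needs a static whose mapped side is the source interface and whose real side is the destination, and one mapped subnet may not be claimed on the same mapped interface from two different real interfaces. The static excerpts, the recommended fix and the bad pair are constructed from lines in the thread; the interface names and security levels are the ones in the posted nameif lines.

```python
import re
from collections import defaultdict

# Security levels from the nameif lines in the posted config.
SECURITY = {"outside": 0, "bCat": 20, "DMZ": 50, "inside": 100}

# PIX syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [...]
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")

# Constructed excerpt of the statics in the posted config (not the full config).
BASE_CONFIG = """\
static (inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
static (inside,bCat) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
static (DMZ,outside) 214.45.101.16 214.45.101.16 netmask 255.255.255.255 0 0
static (bCat,outside) 214.45.102.31 192.168.15.36 netmask 255.255.255.255 0 0
"""
# The identity static the reply recommends (a conduit is still needed as well).
FIX = "static (DMZ,bCat) 214.45.101.0 214.45.101.0 netmask 255.255.255.0\n"
# The pair the reply says must not coexist: one subnet claimed on two real interfaces.
BAD = """\
static (bCat,outside) 214.45.101.0 214.45.101.0 netmask 255.255.255.0
static (DMZ,outside) 214.45.101.0 214.45.101.0 netmask 255.255.255.0
"""

def parse_statics(config):
    """Return (real_if, mapped_if, mapped_ip, real_ip, mask) for each static line."""
    return [m.groups() for m in map(STATIC_RE.match, config.splitlines()) if m]

def has_path_static(statics, src_if, dst_if):
    """Lower- to higher-security traffic needs a static whose mapped side is the
    source interface and whose real side is the destination interface."""
    if SECURITY[src_if] >= SECURITY[dst_if]:
        return True  # higher-to-lower is handled by nat/global, not by statics
    return any(r == dst_if and mp == src_if for r, mp, *_ in statics)

def conflicting_statics(statics):
    """Flag one mapped address (exact match only) on one mapped interface that is
    claimed from two different real interfaces: the PIX cannot pick the real side."""
    owners = defaultdict(set)
    for real_if, mapped_if, mapped_ip, _real_ip, mask in statics:
        owners[(mapped_if, mapped_ip, mask)].add(real_if)
    return {k: v for k, v in owners.items() if len(v) > 1}

if __name__ == "__main__":
    print("bCat->DMZ static present:", has_path_static(parse_statics(BASE_CONFIG), "bCat", "DMZ"))
    print("after fix:", has_path_static(parse_statics(BASE_CONFIG + FIX), "bCat", "DMZ"))
    print("conflicts:", conflicting_statics(parse_statics(BASE_CONFIG + BAD)))
```

The conflict check compares mapped addresses exactly, so an overlapping but differently masked pair would need a prefix comparison that this sketch leaves out.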