
Multiple NAT problem with DMZ

mshah2005
Level 1

I am trying to place public servers such as the Web Server, DNS Server and outside Mail Server in the DMZ zone using a separate DMZ interface for each one. I was able to put the Web Server successfully in the DMZ using static NAT. But when I tried putting the other servers, like the DNS and Mail Server, in using static NAT, I couldn't get addresses translated from the DMZ interface to the outside interface.

Inside network: 10.8.0.0/20

Outside network: 63.127.167.192/27

Web-dmz1: 192.168.0.0/24

Dns-dmz2: 192.168.1.0/24

Mail-dmz3: 192.168.2.0/24

I have attached the current running configuration from Cisco PIX 515E.

Current status: The inside network is behind the firewall and is PATed. The Web Server is placed in the DMZ zone and outside people can access it, but not internally.

Is there a problem using multiple static NATs?

Also I tried with the nat and global commands but no luck...

I would appreciate it if anyone could help me with this problem.

Thanks,

Mayur Shah

Network Analyst

1 Reply

thisisshanky
Level 11

Mayur,

To permit access to the DNS and mail servers using the public IPs you have statically allocated, you will need to permit the required ports (DNS - UDP 53, and Mail - SMTP, POP, and also web for OWA if needed). Currently you do have an ACL which permits web access to the web-dmz.

People in the inside network won't be able to reach the web server using the public DNS name, as it translates to the .167.207 address and the PIX has a mapping for .167.207 to .0.11 only if the packet comes from the outside interface. Probably you may be able to fix this by changing your local DNS server entry for the web server to 192.168.0.11.

HTH

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
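The reply above, written out as a PIX 6.x configuration fragment. This is an added illustration, not taken from the thread or from the poster's attached running config: the interface names dmz1/dmz2/dmz3, the private host addresses .11 on each DMZ subnet, and the public addresses 63.127.167.X (DNS) and 63.127.167.Y (mail) are assumed placeholders inside the poster's 63.127.167.192/27 block; only the .207 to 192.168.0.11 web mapping comes from the thread. Lines starting with ! are annotations, not PIX commands.

```text
! One static per server, each between its own DMZ interface and outside.
! A static applies only to traffic crossing the two named interfaces, which is
! why an inside host sending to 63.127.167.207 never hits the (dmz1,outside)
! mapping: the packet arrives on inside, not outside.
static (dmz1,outside) 63.127.167.207 192.168.0.11 netmask 255.255.255.255
static (dmz2,outside) 63.127.167.X   192.168.1.11 netmask 255.255.255.255
static (dmz3,outside) 63.127.167.Y   192.168.2.11 netmask 255.255.255.255

! The static alone does not admit traffic from the lower-security outside
! interface. An ACL applied inbound on outside must open each service, and it
! should open only those services to only those public hosts.
access-list outside_in permit tcp any host 63.127.167.207 eq www
access-list outside_in permit udp any host 63.127.167.X   eq domain
access-list outside_in permit tcp any host 63.127.167.Y   eq smtp
access-list outside_in permit tcp any host 63.127.167.Y   eq pop3
! Uncomment only if the mail server publishes OWA:
! access-list outside_in permit tcp any host 63.127.167.Y eq www
access-group outside_in in interface outside
```

Adding the statics for DNS and mail without the matching access-list lines reproduces the poster's symptom: the translations exist but nothing from outside is admitted. For the inside-to-web-server problem, the local DNS change suggested in the reply is the simplest fix; on PIX 6.2 and later the `dns` keyword on the web server's static is an alternative that rewrites the public address in DNS replies crossing the firewall.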