Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
264
Views
5
Helpful
3
Replies

NAT from DMZ to outside

itomercateo
Level 1
Level 1

‎03-29-2005 11:24 PM - edited ‎03-09-2019 10:47 AM

Hi,

i need some help on PIX515e, which i'm quite a newbie on and i dont want to kill any running service ...

I need a kind of NAT from the DMZ to the outside.

There is one Mailer in the DMZ which has to bee seen on the outside with a fixed routable IP.

Should i use the nat or the static command for this ?

Can someone please tell me how to do this or where to RTFM ?

Thanks!

regards

Jörg

Labels:
0 Helpful
3 Replies 3

mhussein
Level 4
Level 4

‎03-30-2005 12:27 AM

Hello,

See the configuration example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008015efa9.shtml

Basically, if the firewall is up and running, you would need to add 2 lines of configuration, a "static" command, and an access-list entry. From the example:

static (dmz,outside) 209.164.3.5 172.16.128.103 netmask 255.255.255.255

access-list smtp permit tcp any host 209.164.3.5 eq smtp

Where:

smtp= access-list name

209.164.3.5 = public ip address

172.16.128.103 = private ip address

Keep in mind that you need to find out the name of the access-list that is already configured on the firewall. The name of the access-list above just happened to be "smtp" - the name has no significance. To find out what the access-list name should be, check your firewall for a line similar to:

access-group acl_name in interface outside

Please let us know if that helped

Regards,

Mustafa

0 Helpful

itomercateo
Level 1
Level 1
In response to mhussein

‎03-30-2005 01:42 AM

Thanks for your answers.

I have seen this link you mention before, but i thought this example would only establish a portforwarding from the Outside to the machine in the DMZ.

Does this "static" command also means, that connects from the server in the DMZ to the Outside gets source nat ?

I mean, does the pix give every outgoing connection from this server the same (with "static" defined) source ip ?

regards

Jörg

0 Helpful

mhussein
Level 4
Level 4
In response to itomercateo

‎03-30-2005 02:23 AM

Yes, this is a one-to-one translation; connections from the server will be source nat'd.

Port forwarding is different, and can be configured:

static (dmz,outside) tcp 209.164.3.5 smtp 172.16.128.103 smtp netmask 255.255.255.255

Customers Also Viewed These Support Documents