Hosts on the Demilitarized Zone (DMZ) network need to pass traffic through the PIX Firewall to connect to devices on another DMZ network. For the purposes of this example, all devices on both of the DMZ interfaces need to use their native addresses.
Configure a static translation and access for the workstations on the DMZ to reach the other DMZ network.
Note: The static Network Address Translation (NAT) that is required covers the entire DMZ network with the highest security. The Access Control List (ACL) does not differ from the standard, but it is applied to the DMZ interface with the lowest security.
In this example, the DMZ with the higher security is called DMZ1 and its network will be 10.10.1.0. The DMZ with the lower security will be called DMZ2 and its network will be 10.10.2.0. All the traffic will pass between the two DMZ networks.
Issue the following commands to configure static NAT:
What the above static statement says is that when traffic hits the PIX from DMZ2 and is destined for DMZ1's network (10.10.1.0), the address is translated to itself. Any traffic that passes through a PIX must be translated; to satisfy this requirement, the PIX is configured to translate any address in this range to itself, which is a one-to-one translation. Because this example uses the same range for both the real and the mapped addresses, if traffic destined for 10.10.1.19 hits the PIX, it is still destined for 10.10.1.19 when it is sent out of the DMZ1 interface; the PIX does not reassign a random IP address from the range.
The ACL to permit traffic from the DMZ2 network to the DMZ1 network must be configured. For this example, you will permit all traffic to pass between the two interfaces. However, this may not always be the best choice, depending on the security policy you must follow. If you are in doubt about what to allow, it is best to allow only the necessary traffic.
Issue the following commands to configure the ACL:
pixfirewall (config t)# access-list dmz2dmz permit ip any any
pixfirewall (config t)# access-group dmz2dmz in interface DMZ2
After these commands have been issued, you should be able to pass the specified traffic. If there is any problem with passing traffic at that point, issue the clear xlate command.
Note: Issuing this command temporarily drops active connections. They should re-establish within 10 seconds.
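The whole procedure above, collected as an added example that is not part of the original page: the static identity translation the text describes, the permissive ACL, and a tighter ACL that follows the advice to allow only the necessary traffic. The interface names, security levels, the 10.10.1.1 and 10.10.2.1 interface addresses, the 10.10.1.19 HTTPS server and PIX 6.x syntax are all assumptions.

```cisco
! Interfaces (assumed): DMZ1 is the higher-security DMZ, DMZ2 the lower one
nameif ethernet2 DMZ1 security50
nameif ethernet3 DMZ2 security40
ip address DMZ1 10.10.1.1 255.255.255.0
ip address DMZ2 10.10.2.1 255.255.255.0

! Static identity NAT: traffic from DMZ2 toward 10.10.1.0/24 is translated
! one-to-one to the same addresses, so DMZ1 hosts keep their native addresses
static (DMZ1,DMZ2) 10.10.1.0 10.10.1.0 netmask 255.255.255.0

! Permissive ACL from the page: everything from DMZ2 is allowed into DMZ1
access-list dmz2dmz permit ip any any
access-group dmz2dmz in interface DMZ2

! Tighter alternative (assumed policy): only HTTPS from DMZ2 hosts to one
! DMZ1 server; the explicit deny at the end makes the drop visible in the config.
! Binding a new access-group on DMZ2 replaces the permissive list above.
access-list dmz2dmz-strict permit tcp 10.10.2.0 255.255.255.0 host 10.10.1.19 eq 443
access-list dmz2dmz-strict deny ip any any
access-group dmz2dmz-strict in interface DMZ2

! Drop existing translations so the new static and ACL take effect
clear xlate
```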