What is a DMZ?
A Demilitarized Zone (DMZ) is a network segment that is separated from other networks. Most organizations use a DMZ to separate their Local Area Network (LAN) from the Internet, which adds a layer of security between the corporate network and the public Internet. A DMZ can also be used to separate one particular machine from the rest of the network, moving it outside the protection the firewall gives the internal network.
In most organizations, Internet-facing servers are placed in the DMZ.
Honeypots are also frequently deployed in the DMZ. They attract attackers so that the information gathered from their logs can be used for research.
Core Issue
Two different hosts on the inside network want to connect to a server in the Demilitarized Zone (DMZ), but one host uses the real private IP address of the DMZ server and the other host uses the public IP address of the DMZ server.
The server is located on the DMZ interface of the PIX firewall and must be reachable from the inside by both its NATted (public) and its unNATted (private) IP address.
Resolution
The required functionality can be achieved by combining these two NAT concepts:
- Destination Network Address Translation (DNAT)
- Policy NAT
Destination NAT:
In DNAT, the PIX rewrites the destination IP address of a connection from one IP address to another before forwarding it.
Refer to the Destination NAT section of ASA/PIX: Perform DNS Doctoring with the static Command and Three NAT Interfaces Configuration Example for more information about DNAT.
Policy NAT:
Policy NAT identifies local traffic for address translation by matching the source and destination addresses, or ports, in an access list, so a translation can be applied only to specific flows rather than to every packet from a given host.
Refer to the Policy NAT section of Establishing Connectivity for more information on how to configure Policy NAT on the PIX.
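The following configuration is an added example, not the article's own or Cisco's reference configuration, showing how the DNAT and Policy NAT concepts above fit together for the core issue. All addresses are constructed (RFC 1918 and RFC 5737 documentation ranges), the interface names, security levels and access-list names are assumptions, and the syntax is the PIX/ASA 7.x NAT model (before the 8.3 NAT rewrite). Host 10.1.1.10 reaches the DMZ server by its private address, host 10.1.1.20 by its public address.

```cisco
! Added example (not from the original article). Constructed addresses:
!   inside   10.1.1.0/24    clients 10.1.1.10 (private IP) and 10.1.1.20 (public IP)
!   dmz      192.168.1.0/24 server 192.168.1.5
!   outside  203.0.113.0/24 public address 203.0.113.5 mapped to the DMZ server
! Interface names, security levels and ACL names are assumptions.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
! 1. Destination NAT toward the Internet: connections from outside to
!    203.0.113.5 are rewritten to the server's real address 192.168.1.5.
!    Only HTTP is opened inbound; everything else to the DMZ stays blocked.
static (dmz,outside) 203.0.113.5 192.168.1.5 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.5 eq www
access-group OUTSIDE_IN in interface outside
!
! 2. Inside hosts that use the real (private) address: exempt
!    inside -> dmz traffic from translation (NAT exemption), so 10.1.1.10
!    can connect to 192.168.1.5 directly with no address rewrite.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! 3. Policy NAT: only for flows between the DMZ server and host 10.1.1.20
!    does the server appear on the inside interface as 203.0.113.5.
!    The PIX therefore rewrites 10.1.1.20 -> 203.0.113.5 to 192.168.1.5,
!    while 10.1.1.10 keeps using 192.168.1.5 unchanged. The policy ACL is
!    written from the DMZ server's point of view (real source, inside destination).
access-list DMZ_POLICY extended permit ip host 192.168.1.5 host 10.1.1.20
static (dmz,inside) 203.0.113.5 access-list DMZ_POLICY
!
! 4. Ordinary Internet access for the inside network: PAT on the outside
!    interface address. This does not affect the inside -> dmz flows above.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
```

To verify the two paths, open a connection from each inside host and compare the translation table with show xlate: the session from 10.1.1.20 should show 203.0.113.5 mapped to 192.168.1.5 on the inside interface, while the session from 10.1.1.10 appears untranslated. On 7.2 and later, packet-tracer input inside tcp 10.1.1.20 1025 203.0.113.5 80 walks the same decision and names the static rule that matched; running it with 10.1.1.10 as the source and 192.168.1.5 as the destination should instead hit the NAT exemption. Keep the policy ACL as narrow as the requirement (one inside host, one DMZ server); widening it to any source turns the policy static back into a plain static and removes the reason for using Policy NAT.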