
NAT inside -> dmz(s)


pixboy

MIS
Nov 21, 2001
We have a Pix 520UR with 6 interfaces. Right now, I've got it configured as outside, inside, dmz1, dmz2 and dmz3. (I have dmz4 named, and configured with 10.99.99.99 netmask 255.255.255.255 because I don't use it.)

ip address outside aaa.bbb.ccc.2 255.255.255.128
ip address inside 10.1.3.1 255.255.255.0
ip address dmz1 10.1.2.1 255.255.255.224
ip address dmz2 10.1.2.65 255.255.255.224
ip address dmz3 10.1.4.1 255.255.252.0
ip address dmz4 10.99.99.99 255.255.255.255

Whenever I connect to something in dmz3, I show up as 10.1.4.3 (the global for that dmz). I'd love to have connections coming from the inside interface (where our workstations are) to dmz3 done without any NAT. However, in playing with this on dmz4, I couldn't get it to work unless I set up both NAT and global for dmz4. Is what I'm trying to do possible? This becomes important if I place a large number of web sites in dmz3. I want those machines to be able to individually identify users coming from the inside interface, not lump them together.

In case it helps:

global (outside) 1 aaa.bbb.ccc.3
global (outside) 1 aaa.bbb.ccc.127
global (dmz1) 1 10.1.2.4
global (dmz2) 1 10.1.2.70
global (dmz3) 1 10.1.4.3

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz2) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz3) 1 0.0.0.0 0.0.0.0 0 0

Thanks!

 
Hello

Maybe this helps you

access-list no-nat permit ip any host {webserver-ip}

nat (inside) 0 access-list no-nat

STOMII
 
Thanks for the info. Our Pix is currently on version 5.2(1), and we don't currently use access lists. (We use conduit commands instead.) Any danger in mixing these? And in your example, can you make {webserver-ip} an IP range such as 10.1.4.0 netmask 255.255.252.0? That would cover the entire dmz3 range.

And the access list you mention won't impact any settings that are associated with incoming (outside) traffic?

Thanks!
 
Hi

I think there should be no problem in using ranges.
Mixing ACLs and conduits means that you can no longer use the PDM for config (only for monitoring). Using the CLI is ok.

CU
StomII
 
That should be fine, since we don't use the PDM anyway. Eventually, when I find the time and a really low amount of traffic (read: practically never), I'm planning to upgrade to the latest version of the Pix software. Hopefully, that'll happen in my lifetime ... :)
 
Well, it seemed to work OK for a little while. Then we started having major problems trying to get to one of the web servers in DMZ3. After trying to blame it on the application server platform, I finally removed the access-list and the NAT statements you suggested and ... things went back to normal. Any ideas as to what might be going wrong? I don't see anything in the syslog to indicate things being blocked.

Things seemed to be OK with one of the Solaris boxes that I was telnetting into in DMZ3, but this particular web server (Win2K) was having problems. Don't know if it'd make any difference, but the server in question has two NICs -- one in DMZ3 and one in the inside zone. The DMZ3 NIC is the primary one, as the inside one has no default gateway set at all.

Help!

 
Hi.

**

Check for routing conflicts between the W2K server and the internal network of the pix.
Is there an overlap of subnets between pix internal network, and W2K server internal network?
Check with "tracert", "route print" and other.
Also try with a simple telnet or other service on the W2K server and connect from pix inside network to see what you get.
Try to add a "route" at the pix that will point to the W2K internal network - maybe the W2K sends packets with source address (in ip header or embedded in upper layer data) that is the internal address and not the one you are expecting?

**

After changing nat/global/static and other related settings, you should issue the command:

clear xlate

Note that this will clear all current active connections via the pix.

And sometimes you also need to clear arp tables on neighbor routers.

I don't know if it is related to your problem, but might be.

**

Try again to find the time for the OS upgrade. Maybe this will solve it and you'll get additional features.

Bye
Yizhar Hurwitz
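Putting StomII's NAT-exemption suggestion, the follow-up question about using the whole dmz3 range instead of a single host, and the clear xlate step from the last post together, here is the resulting configuration as an added example; it is not copied from any post in the thread. It assumes the inside workstations sit in 10.1.3.0/24 as the interface list shows; lines starting with ! are annotations, not PIX commands.

```text
! Interfaces as given in the original post (only the two that matter here)
ip address inside 10.1.3.1 255.255.255.0
ip address dmz3 10.1.4.1 255.255.252.0

! NAT exemption: inside hosts reach any host in the dmz3 range with their
! real source address. PIX access-lists take netmasks, not wildcard masks;
! source is the inside network, destination is the dmz3 range.
! Keeping the source to 10.1.3.0/24 (rather than "any") limits the exemption
! to the workstations; nat 0 only changes translation, so the conduits that
! govern traffic arriving from outside are left exactly as they were.
access-list no-nat permit ip 10.1.3.0 255.255.255.0 10.1.4.0 255.255.252.0
nat (inside) 0 access-list no-nat

! Everything else leaving the inside interface keeps the existing behaviour
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (dmz3) 1 10.1.4.3

! Translations built before the change are still cached; flush them so the
! new policy takes effect (this drops every active connection through the PIX)
clear xlate

! Verify: after a fresh inside-to-dmz3 connection there should be no xlate
! entry for the inside host, while connections to dmz1/dmz2 still get one
show xlate
```

If a dmz3 server is also dual-homed on the inside network, as the Win2K box in the thread is, check that its replies leave by the dmz3 interface, since an answer going out the inside NIC never passes the PIX and the connection will stall.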
 