NAT-Issue with PIX

[martinp05]

Hello!

I have to solve the following problem.

On the 520er PIX i have several interfaces. Behind the DMZ-Interface i have an webserver with a private ip (citrix secure gateway). This server is available in the public internet (static on the pix).

From the INSIDE-Interface we want to use this Server for Citrix-access. When i resolve this server from the INSIDE-LAN i get the public ip for this server.

The problem is (i think), that the request to this server goes out of the pix to the internet, and then goes back to the pix to the dmz-interface...And this will not work.

My idea is, to make a nat for the puplic ip, when the request comes from the INSIDE-LAN. This nat should transfer the public-ip to the private-ip of the server located in the dmz.

I think i will not need an static, because the access goes from the higher sec-level (inside) to the lower-level (dmz).
I need to nat a pubip to an private ip from an higher sec-level to an lower-level.

But what can i do??

Martin

----------------------------------
Martin Peinsipp, Austria
CCSA,
IT-Security-Administrator

 

[tbissett]

It depends on the version of your PIX OS. Newer versions (6.3(3) I think) allow you to use the static command to map from higher to lower. In addition to:
static (dmz,outside) <outside ip> <dmz ip>

add the following to map the public IP to your internal network:
static (dmz,inside) <outside ip> <dmz ip>

If that does not work, try the alias command (which was for older PIXes). On this command, it's better to simply read about it at:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

Hope this helps!

 

[martinp05]

hello,

thank you for your help, the static did it.

martin

----------------------------------
Martin Peinsipp, Austria
CCSA,
IT-Security-Administrator