NAT Issues in DMZ

Status
Not open for further replies.

draum

MIS
Apr 17, 2001
6
US
I have a PIX 515 with outside, inside and DMZ interfaces. Inside the DMZ, I have two FTP servers. Right now, I have connectivity all around and everything is working just dandy, with one exception: my FTP logs only ever show connections from the DMZ IP address (10.1.1.1). Every inbound connection appears to be coming from 10.1.1.1. This causes some major issues with reporting and transfer tracking.

Here's how it's configured:

global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) FTPSERVER1 10.1.1.4 255.255.255.255
alias (inside) FTPSERVER2 10.1.1.5 255.255.255.255
static (dmz,outside) FTPSERVER1 10.1.1.4 netmask 255.255.255.255 0 0
static (dmz,outside) FTPSERVER2 10.1.1.5 netmask 255.255.255.255 0 0

Any ideas how to fix this? My best guess was to remove the global (dmz), but that cuts off communications from my inside interface.

What have I mucked up here?

Thanks.
 
Hi,

As your configuration shows, everyone uses NAT on the inside interface. To keep internal users from using NAT, let's use the nat 0 access-list command.

I.e., if your internal network is 172.16.0.0/16:

access-list nonat permit ip 172.16.0.0 255.255.0.0 host ftpserver1
access-list nonat permit ip 172.16.0.0 255.255.0.0 host ftpserver2
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.0.0 255.255.0.0

Anyway, users connecting to your server from the outside interface should be seen with their public IP address.

Hope this helps.
Phil.
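Added example, not from the thread and not Cisco code: a small Python model of the translation order the two posts rely on, applied to the original nat/global lines and to Phil's suggested ones. It shows why inside hosts reaching the FTP servers appear as the DMZ interface address (10.1.1.1) with `global (dmz) 1 interface`, and why a matching `nat (inside) 0 access-list` entry preserves the real source. The outside interface address (203.0.113.1), the name table for ftpserver1/ftpserver2 and the sample client addresses are constructed or assumed; the PIX order itself is simplified to the two steps the thread exercises.

```python
"""Simplified model of how a PIX picks a source translation for a flow.

Added example, not Cisco code and not from the thread. Order modelled:
  1. a nat 0 access-list on the ingress interface (NAT exemption) wins outright;
  2. otherwise the first nat statement on the ingress interface whose network
     contains the source is paired with the global of the same id on the
     egress interface (id 0 without an ACL means identity NAT).
"""
from ipaddress import ip_address, ip_network

# Constructed: the dmz address is from the question; the outside address is a
# documentation-range placeholder.
INTERFACE_ADDR = {"outside": "203.0.113.1", "dmz": "10.1.1.1"}

# Assumed name table (a PIX would hold these via name/alias statements); the
# values are the server addresses given in the question.
NAMES = {"ftpserver1": "10.1.1.4", "ftpserver2": "10.1.1.5"}


def resolve(token):
    """Turn a config host name into an address; pass literal IPs through."""
    return NAMES.get(token.lower(), token)


def parse_config(text):
    """Parse only the access-list, nat and global forms used in the thread."""
    cfg = {"acl": {}, "nat": [], "global": {}}
    for line in text.strip().splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "access-list":
            # access-list NAME permit ip SRC MASK (host DST | DST MASK)
            src = ip_network(f"{p[4]}/{p[5]}")
            if p[6] == "host":
                dst = ip_network(f"{resolve(p[7])}/32")
            else:
                dst = ip_network(f"{resolve(p[6])}/{p[7]}")
            cfg["acl"].setdefault(p[1], []).append((src, dst))
        elif p[0] == "nat":
            # nat (IF) ID access-list NAME   or   nat (IF) ID ADDR MASK [...]
            rule = {"if": p[1].strip("()"), "id": int(p[2])}
            if p[3] == "access-list":
                rule["acl"] = p[4]
            else:
                rule["net"] = ip_network(f"{p[3]}/{p[4]}")
            cfg["nat"].append(rule)
        elif p[0] == "global":
            # global (IF) ID interface  -> PAT to that interface's own address
            ifname = p[1].strip("()")
            addr = INTERFACE_ADDR[ifname] if p[3] == "interface" else p[3]
            cfg["global"][(ifname, int(p[2]))] = addr
    return cfg


def translated_source(cfg, ingress, egress, src, dst):
    """Return the source address the destination will see, or None if no
    nat/global pair applies to the flow."""
    src_ip, dst_ip = ip_address(src), ip_address(resolve(dst))
    # Step 1: NAT exemption (nat 0 access-list) on the ingress interface.
    for rule in cfg["nat"]:
        if rule["if"] == ingress and rule["id"] == 0 and "acl" in rule:
            for acl_src, acl_dst in cfg["acl"].get(rule["acl"], []):
                if src_ip in acl_src and dst_ip in acl_dst:
                    return str(src_ip)
    # Step 2: dynamic nat statement paired with the egress global of same id.
    for rule in cfg["nat"]:
        if rule["if"] == ingress and "net" in rule and src_ip in rule["net"]:
            if rule["id"] == 0:
                return str(src_ip)  # identity NAT
            mapped = cfg["global"].get((egress, rule["id"]))
            if mapped is not None:
                return mapped
    return None


# The question's nat/global lines.
ORIGINAL = """
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
"""

# Phil's suggestion, with the two global lines kept.
FIXED = """
global (outside) 1 interface
global (dmz) 1 interface
access-list nonat permit ip 172.16.0.0 255.255.0.0 host ftpserver1
access-list nonat permit ip 172.16.0.0 255.255.0.0 host ftpserver2
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.0.0 255.255.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
"""

if __name__ == "__main__":
    # Constructed inside client 172.16.5.9 connecting to ftpserver1 in the DMZ.
    for label, text in (("original", ORIGINAL), ("fixed", FIXED)):
        seen = translated_source(parse_config(text), "inside", "dmz",
                                 "172.16.5.9", "ftpserver1")
        print(f"{label}: FTP server logs the client as {seen}")
```

With the original lines the model returns 10.1.1.1 for every inside client, matching the FTP logs in the question; with the exemption in place it returns the client's own address, while inside-to-outside traffic is still PAT'ed to the outside interface. One thing the model also surfaces: because the fixed `nat (inside) 1` is narrowed to 172.16.0.0/16, an inside host outside that range matches no nat statement at all, so the ACL and the nat statement both have to cover the real inside address space.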
 