
NAT problem


PIXFirewall

IS-IT--Management
Mar 13, 2003
Hi folks!

The following is my network:

Internet
|
PIX --- DMZ---Cisco3640--Pvt WAN Link----Cisco 3640---Host
|
Server Zone


To ensure that I make some servers available on the Internet and across the WAN link, I advertise the servers on the DMZ and Internet using the static command.

These servers also have to initiate connections to replication servers, one on the Internet and the other on the other end of the WAN link. For this I need to use the nat command.

i.e.

if x.x.x.x/27 is my Server IP (inside)
and y.y.y.y/24 is the DMZ zone
and z.z.z.z/24 is the Internet zone (outside)


then I need to nat for each zone, as the routes are different to reach different servers.

global (outside) 1 z.z.z.10
global (dmz) 2 y.y.y.10
nat (inside) 1 x.x.x.x 255.255.255.255
nat (inside) 2 x.x.x.x 255.255.255.255

In effect, I want to NAT the same IP to different DMZs as different global IPs. I am getting a "Duplicate NAT entry". How do I overcome this?

Any help on this is appreciated. Thanks.
 
Hi.

You might need to use the same NAT ID number for all, like this:

global (outside) 1 z.z.z.10
global (dmz) 1 y.y.y.10
nat (inside) 1 x.x.x.x 255.255.255.255

But I didn't get the exact picture.
Are you using STATIC or NAT?
For static mapping of a single IP address like servers (mask 255.255.255.255) you normally use STATIC and not NAT.

Try to rephrase your scenario.



Yizhar Hurwitz
 
I agree with Yizhar; it is better to use static if you are to use only one IP address. My proposal is:

static (inside, outside) z.z.z.10 x.x.x.10 netmask 255.255.255.255
static (inside, dmz) y.y.y.10 x.x.x.10 netmask 255.255.255.255

Notice that the syntax is peculiar:
static (source-interface, dest-interface) dest-ip source-ip

Do not forget to open traffic with the corresponding access-lists applied to outside and dmz interface.

Regards,

Diego.
 
Let me clarify my problem.

I have a PIX with THREE interfaces. I have named them as OUTSIDE, DMZ and INSIDE in ascending security order.

All my servers are on the INSIDE interface and all my PCs on the LAN are on the DMZ interface.

With the STATIC command, I publish my WEB and MAIL servers on both the OUTSIDE and DMZ interface (with the help of appropriate ACCESS LISTS).

Also, my MAIL SERVER replicates with TWO other MAIL SERVERS, one on the DMZ (Branch Office) and one OUTSIDE (Internet). I use the above as a DRP strategy. For this my MAIL Server in the INSIDE interface needs to initiate connection with the other TWO servers. For this, I use the NAT command with the help of an appropriate GLOBAL command.

But I have noticed that the entire setup works well for some time (around 5 minutes), i.e. all the servers are able to communicate with each other and all users are able to access the Mail Server on the DMZ zone.

Then the network (PIX) goes into a hang. The users are not able to access the server. I use the CLEAR XLATE command and then everything is back to normal... for 5 minutes. There are enough KEEPALIVEs in the server's configuration file. Besides, when I keep both the server and the users on the DMZ zone without the help of the STATIC command, everything works normally. The PIX does not have any load, as I have checked the same with the SHOW MEM and SHOW CPU USAGE commands.

What am I missing ?
 
Is it just me who thinks that you have a very strange setup there? All your LAN PC's in the DMZ, what's all that about???
 
My definition of Zones / DMZ is as follows:

nameif ethernet0 outside security0 (Internet Zone)
nameif ethernet1 inside security100 (Server Zone)
nameif ethernet2 dmz security50 (LAN / DMZ Zone)

My objective is to give maximum security to the Server Zone which is on the INSIDE interface.

The STATIC command has opened up only the bare minimum ports (on to the DMZ and OUTSIDE interfaces) required for the associated "application access", with the corresponding access-lists applied to the relevant interfaces. This ensures that one controls / audits (to a certain extent) the LAN zone also with a certain degree of suspicion. The DMZ zone and LAN zone are on physically different switches.

I am open to any suggestions to add more security to the network. Please KEEP THEM COMING.
 
I'm sure when setting up static NAT as you have done the internal server will appear on the DMZ or the outside networks as the IP address configured in the appropriate static.

The Cisco documentation says that connections initiated from inside to outside use the NAT and GLOBAL commands, no problem there. Also for connections initiated from the outside you use static and ACL entries.

But when you add a static command mapping an inside address to an outside address, you will find that an outgoing connection from that device will also use the static address, not one picked from the NAT/GLOBAL address pool. The clue to this is a brief statement in some documentation that the static and acl command combination punches a hole through the PIX. I checked this with an analyser to make sure.

Use the static commands and I'm sure you will get this to work.



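To make the two points in this thread concrete (the "Duplicate NAT entry" from binding one inside address to two nat IDs, and a static being used for the server's own outbound connections in preference to the nat/global pool), here is an added Python model of the PIX 6.x translation lookup. It is an example written for this page, not code from the thread or from Cisco. The addresses are constructed RFC 1918 / RFC 5737 stand-ins for the x.x.x.x, y.y.y.y and z.z.z.z of the original question, and the model assumes the documented precedence (a matching static wins over nat/global) with one static or nat entry per interface pair, no policy NAT and no port translation.

```python
import ipaddress
from dataclasses import dataclass, field


class DuplicateNatEntry(ValueError):
    """The thread's error: one real address bound to two different nat IDs."""


@dataclass
class PixConfig:
    security: dict = field(default_factory=dict)   # ifc -> security level
    statics: list = field(default_factory=list)    # (real_ifc, mapped_ifc, mapped_net, real_net)
    globals_: dict = field(default_factory=dict)   # (ifc, nat_id) -> mapped address
    nats: dict = field(default_factory=dict)       # (ifc, real_net) -> nat_id
    acls: dict = field(default_factory=dict)       # acl name -> [(dst_ip, port)]
    groups: dict = field(default_factory=dict)     # ifc -> acl name applied inbound


def _net(ip, mask):
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


def parse_config(text):
    """Parse the handful of PIX 6.x commands this thread uses (assumed subset)."""
    cfg = PixConfig()
    for raw in text.strip().splitlines():
        w = raw.split()
        if w[0] == "nameif":            # nameif ethernet0 outside security0
            cfg.security[w[2]] = int(w[3].removeprefix("security"))
        elif w[0] == "static":          # static (real,mapped) MAPPED REAL netmask MASK
            real_ifc, mapped_ifc = w[1].strip("()").split(",")
            cfg.statics.append((real_ifc, mapped_ifc, _net(w[2], w[5]), _net(w[3], w[5])))
        elif w[0] == "global":          # global (ifc) ID ADDR
            cfg.globals_[(w[1].strip("()"), int(w[2]))] = w[3]
        elif w[0] == "nat":             # nat (ifc) ID ADDR MASK
            key = (w[1].strip("()"), _net(w[3], w[4]))
            if key in cfg.nats and cfg.nats[key] != int(w[2]):
                raise DuplicateNatEntry(raw)   # same real address, second nat ID
            cfg.nats[key] = int(w[2])
        elif w[0] == "access-list":     # access-list NAME permit tcp any host IP eq PORT
            cfg.acls.setdefault(w[1], []).append((w[6], int(w[8])))
        elif w[0] == "access-group":    # access-group NAME in interface IFC
            cfg.groups[w[4]] = w[1]
    return cfg


def rejected_line(text):
    """The config line rejected as a duplicate NAT entry, or None if it parses."""
    try:
        parse_config(text)
    except DuplicateNatEntry as e:
        return str(e)
    return None


def outbound_mapped_ip(cfg, real_ifc, real_ip, dest_ifc):
    """Address a host on real_ifc is seen as when it opens a connection towards
    dest_ifc: a matching static first, then the nat/global pool (assumed order)."""
    host = ipaddress.IPv4Address(real_ip)
    for r_ifc, m_ifc, mapped_net, real_net in cfg.statics:
        if r_ifc == real_ifc and m_ifc == dest_ifc and host in real_net:
            offset = int(host) - int(real_net.network_address)
            return str(mapped_net.network_address + offset)
    if cfg.security.get(real_ifc, 0) > cfg.security.get(dest_ifc, 0):  # nat/global is high-to-low only
        for (n_ifc, real_net), nat_id in cfg.nats.items():
            if n_ifc == real_ifc and host in real_net and (dest_ifc, nat_id) in cfg.globals_:
                return cfg.globals_[(dest_ifc, nat_id)]
    return None   # no xlate available: the PIX drops the connection


def inbound_real_ip(cfg, mapped_ifc, mapped_ip, port):
    """Real address reached from mapped_ifc via mapped_ip:port, or None when either
    half of the "hole" (a permitting ACL line, a static) is missing."""
    if (mapped_ip, port) not in cfg.acls.get(cfg.groups.get(mapped_ifc), []):
        return None
    addr = ipaddress.IPv4Address(mapped_ip)
    for r_ifc, m_ifc, mapped_net, real_net in cfg.statics:
        if m_ifc == mapped_ifc and addr in mapped_net:
            return str(real_net.network_address + (int(addr) - int(mapped_net.network_address)))
    return None


# Constructed sample configs: 10.1.1.0/27 stands in for x.x.x.x, 192.168.50.0/24
# for y.y.y.y and 203.0.113.0/24 for z.z.z.z. The first is the original question.
BROKEN_CONFIG = """nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
global (outside) 1 203.0.113.10
global (dmz) 2 192.168.50.10
nat (inside) 1 10.1.1.10 255.255.255.255
nat (inside) 2 10.1.1.10 255.255.255.255"""

WORKING_CONFIG = """nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (inside,dmz) 192.168.50.10 10.1.1.10 netmask 255.255.255.255
global (outside) 1 203.0.113.20
global (dmz) 1 192.168.50.20
nat (inside) 1 10.1.1.0 255.255.255.224
access-list outside_in permit tcp any host 203.0.113.10 eq 1352
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-list dmz_in permit tcp any host 192.168.50.10 eq 1352
access-group outside_in in interface outside
access-group dmz_in in interface dmz"""

if __name__ == "__main__":
    print("rejected:", rejected_line(BROKEN_CONFIG))
    cfg = parse_config(WORKING_CONFIG)
    print(outbound_mapped_ip(cfg, "inside", "10.1.1.10", "outside"))  # static wins over the pool
    print(outbound_mapped_ip(cfg, "inside", "10.1.1.11", "outside"))  # other hosts use the global
    print(inbound_real_ip(cfg, "outside", "203.0.113.10", 1352))     # ACL + static: reaches the server
    print(inbound_real_ip(cfg, "outside", "203.0.113.10", 80))       # no ACL line for 80: dropped
```

The model shows why Diego's two statics are enough on their own: the mail server's own connections to each interface leave with the static's mapped address, and the `nat (inside) 1` line only serves the remaining hosts of the /27 through the `global` with the same ID on each interface. On a real PIX, `show xlate` after the server opens a connection to each side is the check that the static, not the pool address, is being used.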
 
Thanks. Your input is very interesting, since my objective in choosing this approach was to have fool-proof security. Very peculiar. Anyway, I will check the same myself with some analysers... Thanks again.

I am using PIX version 6.2(2)
I am using STATIC for publishing the server on both the DMZ and OUTSIDE with appropriate ACL entries. One of the servers (the area that is giving problems) that uses this feature is the MAIL Server, which uses the Lotus Domino platform. So the relevant entries in the ACL that are opened on both the DMZ and OUTSIDE are Lotus RPC (1352), HTTP (80) and HTTPS (443). The respective users from both the DMZ and OUTSIDE use one of these ports to access the server depending on whether they use a Lotus Notes client or an Internet browser. So far so good.

This server also needs to transfer information (route mails, replication, administrative requests etc.) with two other Lotus Domino Servers which are also in the same Notes domain. One of them is on the Internet (OUTSIDE) and the other on the other end of a VPN connected to the DMZ interface. These servers would use the same STATIC methods described above for the users to access the Mail Server on the INTERNAL interface through the Lotus RPC port, which is anyway opened on the respective interfaces.

This Mail Server on the INTERNAL interface would also initiate a session with the other two servers for administrative requests, replication etc. on port 1352 to the other two interfaces. This can be done only through NAT / GLOBAL (or is there any other method?).

Awaiting your observations on the above
 