NATing on DMZ


draum (MIS, US), Apr 17, 2001
I have a PIX 515 with three interfaces (inside, outside, dmz). All the interfaces are working properly with outbound and inbound connectivity, but any connections that come into the DMZ (from inside or outside) get NAT'ed with the DMZ's interface address. I'm pretty sure the culprit is when I put the DMZ interface into the global PAT pool (see config snippet below).

However, if I remove that command, I am not able to get connectivity from the inside interface to the DMZ interface to work properly.

global (outside) 1 interface
global (dmz) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

Any thoughts?
 
Yes, you are correct.
global (dmz) 1 interface
is the culprit.

Check your security levels on each interface. The DMZ security level needs to be lower than the inside but higher than the outside.

Typically, the security levels are:
outside 0
dmz 50
inside 100

If security levels aren't your problem, consider copying and pasting your config, minus the passwords and your 'real' (outside) IP addresses.

Iota
 
What do you have in your DMZ? It's more usual to do static mappings for servers that are accessible from the Internet. You would have a private IP to global IP NAT for each server (like SMTP, web and FTP servers) and then do NAT on the inside network with a global outside address and a global DMZ address.

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Thanks for the suggestions.

I am already using statics for the DMZ hosts, which is working well. Are you saying I would need a global and nat command for each DMZ host as well?

e.g. global (dmz) 5 <outside-ip-1>
global (dmz) 6 <outside-ip-2>
nat (dmz) 5 <dmz-ip-1>
nat (dmz) 6 <dmz-ip-2>

Below is a larger snippet of my config -- not sure if that will shed any more light on this:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security75

access-list acl-prod permit tcp any host xxx.xxx.xxx.2 eq www
access-list acl-prod permit tcp any host xxx.xxx.xxx.3 eq dns
access-list acl-prod permit tcp any host xxx.xxx.xxx.50 eq ftp
access-group acl-prod in interface outside

ip address outside xxx.xxx.xxx.1 255.255.255.0
ip address dmz 10.0.0.1 255.255.255.0

global (outside) 1 interface
global (dmz) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

alias (inside) xxx.xxx.xxx.2 10.0.0.2 255.255.255.255
alias (inside) xxx.xxx.xxx.3 10.0.0.3 255.255.255.255
alias (inside) xxx.xxx.xxx.50 10.0.0.4 255.255.255.255

static (dmz,outside) xxx.xxx.xxx.2 10.0.0.2 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.3 10.0.0.3 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.50 10.0.0.4 netmask 255.255.255.255 0 0

Thanks for all your help!

-Doug
 
If all your hosts on the DMZ are subject to static NAT then you don't need the command:

nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

This basically says NAT everything that comes from this interface. However, you have already done static NAT translations for all your servers:

static (dmz,outside) xxx.xxx.xxx.2 10.0.0.2 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.3 10.0.0.3 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.50 10.0.0.4 netmask 255.255.255.255 0 0

The "global (dmz) 1 interface" command is for hosts that are coming from the inside network and are part of NAT group 1. They will be NATed to the DMZ interface address, but your servers will still be subject to the static NAT statements.

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
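The lookup order Chris describes (statics first, then a nat on the source interface paired with a global of the same id on the destination interface, and a drop when neither matches) is what produces every symptom in this thread. The following is an added example, not code or config from the thread or from Cisco: a small Python model of that PIX 6.x translation order run against the poster's configuration and against a corrected one. Addresses are constructed: 203.0.113.0/24 stands in for the masked xxx.xxx.xxx.0/24, and 192.168.1.0/24 is an assumed inside network (the thread never shows the inside subnet). The alias commands are not modelled. The corrected configuration goes one step beyond what the thread states: instead of PATing inside hosts to the DMZ interface address, it adds an identity `static (inside,dmz)` so inside hosts keep their real address on the DMZ.

```python
"""Model of how a PIX 6.x picks a source translation for higher-to-lower traffic.

Added example, not from the thread. Order modelled: static first, then the most
specific nat on the source interface paired with a global of the same id on the
destination interface ('interface' = PAT to that interface's address); no match
means the PIX drops the packet. Addresses are constructed (see lead-in).
"""
import ipaddress


class NoTranslation(Exception):
    """Raised where the PIX would log 'no translation group found'."""


class Pix:
    def __init__(self):
        self.security = {}   # interface -> security level
        self.if_addr = {}    # interface -> its own IP, used by 'global ... interface'
        self.statics = []    # (real_if, mapped_if, mapped_net, real_net)
        self.nats = {}       # src_if -> [(nat_id, network)]
        self.globals = {}    # (dst_if, nat_id) -> 'interface' or a pool address

    def nameif(self, name, level):
        self.security[name] = level

    def ip_address(self, ifname, addr):
        self.if_addr[ifname] = addr

    def static(self, real_if, mapped_if, mapped, real, mask="255.255.255.255"):
        """static (real_if,mapped_if) mapped real netmask mask"""
        self.statics.append((real_if, mapped_if,
                             ipaddress.ip_network(f"{mapped}/{mask}"),
                             ipaddress.ip_network(f"{real}/{mask}")))

    def nat(self, src_if, nat_id, net, mask):
        """nat (src_if) nat_id net mask"""
        self.nats.setdefault(src_if, []).append(
            (nat_id, ipaddress.ip_network(f"{net}/{mask}")))

    def global_(self, dst_if, nat_id, pool):
        """global (dst_if) nat_id pool   (pool may be the literal 'interface')"""
        self.globals[(dst_if, nat_id)] = pool

    def translate(self, src_if, src_ip, dst_if):
        """Source address of src_ip as it appears on dst_if."""
        if self.security[src_if] <= self.security[dst_if]:
            raise ValueError("model covers higher-to-lower security traffic only")
        ip = ipaddress.ip_address(src_ip)
        # 1. statics win, so a host covered by one never reaches nat/global
        for real_if, mapped_if, mapped_net, real_net in self.statics:
            if (real_if, mapped_if) == (src_if, dst_if) and ip in real_net:
                offset = int(ip) - int(real_net.network_address)
                return str(mapped_net.network_address + offset)
        # 2. most specific nat on the source interface with a matching global
        for nat_id, net in sorted(self.nats.get(src_if, []),
                                  key=lambda n: -n[1].prefixlen):
            if ip in net and (dst_if, nat_id) in self.globals:
                pool = self.globals[(dst_if, nat_id)]
                return self.if_addr[dst_if] if pool == "interface" else pool
        raise NoTranslation(f"no translation group found for {src_if}:{src_ip} -> {dst_if}")


def lookup(pix, src_if, src_ip, dst_if):
    """translate(), but report a drop as a string instead of raising."""
    try:
        return pix.translate(src_if, src_ip, dst_if)
    except NoTranslation as exc:
        return f"DROP ({exc})"


def poster_config():
    """The configuration quoted in the thread, with constructed addresses."""
    pix = Pix()
    for name, level in (("outside", 0), ("inside", 100), ("dmz", 75)):
        pix.nameif(name, level)
    pix.ip_address("outside", "203.0.113.1")  # stands in for xxx.xxx.xxx.1
    pix.ip_address("dmz", "10.0.0.1")
    pix.global_("outside", 1, "interface")
    pix.global_("dmz", 1, "interface")
    pix.nat("inside", 1, "0.0.0.0", "0.0.0.0")
    pix.nat("dmz", 1, "0.0.0.0", "0.0.0.0")
    for pub, priv in (("203.0.113.2", "10.0.0.2"), ("203.0.113.3", "10.0.0.3"),
                      ("203.0.113.50", "10.0.0.4")):
        pix.static("dmz", "outside", pub, priv)
    return pix


def corrected_config():
    """Drop the redundant nat (dmz) 1 and stop PATing inside hosts to the DMZ address."""
    pix = poster_config()
    pix.nats.pop("dmz")                 # every DMZ server already has a static
    del pix.globals[("dmz", 1)]         # no more PAT to 10.0.0.1 toward the DMZ
    # identity static keeps inside addresses intact on the DMZ (standard 6.x
    # idiom; this step goes beyond what the thread itself states; inside
    # network 192.168.1.0/24 is assumed)
    pix.static("inside", "dmz", "192.168.1.0", "192.168.1.0", "255.255.255.0")
    return pix


if __name__ == "__main__":
    flows = [("inside", "192.168.1.10", "dmz"), ("inside", "192.168.1.10", "outside"),
             ("dmz", "10.0.0.2", "outside"), ("dmz", "10.0.0.99", "outside")]
    for label, pix in (("poster", poster_config()), ("corrected", corrected_config())):
        for flow in flows:
            print(f"{label:9} {flow[0]}:{flow[1]} -> {flow[2]}: {lookup(pix, *flow)}")
```

Running it reproduces the thread: under the poster's config an inside host toward the DMZ becomes 10.0.0.1 (the complaint), the DMZ servers toward the outside use their statics regardless of `nat (dmz) 1`, and only a DMZ host without a static (10.0.0.99 here) would ever use that nat line. Deleting `global (dmz) 1 interface` on its own turns inside-to-DMZ into a drop, which is the second symptom the poster reports. The corrected config keeps inside addresses intact on the DMZ, and it also drops a DMZ host that has no static, which is the caveat behind "if all your hosts on the DMZ are subject to static NAT".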
 