
PIX 515E 6 interfaces - public IP on DMZ translation

Status
Not open for further replies.

wwwmario

Technical User
Aug 18, 2002
17
IT
Hello,

I recently switched our company firewalling system from FW-1 to Cisco PIX.

Coming from that platform and not being a PIX OS CLI guru,
I went for PDM config (bleaaaaargh - I think that is messing up the conf...).

Our system has 6 interfaces, of which 5 are used:
inside/outside/pub-dmz/prod-dmz/proj-dmz
The DMZs differ in the inbound services allowed, and they're all
using a public class.

Here's the relevant parts of the running conf that show how whatever hosts on whatever DMZs should have its IP unchanged:

(omitted)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 pub-dmz security20
nameif ethernet3 prod-dmz security40
nameif ethernet4 proj-dmz security60

(omitted)
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (pub-dmz) 0 0.0.0.0 0.0.0.0 0 0
nat (prod-dmz) 0 0.0.0.0 0.0.0.0 0 0
nat (proj-dmz) 0 0.0.0.0 0.0.0.0 0 0

(omitted)

Everything works fine, except that I have a problem with IP address translation for just 1 host residing in the prod-dmz.
The webserver is serving http/https and was reported not to be accessible from the outside.
I checked the logs and discovered that the PIX was complaining about the lack of translation groups for that host.
Now, since this problem hasn't arisen on hosts in the pub-dmz (same services), and the pub/prod-dmzs share the same nat 0 command, why did I have to specify a "static (prod-dmz,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0" for that single host to make things work??

Thanks in advance for any help.

Cheers,

/Mario

 
You will also need static translations for all servers accessed from the outside. Here's why it is working... if a server on the prod-dmz initiates a connection to the outside then it creates a translation in the PIX's xlate table, and if an ACL permits inbound traffic then outside users can access this server. It behaves like a static translation as long as the prod-dmz server initiates a connection to the outside. A static translation on the other hand does not have this limitation: an outside user can access the server as long as the ACL allows it, regardless of whether the server initiates a connection to the outside or not. I would advise you to configure a static translation for the public servers.
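To make the fix concrete, here is an added configuration fragment (not from the thread or the poster's running config) putting the weak "nat 0 only" setting beside the corrected static plus ACL. The server address 203.0.113.10 and the ACL name outside_access_in are placeholders I chose, not values from the thread.

```text
: Existing identity NAT on the DMZ (as in the thread): an xlate is only
: built when a DMZ host initiates an outbound connection, so a server that
: never talks out gets "no translation group found" on inbound traffic.
nat (prod-dmz) 0 0.0.0.0 0.0.0.0 0 0

: Added fix: a permanent identity static for the web server, keeping its
: public address unchanged on both sides (203.0.113.10 is a placeholder).
static (prod-dmz,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255 0 0

: The static only creates the translation; the ACL applied inbound on the
: outside interface still decides which services reach the server.
: Limiting it to 80/443 keeps the DMZ host from being fully exposed.
access-list outside_access_in permit tcp any host 203.0.113.10 eq 80
access-list outside_access_in permit tcp any host 203.0.113.10 eq 443
access-group outside_access_in in interface outside

: Verification: the static should be present without any outbound
: traffic from the server, unlike the dynamic nat 0 xlate.
show static
show xlate
```

On PIX 6.x, run clear xlate after changing nat or static statements so existing dynamic translations do not mask the effect of the new static.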
 