
PIX 515e and NAT0

Jun 21, 2002
We are new to PIX firewalls and are trying to set up a 515e with 4 interfaces: Inside, outside, DMZ & a Partner. We currently have it working by using NAT1 (PAT) to each interface from the inside interface. We've read and would like to use NAT0 (not translate) to the DMZ and Partner from the inside.
We've updated the IOS to 6.2 and the PDM to 2.0 (the newest for each). This firewall connects to our current firewall via the partner network using a registered address. We are using private addressing on the inside.
Any suggestions on how we can use NAT0 on the inside to DMZ and inside to partner? Or are we trying to make the PIX do something difficult to setup and manage?

Thanks in advance,
 
Yizhar,

Here is the config, I had to change our addresses to please our security officer but the "private address config" has the same meaning.

PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security40
nameif ethernet3 partner security60

hostname PIX62
domain-name xyz.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.10.3 DMZ-WebServer

access-list acl_dmz permit tcp any host DMZ-WebServer eq www
access-list inside_access_in permit ip 192.168.2.0 255.255.255.0 host DMZ-WebServer
access-list inside_access_in permit icmp any any
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list acl_dmzTOinside permit ip host LRMS-WebServer any
access-list partner_access_in permit ip 192.168.4.0 255.255.255.0 192.168.2.0 255.255.255.0
no pager
logging on
logging timestamp
logging buffered debugging
logging trap debugging
logging host partner 192.168.3.9
interface ethernet0 10baset
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu partner 1500
ip address outside 192.168.9.1 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
ip address partner 192.168.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
failover ip address partner 0.0.0.0
pdm logging debugging 100
pdm history enable
arp timeout 14400

global (outside) 1 interface
global (dmz) 1 interface
global (partner) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.2.0 255.255.255.0 0 0

static (dmz,outside) DMZ-WebServer DMZ-WebServer netmask 255.255.255.255 0 0
static (inside,partner) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 0 0
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 0 0

access-group acl_dmz in interface outside
access-group acl_dmzTOinside in interface dmz
access-group partner_access_in in interface partner

route outside 0.0.0.0 0.0.0.0 192.168.9.1 1
route partner 192.168.4.0 255.255.255.0 192.168.3.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community opensaysme
no snmp-server enable traps
floodguard enable
no sysopt route dnat

 
Hi.

**
First of all - what is the purpose of using nat 0 in your case - what are you trying to gain? and do you need this benefit both for DMZ and for partner?
You should remember that most harmful attacks come from internal users, so you can and should minimize the risks.

**
> access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
> nat (inside) 0 access-list inside_outbound_nat0_acl

This seems to be OK if you want nat 0, but when using nat 0 you should also reconfigure routing as needed (a route at the partner router/firewall that will point to your pix interface to get to the inside network).

**
> access-list acl_dmzTOinside permit ip host LRMS-WebServer any
This seems very wrong, unless you really need the web server to INITIATE connections to the internal network.
If this is a "normal" web server that only responds to clients, then there is no need for that ACL as the pix ASA (stateful) logic will take care of it.
If you keep this entry, then what's the point of DMZ???

**
My suggestions - use nat 1 as before.
If you have internal servers that need to be accessed from partner, use STATIC for that purpose.
If partner needs access to DMZ, add a nat 1 (or better nat 2 with an additional global 2 statement where needed) to the DMZ interface. Using a different nat id for partner will help you control or prevent Internet access from partner.

Correct me if I did not understand your scenario.

Bye
Yizhar Hurwitz
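The reply above is effectively a checklist for the posted config. The script below is an added example, not code from the thread or from Cisco: it encodes the review points as a small lint over the interface, name, ACL and NAT lines copied from the posted config (embedded inline as a constructed sample). Rule names, function names and messages are this example's own; the routing point (a return route at the partner side) cannot be checked from the PIX config alone and is not covered.

```python
"""Lint a PIX 6.x configuration for the issues raised in this thread.

Added example, not part of the original post or of any Cisco tool: the checks
encode the reply's review points. Rule and function names are invented here.
"""
from collections import defaultdict

# Constructed sample: lines copied from the posted config, including the undeclared name.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security40
nameif ethernet3 partner security60
name 192.168.10.3 DMZ-WebServer
access-list acl_dmz permit tcp any host DMZ-WebServer eq www
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list acl_dmzTOinside permit ip host LRMS-WebServer any
access-list partner_access_in permit ip 192.168.4.0 255.255.255.0 192.168.2.0 255.255.255.0
global (outside) 1 interface
global (dmz) 1 interface
global (partner) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
static (dmz,outside) DMZ-WebServer DMZ-WebServer netmask 255.255.255.255 0 0
static (inside,partner) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 0 0
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 0 0
access-group acl_dmz in interface outside
access-group acl_dmzTOinside in interface dmz
access-group partner_access_in in interface partner
"""


def parse(config):
    """Reduce the commands the checks need to a dict; other lines are ignored."""
    cfg = {"security": {}, "names": {}, "acls": defaultdict(list),
           "groups": {}, "globals": defaultdict(list), "nats": [], "statics": []}
    for line in config.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "nameif":            # nameif <hw> <name> security<N>
            cfg["security"][p[2]] = int(p[3][len("security"):])
        elif p[0] == "name":            # name <ip> <alias>
            cfg["names"][p[2]] = p[1]
        elif p[0] == "access-list":     # access-list <acl> <ace ...>
            cfg["acls"][p[1]].append(p[2:])
        elif p[0] == "access-group":    # access-group <acl> in interface <if>
            cfg["groups"][p[4]] = p[1]
        elif p[0] == "global":          # global (<if>) <id> ...
            cfg["globals"][int(p[2])].append(p[1].strip("()"))
        elif p[0] == "nat":             # nat (<if>) <id> ...
            cfg["nats"].append((p[1].strip("()"), int(p[2])))
        elif p[0] == "static":          # static (<real_if>,<mapped_if>) <mapped> <real> ...
            real_if, mapped_if = p[1].strip("()").split(",")
            cfg["statics"].append((real_if, mapped_if, p[2], p[3]))
    return cfg


def _addr(tok, i):
    """Consume one ACE address spec at tok[i]: any | host <x> | <net> <mask>."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return tok[i] + "/" + tok[i + 1], i + 2


def lint(cfg):
    """Return (rule, message) findings; an empty list means nothing was flagged."""
    out = []
    top = max(cfg["security"].values())
    # Rule 1: 'host <alias>' whose alias has no name line (typo or sanitising leftover).
    for acl, aces in cfg["acls"].items():
        for ace in aces:
            for i, t in enumerate(ace[:-1]):
                nxt = ace[i + 1]
                if t == "host" and not nxt.replace(".", "").isdigit() and nxt not in cfg["names"]:
                    out.append(("undefined-name", f"{acl}: host {nxt} has no name command"))
    # Rule 2: inbound ACL on a lower-security interface permitting destination 'any'
    # lets that interface's hosts initiate into every higher-security interface.
    for iface, acl in cfg["groups"].items():
        for ace in cfg["acls"].get(acl, []):
            if ace[0] != "permit":
                continue
            src, i = _addr(ace, 2)
            dst, _ = _addr(ace, i)
            if dst == "any" and cfg["security"][iface] < top:
                higher = sorted(n for n, s in cfg["security"].items() if s > cfg["security"][iface])
                out.append(("initiates-inbound",
                            f"{acl} on {iface}: {src} may open connections to {', '.join(higher)}"))
    # Rule 3: an identity static (mapped == real) wins over nat/global, so the PAT toward
    # that interface never applies; with nat 0 on the same interface exemption is done twice.
    nat0 = {iface for iface, nid in cfg["nats"] if nid == 0}
    for real_if, mapped_if, mapped, real in cfg["statics"]:
        if mapped == real and real_if in nat0:
            out.append(("identity-static",
                        f"static ({real_if},{mapped_if}) {real} bypasses global ({mapped_if}) PAT; "
                        f"nat ({real_if}) 0 is also present, keep one exemption mechanism"))
    # Rule 4: one nat id with globals on several interfaces: matched hosts get PAT toward
    # all of them, so no single path can later be withheld by nat id alone.
    for iface, nid in cfg["nats"]:
        exits = sorted(cfg["globals"].get(nid, []))
        if nid != 0 and len(exits) > 1:
            out.append(("nat-id-fanout", f"nat ({iface}) {nid} is PATed toward {', '.join(exits)}"))
    return out


if __name__ == "__main__":
    for rule, msg in lint(parse(SAMPLE_CONFIG)):
        print(f"[{rule}] {msg}")
```

Run against the sample it reports the DMZ-to-inside ACL, the undeclared LRMS-WebServer alias, the two identity statics on the inside interface and the nat id 1 fan-out; removing the acl_dmzTOinside entry and its access-group clears the first finding, which is the change the reply asks for.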
 