
Problem with multiple DMZs and NATs


JeffCisco
IS-IT--Management
Aug 7, 2001
I have a PIX with 6 ifs. An inside, outside and 4 DMZs. Apart from my previous post (Netware server in DMZ) I have a major problem with NATing. I want users on the inside network to NAT when going outside but not when accessing any of the DMZs, in particular DMZ1 which has DNS server and E-mail server. At the moment E-mail is taking ages to send/receive and I think this is due to NATing. My config is similar to the following:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10
nameif ethernet3 dmz2 security15

global (outside) 1 x.y.201.4 - x.y.201.20
global (outside) 1 x.y.201.3
global (dmz1) 1 a.b.200.40
global (dmz2) 1 172.16.22.32

nat (inside) 1 172.16.0.0 255.255.0.0 0 0
nat (dmz1) 0 a.b.200.0 255.255.255.0 0 0
nat (dmz2) 0 172.16.22.0 255.255.255.0 0 0
static (dmz1,outside) a.b.200.2 a.b.200.2 netmask 255.255.255.255 0 0
static (dmz1,outside) a.b.200.4 a.b.200.4 netmask 255.255.255.255 0 0

conduit permit ip host a.b.200.2 any
conduit permit ip host a.b.200.4 any

The reason for the above conduit commands is that the DNS and E-mail server have public IPs and so go straight through without NAT. My inside network is split into a number of different subnets, i.e. 172.16.1.0 (255.255.255.0), 172.16.2.0, etc., up to 172.16.18.0.

Can I get these networks to NAT for outside access but not when accessing the DMZs?

Thanks in advance,

Jeff.
 
Try this:

static (inside,dmz1) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0

It should be the same for the other DMZs; just change the DMZ number.
 
Why don't you want them to NAT to the DMZ? Think about this scenario: when a user contacts the email server in order to send the message, the server records the IP address of the user. In your case, it would be the real IP of your client behind the "inside" interface. Essentially, your users are sending out their real IP addresses embedded in the message header. If you NAT to the DMZ, then the user comes in with a NATted IP that's a dynamic translation built by the PIX, so every time they send an email, it's a temporary IP address on the same subnet as your email server, so you're not compromising your inside network, which is the core of your security policy.

I treat every DMZ as a separate network, and security policies differ for each one. I don't have a single statement that would allow any kind of static access to the inside. To my public servers like email and www, the users from the inside network seem to come from the same subnet as the public servers (except outside to DMZ). Even if this puts more strain on my PIX, I don't worry too much because I maxed out the RAM and Flash, and I paid to get the device to do what I need it to do.

In regards to DNS, why don't you set up an internal DNS box that would only resolve queries locally and for outside access? It seems weird to have multiple DNS boxes, but really, how many resources does a DNS box need? Not too many. I have a separate DNS server for all the DMZs that need access to the net, plus a separate DMZ for my publicly registered DNS servers. This way, if I have a failure, it's easier to identify and troubleshoot.

David.
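To make the two replies concrete, here is an added Python model (not from the thread, and not Cisco code) of how the PIX picks a source translation for the config above: a matching static wins, otherwise the nat id is paired with the global on the egress interface. It shows that the first reply's identity static is what stops inside hosts being PATed to a.b.200.40 on dmz1, and that this is exactly the point at which the DMZ servers start recording real inside addresses, as the second reply warns. The 203.0.113.0/24 and 198.51.100.0/24 prefixes are constructed stand-ins for the post's x.y and a.b octets.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's PIX 6.x translation rules (illustration only).
# 203.0.113.0/24 stands in for the post's x.y.201.0 block, 198.51.100.0/24 for a.b.200.0.
GLOBALS = {  # (egress interface, nat id) -> what "global" hands out there
    ("outside", 1): "203.0.113.4-203.0.113.20, then PAT on 203.0.113.3",
    ("dmz1", 1): "PAT on 198.51.100.40",
    ("dmz2", 1): "PAT on 172.16.22.32",
}
NAT_RULES = [  # (ingress interface, nat id, real network); id 0 means no translation
    ("inside", 1, ip_network("172.16.0.0/16")),
    ("dmz1", 0, ip_network("198.51.100.0/24")),
    ("dmz2", 0, ip_network("172.16.22.0/24")),
]
# static (real_if,mapped_if): the two identity statics for the DNS and E-mail servers
STATICS_FROM_POST = [
    ("dmz1", "outside", ip_network("198.51.100.2/32"), ip_network("198.51.100.2/32")),
    ("dmz1", "outside", ip_network("198.51.100.4/32"), ip_network("198.51.100.4/32")),
]
# The first reply's fix: static (inside,dmz1) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
IDENTITY_INSIDE_TO_DMZ1 = (
    "inside", "dmz1", ip_network("172.16.0.0/16"), ip_network("172.16.0.0/16"))


def source_seen_by(src_if, dst_if, src_ip, statics):
    """Return what a host behind dst_if sees as the source of a packet from src_ip.

    Simplified PIX precedence: a matching static wins, then nat/global paired by id.
    """
    ip = ip_address(src_ip)
    for real_if, mapped_if, real_net, mapped_net in statics:
        if (real_if, mapped_if) == (src_if, dst_if) and ip in real_net:
            offset = int(ip) - int(real_net.network_address)
            return str(ip_address(int(mapped_net.network_address) + offset))
    for nat_if, nat_id, real_net in NAT_RULES:
        if nat_if == src_if and ip in real_net:
            if nat_id == 0:
                return str(ip)  # nat 0: passes untranslated
            # nat id matched but no global on the egress interface: no xlate, PIX drops it
            return GLOBALS.get((dst_if, nat_id), "dropped: no global on egress interface")
    return "dropped: no nat rule"


def inside_address_exposed(dst_if, src_ip, statics):
    """True when the DMZ host records the real inside address (the second reply's concern)."""
    return source_seen_by("inside", dst_if, src_ip, statics) == src_ip


if __name__ == "__main__":
    for label, statics in (("as posted", STATICS_FROM_POST),
                           ("with identity static", STATICS_FROM_POST + [IDENTITY_INSIDE_TO_DMZ1])):
        print(label, "inside->dmz1:", source_seen_by("inside", "dmz1", "172.16.5.10", statics))
        print(label, "inside->outside:", source_seen_by("inside", "outside", "172.16.5.10", statics))
```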
 