I have a PIX with 6 ifs. An inside, outside and 4 DMZs. Apart from my previous post (Netware server in DMZ) I have a major problem with NATing. I want users on the inside network to NAT when going outside but not when accessing any of the DMZs, in particular DMZ1 which has DNS server and E-mail server. At the moment E-mail is taking ages to send/receive and I think this is due to NATing. My config is similar to the following:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10
nameif ethernet3 dmz2 security15
global (outside) 1 x.y.201.4 - x.y.201.20
global (outside) 1 x.y.201.3
global (dmz1) 1 a.b.200.40
global (dmz2) 1 172.16.22.32
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
nat (dmz1) 0 a.b.200.0 255.255.255.0 0 0
nat (dmz2) 0 172.16.22.0 255.255.255.0 0 0
static (dmz1,outside) a.b.200.2 a.b.200.2 netmask 255.255.255.255 0 0
static (dmz1,outside) a.b.200.4 a.b.200.2 netmask 255.255.255.255 0 0
conduit permit ip host a.b.200.2 any
conduit permit ip host a.b.200.4 any
The reason for the above conduit commands is that the DNS and E-mail server have public IPs and so go straight through without NAT. My inside network is split into a number of different subnets, i.e. 172.16.1.0 (255.255.255.0), 172.16.2.0, etc., up to 172.16.18.0.
Can I get these networks to NAT for outside access but not when accessing the DMZs?
Thanks in advance,
Jeff.
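The behaviour described in the question follows from the posted config: `nat (inside) 1` pairs with every `global ... 1`, so inside hosts are PATed to a.b.200.40 when they reach dmz1 and to 172.16.22.32 when they reach dmz2, not only to the outside pool. The PIX way to translate for one interface but not another is NAT exemption, `nat (inside) 0 access-list`, which is matched before the numbered `nat` statements. The fragment below is an added example written for this thread, not Jeff's config or any vendor reference; it reuses the interface names and subnets from the post and assumes a PIX 6.x-style software that supports `access-list` with `nat 0` (the `nonat` list name is a constructed placeholder).

```cisco
! Added example, not the poster's configuration.
! Goal: inside (172.16.0.0/16) is PATed only when going to outside;
! traffic to dmz1 (a.b.200.0/24) and dmz2 (172.16.22.0/24) keeps its real source address.

! Flows from any inside subnet to either DMZ are exempt from translation.
! PIX access-lists take a subnet mask here, not a wildcard mask.
access-list nonat permit ip 172.16.0.0 255.255.0.0 a.b.200.0 255.255.255.0
access-list nonat permit ip 172.16.0.0 255.255.0.0 172.16.22.0 255.255.255.0

! nat 0 with an access-list is evaluated before nat 1, so matching flows bypass NAT
nat (inside) 0 access-list nonat

! Everything else from inside still uses nat id 1 and the outside global pools
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
global (outside) 1 x.y.201.4-x.y.201.20
global (outside) 1 x.y.201.3

! Optional: once inside->DMZ traffic is exempt, the id-1 pools on the DMZ
! interfaces are unused for inside hosts; removing them makes sure nothing
! is ever PATed onto a DMZ address by accident.
no global (dmz1) 1 a.b.200.40
no global (dmz2) 1 172.16.22.32

! Existing DMZ identity NATs and statics from the post stay as they are.
nat (dmz1) 0 a.b.200.0 255.255.255.0 0 0
nat (dmz2) 0 172.16.22.0 255.255.255.0 0 0
```

Existing translations are not rebuilt when the rule changes, so run `clear xlate` after applying it, then `show xlate` while an inside host talks to the mail server: no entry for that flow should appear, and the mail server's logs should show the 172.16.x.x client address instead of a.b.200.40. The DMZ hosts must be able to route 172.16.0.0/16 back to the PIX dmz1/dmz2 interface address (normally their default gateway) for the untranslated return traffic to reach the inside.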