Solved

IP translate in Cisco PIX V5.1

Posted on 2002-06-10
Last Modified: 2013-11-16
Hi,

Just a simple question

A server with an internal address, 10.10.1.10, moved from the LAN to the DMZ with a new IP address, 203.198.23.108.
For some reason, the LAN users need to access the server by both the new IP (10.10.1.10) and the original IP (203.198.23.108).
I am not sure if alias works, because it seems it will overlap either one.

Thanks for the help.
Question by:percy_k
LVL 79

Expert Comment

by:lrmoore
ID: 7068451
If 10.10.1.x is the network on the inside LAN, and the server has been moved with a new IP address of 203.198.23.108, then not even alias will allow you to refer to that server by two different IP addresses.

IF that server has a new private IP address in the DMZ, example: 192.168.1.108, and there was a static translation setup:
static (DMZ,outside) 203.198.23.108 192.168.1.108 netmask 255.255.255.255

Then you could use the alias command to refer to the server by either its real IP address or its outside IP address.

 
LVL 2

Author Comment

by:percy_k
ID: 7068741
Thanks for the information; sorry, I forgot to mention that the DMZ is no-NAT.
I already have a static translation for the server:
static (dmz,outside) 203.198.23.108 203.198.23.108 netmask 255.255.255.255

All I want is to allow the client to use the old address (10.10.1.10) to access the server. What exactly should I type in for this?
Thanks
 
LVL 79

Expert Comment

by:lrmoore
ID: 7068763
So the CLIENT is still on the old network and cannot access the server on the DMZ now?

Are you using access-lists or conduits?

You can use NAT 0 so that inside source packets don't get NAT'd over to the DMZ:

access-list NO_NAT permit ip 10.10.1.0 255.255.255.0 host 203.198.23.108

nat (inside) 0 access-list NO_NAT

Add an access-list entry or conduit inbound on the DMZ port:

access-list ACL_DMZ permit ip host 203.198.23.108 any
access-group ACL_DMZ in interface DMZ

 
LVL 2

Author Comment

by:percy_k
ID: 7068853
Yes, the client can already access the server in the DMZ with the new IP address (203.198.23.108) I gave. However, I want the user to still be able to access the server with the old IP (10.10.1.10).
 
LVL 2

Author Comment

by:percy_k
ID: 7068906
Yes, the client can already access the server in the DMZ with the new IP address (203.198.23.108) I gave. However, I want the user to still be able to access the server with the old IP (10.10.1.10).
 
LVL 79

Expert Comment

by:lrmoore
ID: 7069764
Sorry, no can do.
If the inside network is 10.10.1.x, the PIX will not pass a packet from one interface to the other if both source and destination networks are the same.
 
LVL 2

Author Comment

by:percy_k
ID: 7072213
Sorry, maybe I didn't explain it clearly.

The PIX has 3 interfaces:

WAN interface connecting to a T1 leased line, network 203.198.23.96/28 with 14 reserved IPs

LAN interface connecting to the LAN with the network 10.10.1.0/24

DMZ interface connecting to the DMZ with no NAT, network 203.198.23.104/29

As you see, the DMZ and LAN are not the same. I just want the PIX to redirect the packets for 10.10.1.10 from the LAN to a dedicated server in the DMZ.

I am not good with PIX commands, but I think it is similar to setting up PAT, but with the interfaces reversed, from high to low security.

Glad if any expert can advise me.



 
LVL 1

Expert Comment

by:Chriskohn
ID: 7074161
Hello percy k:
lrmoore is correct in almost everything stated; however, to allow passage of traffic from your inside LAN hosts 10.10.1.x to the server in the DMZ at the IP address 10.10.1.10, simply add the command:
static (inside,dmz) 10.10.1.10 10.10.1.10 netmask 255.255.255.0
This should correct your problem, as long as there is a permit in your access-control list or an outbound permit on your inside Ethernet for the 10.10.1.x host(s) to enter the Ethernet. I also recommend using the clear xlate command after applying all of these commands, before testing. Hope this helps, Chriskohn
LVL 1

Expert Comment

by:Chriskohn
ID: 7074165
Hi again percy k:
I nearly forgot in my last suggestion: you'll need to put 0 0 after the 255.255.0.0 in that static translation statement. Cheers, Chriskohn
 
LVL 2

Author Comment

by:percy_k
ID: 7074465
Thanks lrmoore and Chriskohn.

Well, for the command
static (inside,dmz) 10.10.1.10 10.10.1.10 netmask 255.255.255.0 0 0

I am sure it would work if it just used the IP 10.10.1.10.

The reason I placed the server in the DMZ was because I need to give it a real IP for web access. That's why it changed to 203.198.23.108.

The problem is how to give this server (203.198.23.108) another identity in the LAN (10.10.1.10).

The goal is:
This server can be accessed by 203.198.23.108 from the Internet.
And it can be accessed by both 203.198.23.108 and 10.10.1.10 from the LAN.

Thanks a lot!

 
LVL 1

Expert Comment

by:Chriskohn
ID: 7076531
Hi again percy k:
Did you try it? I currently have this config working on a mail server in a DMZ. It works just fine with both static translations, etc. Chriskohn
 
LVL 79

Expert Comment

by:lrmoore
ID: 7076636
Now I understand what you're trying to do, and I think Chriskohn has the right idea, but I think this might work better by creating a static NAT map:

static (inside,dmz)203.198.23.108 10.10.1.10 netmask 255.255.255.255
 
LVL 1

Expert Comment

by:Chriskohn
ID: 7076846
Hi again percy k:
You need to have both static translations. One says make the server in the DMZ at 10.10.1.10 appear as 203.198.23.108 when seen from the outside interface; this is the command lrmoore suggested:
static (dmz,outside) 203.198.23.108 10.10.1.10 255.255.255.255
The other says when viewed from inside, keep the 10.10.1.10 (internal, private) address for the server; this is the command I suggested:

static (inside,dmz) 10.10.1.10 10.10.1.10 netmask 255.255.0.0 0 0

Now if you wish to have both the public and the private IP addresses of the server available to the inside users, I would think you could try adding a third static, since you can't have two statics applied the same way (i.e. inside,dmz with different addresses). Try this in addition to the above:
static (dmz,inside) 10.10.1.10 203.198.23.108 netmask 255.255.255.255
I also suggest a permit in the access-control list or an outbound permit for 10.10.1.x to get to 203.198.23.108 if you don't already have it, and clear xlate again....
Sorry all, I didn't realize before that you wanted to reach both addresses from inside; I thought you just wanted to see the server from inside and outside as different (this being the usual implementation with a DMZ). Hope this helps. Chriskohn
 
LVL 2

Author Comment

by:percy_k
ID: 7077795
Oh my god...
I know my English is poor, but I didn't notice that it was really that bad... but I really appreciate you guys' advice.
1.
*******************************************************
one says make the server in the dmz at 10.10.1.10 appear
as 203.198.23.108 when seen from the outside interface, this is the command lrmoore suggested:
static (dmz,outside) 203.198.23.108 10.10.1.10 255.255.255.255
The other says when viewed from inside keep the 10.10.1.10 (internal,private) address for the server,
and this is the command I suggested:

static (inside,dmz) 10.10.1.10 10.10.1.10 netmask 255.255.0.0 0 0
*******************************************************

Sorry, it is impossible. As I said in my last post, the DMZ interface is NOT NAT. The IP addresses I reserved for servers in the DMZ are all real IPs. Therefore, it is not possible to leave the server in the DMZ with the IP address
10.10.1.10.
Again, the server IP is 203.198.23.108 only, which has a static route in the PIX to allow access from outside:
static (dmz,outside) 203.198.23.108 203.198.23.108 netmask 255.255.255.255


2.
*******************************************************
Now if you wish to have both the public and the private IP addresses on the server available to the
inside users, I would think you could try adding a third static since you can't have two statics applied
the same way (ie inside,dmz with different addresses), try this in addition to the above:
static (dmz,inside) 10.10.1.10 203.198.23.108 netmask 255.255.255.255
*******************************************************

The command is invalid. This is what I tried before I posted this question.
The static command is not allowed from a high security level (inside) to a low security level (DMZ).
Cisco's official command reference instructs that it should be done using the NAT command, and it drove me nearly mad.
(http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/commands.htm#xtocid2254182)

The goal is:
1. The server connects to the DMZ using the IP address 203.198.23.108
2. Outside can access the server at 203.198.23.108
3. The LAN can access the server at both 203.198.23.108 and 10.10.1.10

Wish this could help.

Thanks a million!!!!!
 
LVL 1

Expert Comment

by:Chriskohn
ID: 7078534
Okay percy k:
Sorry if I wasn't of assistance or misled you in any way.
Good luck with your problem. Chriskohn
 
LVL 1

Accepted Solution

by:
Chriskohn earned 120 total points
ID: 7078552
percy:
Here is a last suggestion that may help, you could check out this link:
http://www.cisco.com/warp/public/707/28.html#in-out2
Cheers, Chriskohn
 
LVL 2

Author Comment

by:percy_k
ID: 7082745
Thanks Chriskohn.
Your link solved my problem. And sorry that I didn't note that outside NAT "static (inside, outside)" is available since PIX version 6.1 (I am using 5.2 now, and that's why I said it couldn't work).
Even though the problem is still there, I now have the direction to consider upgrading the PIX firmware instead of going crazy about the command syntax.
Thanks
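An added example (not from this thread, not Cisco tooling) that checks a PIX static line against the interface layout percy_k describes: the security-level direction rule that rejected the static (dmz,inside) attempt on 5.x (outside NAT arrived in PIX 6.2), the host-address-with-network-mask mistake in the netmask 255.255.255.0 suggestion, and whether the real address actually sits on the named interface. The interface security levels are assumed; the subnets are the ones listed in the thread.

```python
"""Sanity-check Cisco PIX 'static' lines against this thread's interface
layout. Constructed example for illustration, not Cisco tooling."""
import re
from ipaddress import IPv4Address, IPv4Network

# Security levels are assumed (typical inside/dmz/outside values);
# the subnets are the ones the asker lists for the three interfaces.
LEVELS = {"inside": 100, "dmz": 50, "outside": 0}
SUBNETS = {"inside": IPv4Network("10.10.1.0/24"),
           "dmz": IPv4Network("203.198.23.104/29"),
           "outside": IPv4Network("203.198.23.96/28")}
OUTSIDE_NAT_MIN = (6, 2)  # first PIX release with outside NAT statics

# static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask] mask [max [emb]]
STATIC_RE = re.compile(
    r"static\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s*(\d+(?:\.\d+){3})\s+"
    r"(\d+(?:\.\d+){3})(?:\s+(?:netmask\s+)?(\d+(?:\.\d+){3}))?",
    re.IGNORECASE)


def lint_static(line, pix_version=(5, 2)):
    """Return a list of findings; an empty list means the static looks sane."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return ["not a static statement"]
    real_if, mapped_if, mapped, real, mask = m.groups()
    real_if, mapped_if = real_if.lower(), mapped_if.lower()
    if real_if not in LEVELS or mapped_if not in LEVELS:
        return [f"unknown interface in ({real_if},{mapped_if})"]
    findings = []
    # PIX 5.x only maps a higher-security real interface to a lower one;
    # 'static (dmz,inside) ...' is outside NAT and needs a newer release.
    if LEVELS[real_if] < LEVELS[mapped_if] and pix_version < OUTSIDE_NAT_MIN:
        findings.append(f"outside NAT ({real_if},{mapped_if}) needs PIX "
                        f"{OUTSIDE_NAT_MIN[0]}.{OUTSIDE_NAT_MIN[1]} or later")
    mask = mask or "255.255.255.255"
    try:
        # strict=True rejects a host address paired with a network mask,
        # e.g. '10.10.1.10 netmask 255.255.255.0' as posted above.
        IPv4Network(f"{real}/{mask}", strict=True)
    except ValueError:
        findings.append(f"host {real} with netmask {mask}; a one-to-one "
                        "static should use 255.255.255.255")
    if IPv4Address(real) not in SUBNETS[real_if]:
        findings.append(f"real address {real} is not on the {real_if} "
                        f"subnet {SUBNETS[real_if]} (only valid if routed)")
    return findings
```

Run it over each static from the thread: the no-NAT (dmz,outside) line passes, the (dmz,inside) line is flagged on 5.2 and accepted with pix_version=(6, 2).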