Solved

NAT for DMZ on PIX?

Posted on 2003-03-27
Last Modified: 2013-11-16
I have a Cat 6509 switch with 4 VLANs
x.y.80.z
x.y.81.z
x.y.89.z
x.y.253.z

Cat has PIX 6.2 as default gateway, i.e.
a.b.c.host1

I also have a default gateway webservices.essex.edu at
a.b.c.host2

which resides in the DMZ and has default gateway as PIX 6.2, i.e.
a.b.c.host1

Anyone accessing webservices.essex.edu from outside is able to see its actual IP address.

I want to implement NAT and need to decide which of the following options to go with:

1. webservices's present IP translates to a real IP which won't be associated with any machine.
or
2. Can I change the web server's current IP to a dummy IP which translates to a real IP which won't be associated with any machine? Will this still allow my VLANs to access the web server?

Are both possible? If yes, which one is better and why?

Thanks!
net-geek



Question by:net-geek
5 Comments
 
LVL 33

Accepted Solution

by:
MikeKane earned 100 total points
ID: 8227920
Hmm, sounds tricky.   But I think both are possible.

If I read that right, you have a 3-pronged PIX with inside, outside, and DMZ.

You have 1 host in the DMZ which wants to hide the IP from the outside (inside you don't care).

You have hosts on the inside which need the DMZ host.
outside 10.10.1.0
dmz 172.28.0.0
inside 192.168.1.0

I'd say create a static for the DMZ host
static (DMZ,outside) 10.10.1.1 172.28.1.1 netmask 255.255.255.255 0 0

this will hide the DMZ host's IP 172.28.1.1, everyone outside will use your public IP of 10.10.1.1 (yeah I know that's not public, but this is an example)

Create an access-list to allow outside people access to the DMZ (on PIX 6.x the ACL on the outside interface matches the translated 10.10.1.1, not the real DMZ address),
access-list ACL-OUT permit tcp any host 10.10.1.1 eq www
access-group ACL-OUT in interface outside

That will hide the true address from the outside.
Build the NATs around that
global (outside) 1 10.10.1.10-10.10.1.15
global (DMZ) 1 172.28.1.10-172.28.1.15
nat (inside) 1 192.168.1.0 255.255.255.0 0 0

That will allow inside clients access to the DMZ and outside with NATted addresses.  Nothing gets to the inside and outside can't get to the DMZ.

Good luck
0
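The three-interface layout described in the accepted answer, written out as one complete PIX 6.x configuration. This is an added example, not the original poster's or MikeKane's configuration: the interface names, the 10.10.1.0/24 (outside), 172.28.0.0/16 (DMZ) and 192.168.0.0/16 (inside) ranges, the PIX interface addresses, the upstream router at 10.10.1.254, the Catalyst 6509 at 192.168.1.2 and the web server at 172.28.1.1 are all assumptions. It shows option 1 from the question (the server keeps its DMZ address and is published on a second outside address that no host owns) plus the translation that lets the inside VLANs keep reaching the server, which is also the answer to the later comment asking how inside users reach a DMZ on a PIX 515E. Lines beginning with a colon are PIX comment lines.

```text
: Interfaces and security levels (addresses assumed).
: Traffic may only cross the PIX when a translation exists for the
: source address on the destination interface, so every path used
: below gets one.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 10.10.1.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 172.28.1.254 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.10.1.254 1

: The question's VLANs sit behind a Catalyst 6509 that routes between
: them; the PIX needs a route back to each VLAN via the 6509
: (192.168.2.0/24 and 192.168.1.2 are assumed placeholders for them).
route inside 192.168.2.0 255.255.255.0 192.168.1.2 1

: Option 1: the web server keeps 172.28.1.1; outside clients see
: 10.10.1.1, an address assigned to no host. Global address first,
: then local address, separated by a space.
static (dmz,outside) 10.10.1.1 172.28.1.1 netmask 255.255.255.255 0 0

: On PIX 6.x an ACL applied inbound on the outside interface matches
: the translated (global) address, not the server's real one.
access-list ACL-OUT permit tcp any host 10.10.1.1 eq www
access-group ACL-OUT in interface outside

: Inside -> outside: hide all inside VLANs behind the outside
: interface address (PAT); the 0 0 shorthand means any inside source.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

: Inside -> DMZ: an identity static keeps inside addresses unchanged,
: so inside hosts reach the server at 172.28.1.1 and the server logs
: their real addresses. Without this (or a global on dmz for NAT id 1)
: the PIX has no inside->dmz translation and drops the traffic.
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0

: DMZ -> outside for connections the server itself initiates: the
: static above already covers 172.28.1.1, other DMZ hosts get PAT.
nat (dmz) 1 172.28.0.0 255.255.0.0 0 0
```

Option 2 from the question (readdressing the server to a private "dummy" address) needs nothing more than the same `static (dmz,outside)` line with the new address in place of 172.28.1.1; the PIX logic is identical. In either case the inside VLANs must resolve webservices.essex.edu to the server's DMZ address (split DNS, or the PIX 6.x `alias` command for DNS rewriting), because a PIX 6.x will not turn a connection from inside to 10.10.1.1 back around into the DMZ. Check the result with `show xlate` after an inside client and an outside client each connect: the outside client's entry should show 10.10.1.1 as the global address, and the inside client's entry should show its own unchanged address on the dmz interface.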
 
LVL 79

Expert Comment

by:lrmoore
ID: 8452938
G'day, net-geek
It has been 37 days since you posted this question.
Do you still need help? Have you received enough information?
Can you close out this question?
Ways to close questions: http://www.apollois.com/EE/Help/Closing_Questions.htm
0
 

Author Comment

by:net-geek
ID: 8462356
Thanks,
I am sorry for the delay.
vik
0
 

Expert Comment

by:tcminh
ID: 8689428

Can anybody help me set up inside users to access the DMZ on a PIX 515E?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8689710
tcminh,
Yes, but you need to post your own question.
0
