NAT for DMZ on PIX?

I have a Cat 6509 switch with 4 VLANs:
x.y.80.z
x.y.81.z
x.y.89.z
x.y.253.z

The Cat has PIX 6.2 as its default gateway, i.e.
a.b.c.host1

I also have a default gateway webservices.essex.edu at
a.b.c.host2

which resides in the DMZ and has its default gateway as the PIX 6.2, i.e.
a.b.c.host1

Anyone accessing webservices.essex.edu from outside is able to see its actual IP address.

I want to implement NAT and need to decide which of the following options to go with:

1. webservices' present IP translates to a real IP which won't be associated with any machine.
or
2. Can I change the web server's current IP to a dummy IP which translates to a real IP which won't be associated with any machine? Will this still allow my VLANs to access the web server?

Are both possible? If yes, which one is better and why?

thanks!
net-geek

MikeKane commented:
Hmm, sounds tricky. But I think both are possible.

If I read that right, you have a 3 pronged PIX with inside, outside, and DMZ.  

You have 1 host in the DMZ which wants to hide its IP from the outside (inside you don't care).

You have hosts on the inside which need the dmz host.  
outside 10.10.1.0
dmz 172.28.0.0
inside 192.168.1.0

I'd say create a static for the DMZ host
static (dmz,outside) 10.10.1.1 172.28.1.1 netmask 255.255.255.255 0 0

this will hide the DMZ host's IP 172.28.1.1, everyone outside will use your public IP of 10.10.1.1 (yeah I know that's not public, but this is an example)

Create an access-list to allow outside people access to the DMZ,
access-list ACL-OUT permit tcp any host 10.10.1.1 eq www
access-group ACL-OUT in interface outside

That will hide the true address from the outside.
Build the NATs around that
global (outside) 1 10.10.1.10-10.10.1.15
global (dmz) 1 172.28.1.10-172.28.1.15
nat (inside) 1 192.168.1.0 255.255.255.0 0 0

That will allow inside clients access to the DMZ and outside with NATted addresses. Nothing gets to the inside and outside can't get to the DMZ.

Good luck
lrmoore commented:
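As an added example (not posted by anyone in this thread), here is what option 1 from the question looks like end to end on a three-interface PIX 6.x, reusing the sample ranges from the answer above; the interface names, the 10.10.1.10 PAT address and the 443 permit are assumptions, and the lines starting with ! are explanatory comments rather than config.

```cisco
! Added example, option 1: the DMZ web server keeps its real address
! 172.28.1.1 and is published as the otherwise unused public 10.10.1.1.
! Interface names and addresses are assumptions for illustration.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! One-to-one static: outside sees only 10.10.1.1, never 172.28.1.1.
static (dmz,outside) 10.10.1.1 172.28.1.1 netmask 255.255.255.255 0 0

! PIX 6.x evaluates an outside-facing ACL against the translated (global)
! address, so the permit names 10.10.1.1, not 172.28.1.1, and is limited
! to the web ports the server actually serves.
access-list ACL-OUT permit tcp any host 10.10.1.1 eq www
access-list ACL-OUT permit tcp any host 10.10.1.1 eq 443
access-group ACL-OUT in interface outside

! Inside VLANs keep reaching the DMZ host by its real address: an identity
! static on the inside/dmz pair satisfies the PIX's NAT requirement without
! rewriting the inside clients' addresses (repeat per inside VLAN range).
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

! Inside hosts going out to the Internet are hidden behind a PAT address.
global (outside) 1 10.10.1.10
nat (inside) 1 192.168.1.0 255.255.255.0 0 0

! Checks after the change, from the PIX console:
!   show xlate   -- expect a static entry "Global 10.10.1.1 Local 172.28.1.1"
!   show conn    -- outside web sessions should show 172.28.1.1 on the DMZ side,
!                   and nothing from outside should appear towards inside
```

With option 2 (renumbering the server to a private dummy address) the same static and ACL apply; only the local address in the static changes, and the inside VLANs still reach the server through the identity static.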
G'day, net-geek
It has been 37 days since you posted this question.
Do you still need help? Have you received enough information?
Can you close out this question?
Ways to close questions: http://www.apollois.com/EE/Help/Closing_Questions.htm
net-geek (Author) commented:
Thanks,
I am sorry for the delay.
vik
tcminh commented:

Is there anybody who can help me set up inside users to access the DMZ on a PIX 515E?
lrmoore commented:
tcminh,
Yes, but you need to post your own question.