Solved

PIX static and NAT questions plus a couple of others 500 pts.

Posted on 2005-03-28
Last Modified: 2010-04-09
Hello everyone,

I have a couple of questions about my NAT statements and my statics. I have a PIX 515 running 6.3.3. I have a public class C (216.93.100.0) that I mostly use for the NAT pool, plus a public class C for my DMZ (216.93.101.0). Hosts that get put in the DMZ actually get a public IP address. My internal is 10.1.1.0. My questions are as follows:

1. I want to make sure that I am bypassing NAT for communication from the internal to the DMZ and vice versa, i.e., I want to speed communication up between the two interfaces as much as possible. I think I may be doing this with this command, but I am not 100% sure: static (inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0. I am not sure if this is right though, b/c it seems that it would be static (inside,DMZ) 216.93.101.0 10.1.1.0 netmask 255.255.255.0 0 0.

2.  What does the  command static (inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0 do for me assuming that it is not answered in question 1?

3.  Why do I need this command: nat (DMZ) 0 216.93.101.0 255.255.255.0 0 0

4. I have one static statement that worries me as well. It is as follows: static (inside,outside) 216.93.101.8 10.1.1.35 netmask 255.255.255.255 0 0. I also have this command: static (DMZ,outside) 216.93.101.0 216.93.101.0 netmask 255.255.255.0 0 0. Are these two statements fighting each other? The server in question (10.1.1.35) is a mail server that is actually on my internal. When I do a show xlate on the IP, I get the following: Global 10.1.1.35 Local 10.1.1.35

5.  Do I need a nat pool for my dmz if I only have static IPs in there?  I.E., do I need this:  global (DMZ) 2 216.93.101.180-216.93.101.239 netmask 255.255.255.0

Thanks for the help in advance, and my relevant config is listed below.  

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password XXXXXXXXXXXXXXXXX
passwd XXXXXXXXXXXXXXXXXXXXXX
hostname PIX515-PRI
domain-name business.com
names
name 216.93.101.4 ns
name 216.93.101.8 exchange
name 10.1.1.35 business-exch
name 10.1.1.30 backup
name 10.1.1.13 business1
name 216.93.101.22 monitor
object-group network WWW-Servers
  description Web Servers only No Terminal Servers
  network-object host 216.93.101.16
  network-object host 216.93.101.21
object-group network TS-Servers
  description Terminal Servers Only
  network-object host 216.93.100.4
  network-object host 216.93.101.30
object-group network SMTP-to-Exchange-Server
  description Hosts and networks allowed to e-mail exchange server
  network-object host 69.20.58.233
  network-object host 69.20.58.231
  network-object host 69.20.58.226
object-group network FTP-Servers
  network-object host 216.93.101.10
  network-object host 216.93.101.16
access-list ping-acl permit icmp any any
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.12.131.0 255.255.255.0
access-list dmz permit tcp host 216.93.101.19 host 216.93.101.18 eq www
pager lines 24
logging on
logging timestamp
logging trap warnings
logging host inside 10.1.1.240
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu SQLDMZ 1500
mtu intf4 1500
mtu failover 1500
ip address outside 216.93.100.3 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address DMZ 216.93.101.1 255.255.255.0
pdm history enable
arp timeout 14400
global (outside) 1 216.93.100.129-216.93.100.189
global (outside) 1 216.93.100.190
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 0 216.93.101.0 255.255.255.0 0 0
static (inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
static (inside,outside) exchange business-exch netmask 255.255.255.255 0 0
static (inside,outside) 216.93.100.6 10.1.1.240 netmask 255.255.255.255 0 0
static (inside,outside) 216.93.100.4 10.1.1.5 netmask 255.255.255.255 0 0
static (inside,DMZ) monitor 10.1.1.240 netmask 255.255.255.255 0 0
static (inside,outside) 216.93.100.12 10.1.1.45 netmask 255.255.255.255 0 0
static (DMZ,outside) 216.93.101.0 216.93.101.0 netmask 255.255.255.0 0 0
conduit permit icmp any any echo-reply
conduit permit icmp any any source-quench
conduit permit icmp any any unreachable
conduit permit icmp any any time-exceeded
conduit permit gre any any
conduit permit tcp any eq 4400 any
conduit permit udp any eq 4400 any
conduit permit udp host ns eq domain any
conduit permit tcp host 10.1.1.25 eq smtp host ns
conduit permit tcp host business1 eq 1433 host 216.93.101.17
conduit permit tcp host ns eq domain any
conduit permit tcp host backup eq 6103 216.93.101.0 255.255.255.0
conduit permit tcp host backup eq 10000 216.93.101.0 255.255.255.0
conduit permit tcp host 216.93.100.6 eq 8088 any
conduit permit udp host monitor eq snmp host 216.93.100.1
conduit permit udp host monitor eq snmptrap host 216.93.100.1
conduit permit udp host monitor eq syslog host 216.93.100.1
conduit permit udp host monitor eq syslog host 209.108.220.54
conduit permit tcp host 216.93.101.28 eq https host 203.193.141.63
conduit permit tcp host 216.93.101.28 eq www host 203.193.141.63
conduit permit tcp host 216.93.101.28 eq ftp host 203.193.141.63
conduit permit tcp host 216.93.101.28 eq 3389 host 203.193.141.63
conduit permit tcp host backup range 24001 24100 216.93.101.0 255.255.255.0
conduit permit udp host backup range 24001 24100 216.93.101.0 255.255.255.0
conduit permit tcp host exchange eq www any
conduit permit tcp host 10.1.1.9 eq sqlnet host 216.93.101.30
conduit permit tcp host 216.93.101.31 eq pop3 any
conduit permit tcp host 216.93.101.31 eq www any
conduit permit tcp host business1 eq 1433 216.93.101.0 255.255.255.0
conduit permit tcp host 10.1.1.9 eq 1433 216.93.101.0 255.255.255.0
conduit permit tcp host exchange eq smtp object-group SMTP-to-Exchange-Server
conduit permit tcp object-group TS-Servers eq 3389 any
conduit permit tcp object-group TS-Servers eq www any
conduit permit tcp object-group WWW-Servers eq www any
conduit permit tcp object-group WWW-Servers eq https any
conduit permit tcp object-group FTP-Servers eq ftp any
route outside 0.0.0.0 0.0.0.0 216.93.100.1 1
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-vpdn
vpdn group 1 client configuration dns 10.1.1.2
vpdn enable outside
terminal width 80
Question by:adsnetcurve
8 Comments
 
LVL 7

Expert Comment

by:minmei
ID: 13647337
> 1. I want to make sure that I am bypassing NAT for communication from the internal to the DMZ, vice versa I.E., I want to speed communication up between the two interfaces as much as possible. I think I may be doing this, with this command, but I am not 100% sure. static (inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0. I am not sure if this is right though, b/c it seems that it would be static (inside, DMZ) 216.93.101.0 10.1.1.0 netmask 255.255.255.0 0 0.

You don't bypass NAT with static commands, you invoke it.

The second one (216.93.101.0) is the correct one, creating a nat rule for each host 10.1.1.x in the 10.1.1.0 range to a corresponding 216.93.101.x address on the outside. Make sure there is no overlap in the actual hosts on the 216 network and the static translations for internal hosts.

The first rule should be deleted.

> 2. What does the command static (inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0 do for me assuming that it is not answered in question 1?

Q1.

>3.  Why do I need this command: nat (DMZ) 0 216.93.101.0 255.255.255.0 0 0

This states there is no nat going on for addresses in the DMZ zone outbound to the outside interface. This is because you are using a public range on the DMZ, and do not need to NAT out to the outside.

NAT is used to allow RFC1918 internal-only addresses on the inside and sometimes DMZ to talk to the outside by using other, "real" internet addresses.

> 4. I have one static statement that worries me as well. It is as follows: static (inside,outside) 216.93.101.8 10.1.1.35 netmask 255.255.255.255 0 0. I also have this command: static (DMZ,outside) 216.93.101.0 216.93.101.0 netmask 255.255.255.0 0 0. Are these two statements fighting each other? The server in question (10.1.1.35) is a mail server that is actually on my internal. When I do a show xlate on the ip, I get the following Global 10.1.1.35 Local 10.1.1.35

You can take the second command (with the matching ranges) out. NAT from the same address to the same address doesn't accomplish anything. The other one is a single host NAT rule (216.93.101.8 10.1.1.35) for the 10.1.1.35 host to be reachable via 216.93.101.8 on the outside. This may be because you use the server on the inside for internal email users but want some access outside. Some people put all servers they want accessible from the outside on the DMZ, some don't.

> 5. Do I need a nat pool for my dmz if I only have static IPs in there? I.E., do I need this: global (DMZ) 2 216.93.101.180-216.93.101.239 netmask 255.255.255.0

No, not because you have statics, but because they are already public addresses.

 
LVL 1

Author Comment

by:adsnetcurve
ID: 13647562
Hmmm, I am a little confused by this, and need some more clarification:  

1.  I still don't want to do translation.  I want to make sure that NAT doesn't occur when I send traffic from the internal to the dmz.  I believe if I add this, (inside, DMZ) 216.93.101.0 10.1.1.0 netmask 255.255.255.0 0 0. It will create static mappings for every IP address in the dmz to every ip address in the internal.  I definitely don't want that as I have some IP addresses that are from the external to the internal.  I was told by having the static (inside,DMZ) 10.1.1.0 10.1.1.0 that I was bypassing nat to the dmz.

I still don't understand the command static (inside,DMZ) 10.1.1.0 10.1.1.0

2.  I have to do the static (dmz,external) 216.93.101.0 216.93.101.0 255.255.255.0 0 0 so that I don't have xlate issues.  I have been through that before.  I know that a static is needed for every host in the dmz to itself, or the xlate gets corrupted, I have to clear it, and then generate traffic from the machine out to the world.   Not a good situation.  That being said, am I causing a conflict by having static (dmz,external) 216.93.101.0 216.93.101.0 255.255.255.0 0 0 with 216.93.101.8 10.1.1.35 netmask 255.255.255.255 0 0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13648103
>I still don't understand the command static (inside,DMZ) 10.1.1.0 10.1.1.0
This command is doing exactly what you want - bypassing NAT. Subnet 10.1.1.0 on the inside = 10.1.1.0 on the DMZ, no change, no NAT, same on both sides.

>That being said, am I causing a conflict by having static (dmz,external) 216.93.101.0 216.93.101.0 255.255.255.0 0 0 with 216.93.101.8 10.1.1.35 netmask 255.255.255.255 0 0
Yes. You can't have it both ways with a subnet NAT (actually bypassing NAT for the DMZ) and have a static nat at the same time redirecting to an inside host.

I would seriously consider applying a private IP address to the servers and doing a specific 1-1 NAT statement to map the private IP to a public IP.


 
 
LVL 7

Expert Comment

by:minmei
ID: 13648372
One of the things that is very hard to understand is that the PIX is _not_ a router. There is no way to talk between interfaces unless you go by the PIX rules, either conduit and static/global(NAT) or ACL's and static/global(NAT).

I would also consider changing from conduits to ACL's, because the conduit commands apply to all traffic from a lower security to a higher (outside to DMZ or inside, and DMZ to inside) but ACL's allow you to be more specific as to which traffic is allowed from outside rather than DMZ.
 
LVL 1

Author Comment

by:adsnetcurve
ID: 13648558
Yes, I would like to go to the internal IPs and nat between the external and DMZ, but at this time it isn't possible.  I would have to re-IP a whole lot of stuff that .  I am cleaning up my firewall config as much as possible so that I can take it to access-lists.  After that, I wil

lrmoore,

>That being said, am I causing a conflict by having static (dmz,external) 216.93.101.0 216.93.101.0 255.255.255.0 0 0 with 216.93.101.8 10.1.1.35 netmask 255.255.255.255 0 0
> Yes. You can't have it both ways with a subnet NAT (actually bypassing NAT for the DMZ) and have a static nat at the same time redirecting to an inside host.


If I remove the  static (dmz,external) 216.93.101.0 216.93.101.0 255.255.255.0 0 0 and do individual statics for each IP address in question, this would not be an issue...correct?  I.E. for host 216.93.101.7, I would do a static (DMZ,external) 216.93.101.7 216.93.101.7 netmask 255.255.255.255 0 0.  This would then allow me to not have a conflict with Static (internal, external) 216.93.101.8 10.1.1.35 netmask 255.255.255.255 0 0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 13648591
Correct. You can do this quite easily, with private IP's in your DMZ.

YES:
ip address dmz 172.16.16.1 255.255.255.0
static (DMZ,outside) 216.93.101.7 172.16.16.7 netmask 255.255.255.255
static (dmz,outside) 216.93.101.8 172.16.16.8 netmask 255.255.255.255
static (dmz,outside) 216.93.101.9 172.16.16.9 netmask 255.255.255.255
static (dmz,outside) 216.93.101.10 172.16.16.10 netmask 255.255.255.255
static (inside,outside) 216.93.101.11 10.1.1.11 netmask 255.255.255.255

What you cannot do, is assign a public IP to the DMZ interface, and still map it to an inside host:
NO:
ip address DMZ 216.93.101.1 255.255.255.0
static (DMZ,outside) 216.93.101.7 216.93.101.7 netmask 255.255.255.255
static (DMZ,outside) 216.93.101.8 216.93.101.8 netmask 255.255.255.255
static (DMZ,outside) 216.93.101.9 216.93.101.9 netmask 255.255.255.255
static (inside,outside) 216.93.101.11 10.1.1.11 netmask 255.255.255.255  <= the 216.93.101.0 subnet is assigned to the DMZ only

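The two points this thread turns on (an identity static such as static (inside,DMZ) 10.1.1.0 10.1.1.0 bypasses NAT rather than invoking it, and a host static whose global address falls inside the public subnet that is already assigned to, and identity-translated on, the DMZ cannot coexist with it) can be checked mechanically before the config is loaded. The following linter is an added example and is not code from the thread or from Cisco. It parses PIX 6.x name, ip address and static lines, reports identity (no-NAT) statics, and flags two things: statics whose global ranges overlap on the same lower-security interface while translating to different local addresses, and a static whose global lies in the connected subnet of an interface that is not part of that static's own pair (lrmoore's "NO" case). The overlap rules are this linter's own heuristics, not the PIX's internal validation, and interface names are compared case-insensitively; both are assumptions. The sample configs are constructed from the lines quoted in the thread and from lrmoore's "YES" layout.

```python
"""PIX 6.x static/NAT lint: an added example, not code from the thread.

Checks two things the answers hinge on:
  - an identity static (global == local) bypasses NAT rather than invoking it;
  - statics claiming overlapping globals on the same lower-security interface
    but pointing at different local addresses cannot both be honoured, and a
    global inside the connected subnet of an interface outside the static's
    own pair (the public 216.93.101.0/24 on the DMZ port) is the "NO" case.
Overlap rules are this linter's heuristics (assumption), not PIX validation;
interface names are compared case-insensitively (assumption).
"""
import ipaddress
import re
from collections import defaultdict

# static (hi,lo) <global> <local> netmask <mask> [max_conns [emb_limit]]
STATIC_RE = re.compile(
    r"^static\s*\(\s*(?P<hi>[\w-]+)\s*,\s*(?P<lo>[\w-]+)\s*\)\s+"
    r"(?P<glob>\S+)\s+(?P<loc>\S+)\s+netmask\s+(?P<mask>\S+)", re.I)
NAME_RE = re.compile(r"^name\s+(?P<ip>\S+)\s+(?P<name>\S+)$")
IPADDR_RE = re.compile(r"^ip address\s+(?P<if>[\w-]+)\s+(?P<ip>\S+)\s+(?P<mask>\S+)$")


def parse_config(text):
    """Return (interfaces, statics): connected subnet per interface name, and
    each static as a dict with hi/lo interface plus global and local networks."""
    names, interfaces, statics = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            names[m["name"]] = m["ip"]          # PIX 'name' aliases
        elif m := IPADDR_RE.match(line):
            interfaces[m["if"].lower()] = ipaddress.ip_network(
                f"{m['ip']}/{m['mask']}", strict=False)
        elif m := STATIC_RE.match(line):
            glob = names.get(m["glob"], m["glob"])
            loc = names.get(m["loc"], m["loc"])
            statics.append({
                "hi": m["hi"].lower(), "lo": m["lo"].lower(), "line": line,
                "global": ipaddress.ip_network(f"{glob}/{m['mask']}", strict=False),
                "local": ipaddress.ip_network(f"{loc}/{m['mask']}", strict=False)})
    return interfaces, statics


def identity_statics(statics):
    """Statics that translate a network to itself, i.e. the no-NAT case."""
    return [(s["hi"], s["lo"], str(s["global"]))
            for s in statics if s["global"] == s["local"]]


def find_conflicts(interfaces, statics):
    """Return (kind, detail) findings for statics that cannot coexist."""
    findings = []
    by_lo = defaultdict(list)           # globals are reachable from the lo side
    for s in statics:
        by_lo[s["lo"]].append(s)
    for lo, group in by_lo.items():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if a["global"].overlaps(b["global"]) and a["local"] != b["local"]:
                    findings.append(("global-overlap",
                        f"{lo}: {a['global']}<-{a['local']} vs {b['global']}<-{b['local']}"))
    for s in statics:
        for ifname, subnet in interfaces.items():
            if ifname not in (s["hi"], s["lo"]) and s["global"].overlaps(subnet):
                findings.append(("foreign-subnet",
                    f"{s['line']}: global {s['global']} lies in {ifname} {subnet}"))
    return findings


def lint(text):
    return find_conflicts(*parse_config(text))


# Constructed from the thread's posted config (public /24 on the DMZ).
THREAD_CONFIG = """\
name 216.93.101.8 exchange
name 10.1.1.35 business-exch
name 216.93.101.22 monitor
ip address outside 216.93.100.3 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address DMZ 216.93.101.1 255.255.255.0
static (inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
static (inside,outside) exchange business-exch netmask 255.255.255.255 0 0
static (inside,outside) 216.93.100.6 10.1.1.240 netmask 255.255.255.255 0 0
static (inside,DMZ) monitor 10.1.1.240 netmask 255.255.255.255 0 0
static (DMZ,outside) 216.93.101.0 216.93.101.0 netmask 255.255.255.0 0 0
"""

# Constructed from lrmoore's "YES" layout: private DMZ, 1-1 statics only.
PRIVATE_DMZ_CONFIG = """\
ip address outside 216.93.100.3 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address DMZ 172.16.16.1 255.255.255.0
static (DMZ,outside) 216.93.101.7 172.16.16.7 netmask 255.255.255.255
static (DMZ,outside) 216.93.101.8 172.16.16.8 netmask 255.255.255.255
static (inside,outside) 216.93.101.11 10.1.1.11 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for label, cfg in (("thread", THREAD_CONFIG), ("private-dmz", PRIVATE_DMZ_CONFIG)):
        print(label, "no-NAT statics:", identity_statics(parse_config(cfg)[1]))
        for kind, detail in lint(cfg) or [("ok", "no conflicting statics")]:
            print(f"  [{kind}] {detail}")
```

Run against the thread's config it reports the (inside,DMZ) 10.1.1.0/24 and (DMZ,outside) 216.93.101.0/24 statics as no-NAT, then flags the exchange static twice: its global 216.93.101.8/32 overlaps the 216.93.101.0/24 identity static on the outside interface while translating to a different local host, and it lies in the DMZ interface's own subnet. The private-DMZ layout produces no findings, which is why re-addressing the DMZ with RFC 1918 space and writing 1-1 statics resolves the conflict.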
 
LVL 79

Expert Comment

by:lrmoore
ID: 13703263
How's it going?  Do you need more information?
Can you close this question?

http://www.experts-exchange.com/help.jsp#hs5

Thanks for attending to this open question.

<-8}
 
LVL 7

Expert Comment

by:minmei
ID: 13706889
Good luck with all that.