
PIX 501 DMZ to Internal Hosts Ports

My current setup is a router performing NAT to servers on a DMZ.  It looks like this:  router>switch>DMZ Hosts (192.168.88.X).   The router has an internal interface IP address of 192.168.88.1.  I just put in a 501 PIX coming off the switch with E0 192.168.88.2 and E1 192.168.100.1 and a route statement of 0 0 192.168.88.1.  I want to move most of my servers into the 192.168.100.X subnet behind the PIX, leaving only a few servers in the DMZ: hosts 192.168.88.26, 192.168.88.30, 192.168.88.37, and 192.168.88.39 respectively.  I need these DMZ hosts to talk to specific internal hosts through certain ports.  A few questions:

1.)  First question: should I disable NAT on the PIX, since the router is already NATing?

2.)  Second, will I be using port forwarding or simple static xlation statements with access lists?  (I really don't understand the difference)

Here is a sample of what I would like to do:

For:
Protocol TCP Source 192.168.88.26 Destination 192.168.1.23 Port 7815
static (inside,outside) 192.168.1.23 192.168.1.23 netmask 255.255.255.255
access-list DMZ permit tcp host 192.168.88.26 host 192.168.1.23 eq 7815
access-group dmz in interface outside

Will this work?

Much help is appreciated since I need to configure this by today.  Thanks
1 Solution
 
lrmooreCommented:
1) Yes, you can disable NAT with a static network statement:
 static (inside,outside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

2) With the above static network NAT, you will still need an ACL just like you have, applied to the interface just like you show.
0
 
lewylupoAuthor Commented:
I've added the exact statement from my previous post and it did not work...

static (inside,outside) 192.168.1.23 192.168.1.23 netmask 255.255.255.255
access-list DMZ permit tcp host 192.168.88.26 host 192.168.1.23 eq 7815
access-group dmz in interface outside

What am I missing?
0
 
lrmooreCommented:
> E1 192.168.100.1
>static (inside,outside) 192.168.1.23 192.168.1.23 netmask 255.255.255.255
You do not have 192.168.1.xx on the inside. You have 192.168.100.x

try this:
 no static (inside,outside) 192.168.1.23 192.168.1.23 netmask 255.255.255.255
 static (inside,outside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
0
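A small consistency check for PIX 6.x-style static and access-list lines that catches the mismatch lrmoore spotted (a static whose real address is not on the inside subnet) and the related case of an ACL destination that no static covers. This is an added example, not code from the thread; it assumes the inside network is 192.168.100.0/24 (from E1 192.168.100.1) and uses 192.168.100.23 as a placeholder inside host, since the thread names none.

```python
# Added example (not from the thread): sanity-check PIX 6.x "static" and
# "access-list" lines. PIX 6.x requires a translation (here an identity static)
# for an inside host before an outside-to-inside ACL entry can pass traffic.
import ipaddress
import re

# Assumption from the thread: E1 (inside) is 192.168.100.1, so inside is a /24.
INSIDE_NET = ipaddress.ip_network("192.168.100.0/24")

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (\w+) host (\S+) host (\S+) eq (\d+)")


def check_config(lines, inside_net=INSIDE_NET):
    """Return a list of problem strings; an empty list means the lines are consistent."""
    problems = []
    translated = []  # mapped (outside-visible) networks created by static entries
    active = [l.strip() for l in lines if not l.strip().startswith("no ")]
    # Pass 1: statics. The real (inside) address must live on the inside subnet.
    for m in filter(None, map(STATIC_RE.match, active)):
        high_if, _low_if, mapped, real, mask = m.groups()
        real_net = ipaddress.ip_network(f"{real}/{mask}", strict=False)
        if high_if == "inside" and not real_net.subnet_of(inside_net):
            problems.append(f"static: real address {real_net} is not on {inside_net}")
        translated.append(ipaddress.ip_network(f"{mapped}/{mask}", strict=False))
    # Pass 2: ACLs. Each inside destination needs a static that translates it.
    for m in filter(None, map(ACL_RE.match, active)):
        name, _proto, _src, dst, _port = m.groups()
        if not any(ipaddress.ip_address(dst) in net for net in translated):
            problems.append(f"access-list {name}: destination {dst} has no static translation")
    return problems


# Constructed samples: the config as posted in the question, and the corrected one.
AS_POSTED = [
    "static (inside,outside) 192.168.1.23 192.168.1.23 netmask 255.255.255.255",
    "access-list DMZ permit tcp host 192.168.88.26 host 192.168.1.23 eq 7815",
]
# 192.168.100.23 is a placeholder inside host (assumed; the thread names none).
CORRECTED = [
    "static (inside,outside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0",
    "access-list DMZ permit tcp host 192.168.88.26 host 192.168.100.23 eq 7815",
]

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, check_config(cfg) or "OK")
```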
 
lewylupoAuthor Commented:
DUH!!!  Thanks for your help... it's working now.
0