Solved

PIX 501 DMZ to Internal Hosts Ports

Posted on 2006-05-06
Last Modified: 2010-04-09
My current setup is a router performing NAT to servers on a DMZ. It looks like this: router > switch > DMZ hosts (192.168.88.X). The router has an internal interface IP address of 192.168.88.1. I just put in a PIX 501 coming off the switch with E0 192.168.88.2 and E1 192.168.100.1 and a route statement of 0 0 192.168.88.1. I want to move most of my servers into the 192.168.100.X subnet behind the PIX, leaving only a few servers in the DMZ: hosts 192.168.88.26, 192.168.88.30, 192.168.88.37, and 192.168.88.39 respectively. I need these DMZ hosts to talk to specific internal hosts through certain ports. A few questions:

1.) First question: should I disable NAT on the PIX since the router is already NATing?

2.) Second, will I be using port forwarding or simple static xlation statements with access lists? (I really don't understand the difference.)

Here is a sample of what I would like to do:

For:
Protocol TCP Source 192.168.88.26 Destination 192.168.1.23 Port 7815
static (inside,outside) 192.168.1.23 192.168.1.23 netmask 255.255.255.255
access-list DMZ permit tcp host 192.168.88.26 host 192.168.1.23 eq 7815
access-group dmz in interface outside

Will this work?

Much help is appreciated since I need to configure this by today. Thanks.

Question by: lewylupo
4 Comments
 
LVL 79

Expert Comment

by: lrmoore
ID: 16621413
1) Yes, you can disable NAT with a static network statement:
 static (inside,outside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

2) With the above static network NAT, you will still need an ACL just like you have, applied to the interface just like you show.
 

Author Comment

by: lewylupo
ID: 16621813
I've added the exact statement from my previous post and it did not work...

static (inside,outside) 192.168.1.23 192.168.1.23 netmask 255.255.255.255
access-list DMZ permit tcp host 192.168.88.26 host 192.168.1.23 eq 7815
access-group dmz in interface outside

What am I missing?
 
LVL 79

Accepted Solution

by: lrmoore (earned 1000 total points)
ID: 16621842
> E1 192.168.100.1
> static (inside,outside) 192.168.1.23 192.168.1.23 netmask 255.255.255.255
You do not have 192.168.1.xx on the inside. You have 192.168.100.x

Try this:
 no static (inside,outside) 192.168.1.23 192.168.1.23 netmask 255.255.255.255
 static (inside,outside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
 
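An added checker for the mistake lrmoore spotted (this is example code, not from the thread or from Cisco): it parses the `ip address`, `static` and `access-list` lines of a PIX 6.x-style config and flags a static whose real address is not on the named interface's subnet, and an access-list destination that no static covers. Both configs below are constructed from the thread; 192.168.100.23 as the relocated inside host is an assumption.

```python
import ipaddress
import re

# Constructed from the thread: inside is 192.168.100.0/24, but the static
# names 192.168.1.23, which lives on no PIX interface.
BROKEN_CONFIG = """\
ip address outside 192.168.88.2 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
static (inside,outside) 192.168.1.23 192.168.1.23 netmask 255.255.255.255
access-list DMZ permit tcp host 192.168.88.26 host 192.168.1.23 eq 7815
access-group DMZ in interface outside
"""

# The accepted fix: identity static for the whole inside network. The ACL
# destination 192.168.100.23 is an assumed inside host, not from the thread.
FIXED_CONFIG = """\
ip address outside 192.168.88.2 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
static (inside,outside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
access-list DMZ permit tcp host 192.168.88.26 host 192.168.100.23 eq 7815
access-group DMZ in interface outside
"""

IFACE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
# PIX syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit \S+ host (\S+) host (\S+)")


def check_statics(config):
    """Return problems: statics whose real address is not on the named
    interface, and ACL destinations that no static's mapped range covers."""
    ifaces, covered, problems = {}, [], []
    for line in config.splitlines():
        line = line.strip()
        if m := IFACE_RE.match(line):
            ifaces[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}").network
        elif m := STATIC_RE.match(line):
            real_if, mapped, real, mask = m[1], m[3], m[4], m[5]
            real_net = ipaddress.ip_network(f"{real}/{mask}", strict=False)
            if real_if in ifaces and not real_net.subnet_of(ifaces[real_if]):
                problems.append(f"static real address {real_net} is not on "
                                f"{real_if} ({ifaces[real_if]})")
            covered.append(ipaddress.ip_network(f"{mapped}/{mask}", strict=False))
        elif m := ACL_RE.match(line):
            dst = ipaddress.ip_address(m[3])
            if not any(dst in net for net in covered):
                problems.append(f"access-list {m[1]}: destination {dst} "
                                f"has no matching static")
    return problems
```

Running `check_statics(BROKEN_CONFIG)` reports the misplaced static; the fixed config reports nothing.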

Author Comment

by: lewylupo
ID: 16621967
DUH!!! Thanks for your help... it's working now.
